hashdeep

Overview

hashdeep is a cross-platform command-line utility for computing and comparing hash values of files. It supports multiple hash algorithms (MD5, SHA-1, SHA-256, Tiger, Whirlpool) and is commonly used in digital forensics, data integrity verification, and security auditing. hashdeep can recursively hash directories, compare against known-hash databases, and generate audit trails.

Installation

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install hashdeep

macOS

brew install hashdeep

From Source

git clone https://github.com/jessek/hashdeep.git
cd hashdeep
./configure
make
sudo make install

Verify Installation

hashdeep -v

Basic Usage

Simple Hash Computation

Command	Description
hashdeep file.txt	Hash a single file (MD5, SHA-1, SHA-256 default)
hashdeep -r directory/	Recursively hash all files in directory
hashdeep *.pdf	Hash all PDF files in current directory
hashdeep -c md5 file.txt	Hash using MD5 only
hashdeep -c sha256 file.txt	Hash using SHA-256 only

Examples

# Single file with default hashes
hashdeep myfile.iso

# Recursive directory hashing
hashdeep -r /path/to/evidence/

# List supported algorithms
hashdeep -h | grep "^-c"

# Multiple algorithms at once
hashdeep -c md5,sha1,sha256 document.pdf

Hash Algorithms

Supported Algorithms

Algorithm	Flag	Output Size	Use Case
MD5	-c md5	128-bit (32 hex)	Legacy, not collision-resistant
SHA-1	-c sha1	160-bit (40 hex)	Deprecated for new work
SHA-256	-c sha256	256-bit (64 hex)	Recommended standard
Tiger	-c tiger	192-bit (48 hex)	Less common
Whirlpool	-c whirlpool	512-bit (128 hex)	Strong hashing

Computing Specific Hashes

# MD5 only (fast, legacy support)
hashdeep -c md5 largefile.bin

# SHA-256 only (recommended)
hashdeep -c sha256 firmware.img

# Multiple algorithms
hashdeep -c md5,sha1,sha256 evidence.dd

# Tiger hash
hashdeep -c tiger /path/to/files/

# Whirlpool (strongest)
hashdeep -c whirlpool secure_data.zip

Recursive Hashing and Audit Trails

Recursive Operations

Command	Description
hashdeep -r directory/	Hash all files recursively
hashdeep -r -e directory/	Include empty files in recursion
hashdeep -r -s directory/	Show file size in output
hashdeep -r -t directory/	Use tab-delimited output format

Creating Hash Audit Files

# Generate hash file for entire directory
hashdeep -r /evidence > evidence_hashes.txt

# Hash with tab-delimited format (easier parsing)
hashdeep -r -t /evidence > hashes.txt

# Hash and include file size information
hashdeep -r -s /evidence > hashes_with_size.txt

# Recursive hash of USB device (forensics)
hashdeep -r /media/usb_device/ > usb_audit.txt

Output Format

%%%% HASHDEEP-1.0
%%%% size,md5,sha1,sha256,filename
123456,d41d8cd98f00b204e9800998ecf8427e,da39a3ee5e6b4b0d3255bfef95601890afd80709,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,/path/to/file.txt

Hash Comparison and Verification

Comparing Against Known Hashes

Command	Description
hashdeep -r -k hashes.txt directory/	Compare directory against known-hash file
hashdeep -r -a -k hashes.txt directory/	Audit mode with comparison
hashdeep -r -x directory/	Compare and exclude matches (show new only)
hashdeep -r -m hashes.txt directory/	Match new files against database

Matching Operations

# Verify directory against saved hashes
hashdeep -r -k baseline_hashes.txt /evidence/

# Audit mode (detailed output)
hashdeep -r -a -k baseline_hashes.txt /evidence/

# Find new files (not in baseline)
hashdeep -r -x /evidence/ -k baseline_hashes.txt

# Match against NIST NSRL database
hashdeep -r -k nsrl.hsh /suspect/data/

Advanced Options

Output Formatting

Flag	Description
-s	Show file size in output
-t	Tab-delimited output format
-i	Ignore case in filenames
-j num	Use multiple threads (parallel hashing)
-b	Bare mode (hash and filename only)

Practical Examples

# Parallel hashing with 4 threads
hashdeep -r -j 4 /large_directory/

# Tab-separated format for import
hashdeep -r -t /evidence > evidence.tsv

# Bare output (minimal formatting)
hashdeep -r -b /data > hashes.txt

# Case-insensitive matching
hashdeep -r -i -k hashes.txt /evidence/

Forensic Workflows

Digital Evidence Chain of Custody

# Step 1: Hash initial evidence
hashdeep -r -c sha256 /mnt/evidence > evidence_baseline.txt

# Step 2: Archive baseline
cp evidence_baseline.txt evidence_baseline.bak

# Step 3: Later verification
hashdeep -r -c sha256 -k evidence_baseline.txt /mnt/evidence > verification.txt

# Step 4: Compare outputs
diff evidence_baseline.txt verification.txt

Full Forensic Imaging Hash Verification

# Create forensic image and hash
dd if=/dev/sda of=disk_image.dd
hashdeep -c sha256,md5 disk_image.dd > disk_image.hashes

# Verify image integrity after transfer
hashdeep -c sha256,md5 -k disk_image.hashes disk_image.dd

Known-Hash Database Creation

# Create known-good baseline
hashdeep -r -c md5,sha256 /clean/system > system_baseline.hsh

# Later check for unauthorized changes
hashdeep -r -c md5,sha256 -k system_baseline.hsh /system/

# Generate difference report
hashdeep -r -c md5,sha256 -a -k system_baseline.hsh /system/ > audit_report.txt

Integration with Other Tools

Pipeline with find

# Hash files modified in last 7 days
find /data -type f -mtime -7 | xargs hashdeep -c sha256

# Hash files larger than 1GB
find /data -type f -size +1G | xargs hashdeep

Export for External Verification

# Create hash file for cloud storage verification
hashdeep -r -t /project > project_hashes.txt
tar czf project.tar.gz project/ project_hashes.txt

# Recipient verifies:
hashdeep -r -t -k project_hashes.txt project/

Comparison with Checksums

# Create both MD5 and SHA-256
hashdeep -r -c md5,sha256 /data > checksums.txt

# Extract only SHA-256 for reporting
grep sha256 checksums.txt > sha256_only.txt

Troubleshooting

Permission Issues

# Run with sudo for system directories
sudo hashdeep -r /etc/ > etc_hashes.txt

# Hash with permission preservation
sudo hashdeep -r -s /evidence > evidence_hashes.txt

Performance Optimization

# Use multiple threads for large directories
hashdeep -r -j 8 /terabyte_drive/

# Limit to specific hash (faster)
hashdeep -r -c sha256 /data/ > faster_hashes.txt

Finding Matches in Large Datasets

# Verify against NIST hash database
hashdeep -r -k nist_nsrl.hsh /suspected_data/

# Find exact hash matches
hashdeep -r /data | grep -f known_hashes.txt

Common Workflows

Verify Downloaded Files

# After downloading ISO
hashdeep ubuntu-20.04-desktop-amd64.iso
# Compare against published hash on website

System Integrity Monitoring

# Create baseline of system directories
hashdeep -r -c sha256 /usr /lib /bin > system_baseline.txt

# Daily verification
hashdeep -r -c sha256 -k system_baseline.txt /usr /lib /bin

Incident Response

# Snapshot suspicious directory
hashdeep -r -s /var/www/compromised/ > incident_snapshot.txt

# Later analysis
hashdeep -r -a -k incident_snapshot.txt /var/www/compromised/

Related Tools

• md5sum / sha256sum - Single-algorithm hash utilities
• ssdeep - Fuzzy hashing for malware comparison
• md5deep - Similar to hashdeep with different output format
• openssl - Cryptographic hashing alternative
• sha1sum - SHA-1 specific hashing

Resources

• hashdeep GitHub
• NIST Hash Set Database
• Digital Forensics Documentation