hashdeep is a cross-platform command-line utility for computing and comparing hash values of files. It supports multiple hash algorithms (MD5, SHA-1, SHA-256, Tiger, Whirlpool) and is commonly used in digital forensics, data integrity verification, and security auditing. hashdeep can recursively hash directories, compare against known-hash databases, and generate audit trails.
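```bash
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install hashdeep

# macOS (Homebrew)
brew install hashdeep

# Build from source
git clone https://github.com/jessek/hashdeep.git
cd hashdeep
sh bootstrap.sh   # generates ./configure, which the git tree does not ship
./configure
make
sudo make install

# Verify the installation (-V prints the version; -v is verbose mode)
hashdeep -V
```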
| Command | Description |
|---|---|
| `hashdeep file.txt` | Hash a single file (MD5, SHA-1, SHA-256 default) |
| `hashdeep -r directory/` | Recursively hash all files in directory |
| `hashdeep *.pdf` | Hash all PDF files in current directory |
| `hashdeep -c md5 file.txt` | Hash using MD5 only |
| `hashdeep -c sha256 file.txt` | Hash using SHA-256 only |
```bash
# Single file with default hashes
hashdeep myfile.iso

# Recursive directory hashing
hashdeep -r /path/to/evidence/

# List supported algorithms
hashdeep -h | grep "^-c"

# Multiple algorithms at once
hashdeep -c md5,sha1,sha256 document.pdf
```
| Algorithm | Flag | Output Size | Use Case |
|---|---|---|---|
| MD5 | `-c md5` | 128-bit (32 hex) | Legacy, not collision-resistant |
| SHA-1 | `-c sha1` | 160-bit (40 hex) | Deprecated for new work |
| SHA-256 | `-c sha256` | 256-bit (64 hex) | Recommended standard |
| Tiger | `-c tiger` | 192-bit (48 hex) | Less common |
| Whirlpool | `-c whirlpool` | 512-bit (128 hex) | Strong hashing |
```bash
# MD5 only (fast, legacy support)
hashdeep -c md5 largefile.bin

# SHA-256 only (recommended)
hashdeep -c sha256 firmware.img

# Multiple algorithms
hashdeep -c md5,sha1,sha256 evidence.dd

# Tiger hash
hashdeep -c tiger /path/to/files/

# Whirlpool (strongest)
hashdeep -c whirlpool secure_data.zip
```
| Command | Description |
|---|---|
| `hashdeep -r directory/` | Hash all files recursively |
| `hashdeep -r -e directory/` | Include empty files in recursion |
| `hashdeep -r -s directory/` | Show file size in output |
| `hashdeep -r -t directory/` | Use tab-delimited output format |
```bash
# Generate hash file for entire directory
hashdeep -r /evidence > evidence_hashes.txt

# Hash with tab-delimited format (easier parsing)
hashdeep -r -t /evidence > hashes.txt

# Hash and include file size information
hashdeep -r -s /evidence > hashes_with_size.txt

# Recursive hash of USB device (forensics)
hashdeep -r /media/usb_device/ > usb_audit.txt
```
```text
%%%% HASHDEEP-1.0
%%%% size,md5,sha1,sha256,filename
123456,d41d8cd98f00b204e9800998ecf8427e,da39a3ee5e6b4b0d3255bfef95601890afd80709,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,/path/to/file.txt
```
| Command | Description |
|---|---|
| `hashdeep -r -k hashes.txt directory/` | Compare directory against known-hash file |
| `hashdeep -r -a -k hashes.txt directory/` | Audit mode with comparison |
| `hashdeep -r -x -k hashes.txt directory/` | Compare and exclude matches (show new only) |
| `hashdeep -r -m -k hashes.txt directory/` | Match new files against database |
```bash
# Verify directory against saved hashes
hashdeep -r -k baseline_hashes.txt /evidence/

# Audit mode (detailed output)
hashdeep -r -a -k baseline_hashes.txt /evidence/

# Find new files (not in baseline); options go before the path
hashdeep -r -x -k baseline_hashes.txt /evidence/

# Match against NIST NSRL database
hashdeep -r -k nsrl.hsh /suspect/data/
```
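The following is an added Python example, not code from hashdeep or from the original page: it parses the output format shown above (including filenames that contain commas) and runs a simplified, path-keyed comparison of a directory against that baseline. The function names and the sample files are constructed for illustration, and hashdeep's own audit mode matches on hash and size rather than on path.

```python
import hashlib, os, pathlib, tempfile  # added example, not hashdeep code
def parse_hashdeep(text):
    """Parse hashdeep output into {filename: {column: value}}."""
    columns, known = [], {}
    for line in text.splitlines():
        if line.startswith("%%%% size,"):
            columns = line[5:].split(",")      # e.g. size,md5,sha256,filename
        elif line and not line.startswith(("%%%%", "##")):
            # maxsplit keeps commas inside the trailing filename intact
            fields = line.split(",", len(columns) - 1)
            if not columns or len(fields) != len(columns):
                raise ValueError(f"malformed record: {line!r}")
            known[fields[-1]] = dict(zip(columns, fields))
    return known

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit(known, root):
    """Path-keyed audit of every file under root against the baseline."""
    report = {"ok": [], "changed": [], "new": [], "missing": []}
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in sorted(names)):
            rec = known.get(path)
            if rec is None:
                report["new"].append(path)
            else:
                actual = (os.path.getsize(path), sha256_file(path))
                same = (int(rec["size"]), rec["sha256"]) == actual
                report["ok" if same else "changed"].append(path)
    report["missing"] = sorted(p for p in known if not os.path.isfile(p))
    return report

def demo():  # constructed sample: baseline three files, then tamper, add, delete
    root = tempfile.mkdtemp()
    lines = ["%%%% HASHDEEP-1.0", "%%%% size,sha256,filename", "## constructed"]
    for name in ("same.txt", "edit,v1.txt", "gone.txt"):
        path = os.path.join(root, name)
        pathlib.Path(path).write_bytes(name.encode())
        lines.append(f"{len(name)},{sha256_file(path)},{path}")
    known = parse_hashdeep("\n".join(lines))
    pathlib.Path(root, "edit,v1.txt").write_bytes(b"tampered")
    pathlib.Path(root, "extra.txt").write_bytes(b"new")
    os.remove(os.path.join(root, "gone.txt"))
    return {k: [os.path.basename(p) for p in v] for k, v in audit(known, root).items()}
```

The baseline is only as trustworthy as its storage: keep it on media the audited system cannot write to.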
| Flag | Description |
|---|---|
| `-s` | Show file size in output |
| `-t` | Tab-delimited output format |
| `-i` | Ignore case in filenames |
| `-j num` | Use multiple threads (parallel hashing) |
| `-b` | Bare mode (hash and filename only) |
```bash
# Parallel hashing with 4 threads
hashdeep -r -j 4 /large_directory/

# Tab-separated format for import
hashdeep -r -t /evidence > evidence.tsv

# Bare output (minimal formatting)
hashdeep -r -b /data > hashes.txt

# Case-insensitive matching
hashdeep -r -i -k hashes.txt /evidence/
```
```bash
# Step 1: Hash initial evidence
hashdeep -r -c sha256 /mnt/evidence > evidence_baseline.txt

# Step 2: Archive baseline
cp evidence_baseline.txt evidence_baseline.bak

# Step 3: Later verification
hashdeep -r -c sha256 -k evidence_baseline.txt /mnt/evidence > verification.txt

# Step 4: Compare outputs
diff evidence_baseline.txt verification.txt
```
```bash
# Create forensic image and hash
dd if=/dev/sda of=disk_image.dd
hashdeep -c sha256,md5 disk_image.dd > disk_image.hashes

# Verify image integrity after transfer
hashdeep -c sha256,md5 -k disk_image.hashes disk_image.dd
```
```bash
# Create known-good baseline
hashdeep -r -c md5,sha256 /clean/system > system_baseline.hsh

# Later check for unauthorized changes
hashdeep -r -c md5,sha256 -k system_baseline.hsh /system/

# Generate difference report
hashdeep -r -c md5,sha256 -a -k system_baseline.hsh /system/ > audit_report.txt
```
```bash
# Hash files modified in last 7 days (NUL-delimited so names with spaces survive)
find /data -type f -mtime -7 -print0 | xargs -0 hashdeep -c sha256

# Hash files larger than 1GB
find /data -type f -size +1G -print0 | xargs -0 hashdeep
```
```bash
# Create hash file for cloud storage verification
hashdeep -r -t /project > project_hashes.txt
tar czf project.tar.gz project/ project_hashes.txt

# Recipient verifies:
hashdeep -r -t -k project_hashes.txt project/
```
```bash
# Create both MD5 and SHA-256
hashdeep -r -c md5,sha256 /data > checksums.txt

# Extract only SHA-256 (plus filename) for reporting, skipping header lines
grep -v '^[%#]' checksums.txt | cut -d, -f3- > sha256_only.txt
```
```bash
# Run with sudo for system directories
sudo hashdeep -r /etc/ > etc_hashes.txt

# Hash with permission preservation
sudo hashdeep -r -s /evidence > evidence_hashes.txt
```
```bash
# Use multiple threads for large directories
hashdeep -r -j 8 /terabyte_drive/

# Limit to specific hash (faster)
hashdeep -r -c sha256 /data/ > faster_hashes.txt
```
```bash
# Verify against NIST hash database
hashdeep -r -k nist_nsrl.hsh /suspected_data/

# Find exact hash matches
hashdeep -r /data | grep -f known_hashes.txt
```
```bash
# After downloading ISO
hashdeep ubuntu-20.04-desktop-amd64.iso
# Compare against published hash on website
```
```bash
# Create baseline of system directories
hashdeep -r -c sha256 /usr /lib /bin > system_baseline.txt

# Daily verification
hashdeep -r -c sha256 -k system_baseline.txt /usr /lib /bin
```
```bash
# Snapshot suspicious directory
hashdeep -r -s /var/www/compromised/ > incident_snapshot.txt

# Later analysis
hashdeep -r -a -k incident_snapshot.txt /var/www/compromised/
```
- md5sum / sha256sum - Single-algorithm hash utilities
- ssdeep - Fuzzy hashing for malware comparison
- md5deep - Similar to hashdeep with different output format
- openssl - Cryptographic hashing alternative
- sha1sum - SHA-1 specific hashing