A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Man page of HASHDEEP


Section: United States Air Force (1)
Updated: v3.3 - 4 Apr 2009
Index of this MAN page

Back To MAN Pages From BackTrack 5 R1 Master List



hashdeep - Compute, compare, or audit multiple message digests



hashdeep -V | -h
hashdeep [-c <alg1>[,<alg2>]] [-k <file>] [-i <size>] [-amxwMXrespblvv] [FILES]



Computes multiple hashes, or message digests, for any number of files while optionally recursively digging through the directory structure. By default the program computes MD5 and SHA-256 hashes, equivalent to -c md5,sha256. Can also take a list of known hashes and display the filenames of input files whose hashes either do or do not match any of the known hashes. Can also use a list of known hashes to audit a set of FILES. Errors are reported to standard error. If no FILES are specified, reads from standard input.

-c <alg1>[,<alg2>...]
Computation mode. Compute hashes of FILES using the algorithms specified. Legal values are md5, sha1, sha256, tiger, and whirlpool.

Load a file of known hashes. This flag is required when using any of the matching or audit modes (i.e. -m, -x, -M, -X, or -a) This flag may be used more than once to add multiple sets of known hashes.

Loading sets with different hash algorithms can sometimes generate spurrious hash collisions. For example, let's say we have two hash sets, A and B, which have some overlapping files. For example, the file /usr/bin/bad is in both sets. In A we've recorded the MD5 and SHA-256. In B we've recorded the MD5, SHA-1, and SHA-256. Because these two records are different, they will both be loaded. When the program computes all three hashes and compares them to the set of knowns, we will get an exact match from the record in B and a collision from the record in A.

Audit mode. Each input file is compared against the set of knowns. An audit is said to pass if each input file is matched against exactly one file in set of knowns. Any collisions, new files, or missing files will make the audit fail. Using this flag alone produces a message, either "Audit passed" or "Audit Failed". Use the verbose modes, -v, for more details. Using -v prints the number of files in each category. Using -v a second time prints any discrepancies. Using -v a third time prints the results for every file examined and every known file.
Due to limitations in the program, any filenames with Unicode characters will appear to have moved during an audit. See the section "UNICODE SUPPORT" below.

Positive matching, requires at least one use of the -k flag. The input files are examined one at a time, and only those files that match the list of known hashes are output. The only acceptable format for known hashes is the output of previous hashdeep runs.
If standard input is used with the -m flag, displays "stdin" if the input matches one of the hashes in the list of known hashes. If the hash does not match, the program displays no output.
This flag may not be used in conjunction with the -x, -X, or -a flags. See the section "UNICODE SUPPORT" below.

Negative matching. Same as the -m flag above, but does negative matching. That is, only those files NOT in the list of known hashes are displayed.
This flag may not be used in conjunction with the -m, -M, or -a flags. See the section "UNICODE SUPPORT" below.

When used with positive matching modes (-m,-M) displays the filename of the known hash that matched the input file. See the section "UNICODE SUPPORT" below.

-M and -X
Same as -m and -x above, but displays the hash for each file that does (or does not) match the list of known hashes.

Enables recursive mode. All subdirectories are traversed. Please note that recursive mode cannot be used to examine all files of a given file extension. For example, calling hashdeep -r *.txt will examine all files in directories that end in .txt.

Displays a progress indicator and estimate of time remaining for each file being processed. Time estimates for files larger than 4GB are not available on Windows. This mode may not be used with th -p mode.

-i <size>
Size threshold mode. Only hash files smaller than the given the threshold. Sizes may be specified using multiplers b,k,m,g,t,p, and e.

Enables silent mode. All error messages are supressed.

Piecewise mode. Breaks files into chunks before hashing. Chunks may be specified using multiplers b,k,m,g,t,p, and e. (Never let it be said that the author didn’t plan ahead.)

Enables bare mode. Strips any leading directory information from displayed filenames. This flag may not be used in conjunction with the -l flag.

Enables relative file paths. Instead of printing the absolute path for each file, displays the relative file path as indicated on the command line. This flag may not be used in conjunction with the -b flag.

Enables verbose mode. Use again to make the program more verbose. This mostly changes the behvaior of the audit mode, -a.

Show a help screen and exit.

Show the version number and exit.



As of version 2.0 the program can process input files with Unicode characters in their filenames on Windows systems. In the program's output, however, each Unicode character is represented with a question mark (?). Note that Unicode characters are not supported in the files containing known hashes. You can specify a file of known hashes that has Unicode characters in its name by using tab completition or an asterisk (e.g. hashdeep -mk *.txt where there is only one file with a .txt extension).



Returns zero on success, one on error.



hashdeep was written by Jesse Kornblum, md5deep [at] jessekornblum [dot] com.



Using the -r flag cannot be used to recursively process all files of a given extension in a directory. This is a feature, not a bug. If you need to do this, use the find(1) command.

The program will fail if you attempt to compare 2^64 or more input files against a set of known files.



We take all bug reports very seriously. Any bug that jeopardizes the forensic integrity of this program could have serious consequenses on people's lives. When submitting a bug report, please include a description of the problem, how you found it, and your contact information.

Send bug reports to: md5deep [at] jessekornblum [dot] com



This program is a work of the US Government. In accordance with 17 USC 105, copyright protection is not available for any work of the US Government. This program is PUBLIC DOMAIN. Portions of this program contain code that is licensed under the terms of the General Public License (GPL). Those portions retain their original copyright and license. See the file COPYING for more details.

There is NO warranty for this program; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.



More information and installation instructions can be found in the README file. Current versions of both documents can be found on the project homepage: http://md5deep.sourceforge.net/

The MD5 specification, RFC 1321, is available at

The SHA-1 specification, RFC 3174, is available at

The SHA-256 specification, FIPS 180-2, is available at

The Tiger specification is available at

The Whirlpool specification is available at




This document was created by man2html, using the manual pages.
Time: 07:34:21 GMT, September 13, 2011

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast