Monday, August 08, 2005

Using md5deep

Thank you to Harlan Carvey for reminding me of Jesse Kornblum's md5deep. md5deep is a suite of tools to recursively compute a variety of hashes. It is not limited to the MD5 algorithm. In the example below I run the sha256deep tool to provide sha256 hashes of various files. The -r flag initializes recursive behavior, and -z says display file size before the hash.

bourque:/home/analyst$ sha256deep -r -e -z *

93506 1a6da6a2a849eb27fb7522939afab63ec59bcdb9412c2460fe611543b573d95f
/home/analyst/2005-041-santini_air/sample

111 43450978e07f87dfbc4918fec928209c54f4d5804367960fbde617e71ee50985
/home/analyst/2005-041-santini_air/sample.sha256

209.180.018.089.02001-156.023...: 391MB of 1405MB done, 00:01:22 left

The last entry shows sha256deep is busy computing the hash for a 1405 MB file. By passing the -e flag, I told the program to estimate time until hash completion. This is useful for processing large files. The resulting hash is eventually shown below.

1473577526 3f4eb24ae943dba4bdb1126540d309854824ac64ff6f288020c9c2bdc4793de9
/home/analyst/2005-041-santini_air/209.180.018.089.02001-156.023.170.238.02001

md5deep and related tools simplify maintaining forensic evidence as the program can rapidly produce hashes in an investigator-friendly format. There's also a FreeBSD port. For forensic applications, you would save the hashes to a file instead of standard output.

2 comments:

Kirby Kuehl said...

If interested, wininterrogate http://winfingerprint.sourceforge.net can do something similar to md5deep. It only supports MD5 and SHA-1 currently but can also provide some extra information that is useful. Win32 platform only.

Mark Kealiher said...

I maintain a list of MD5 hashes for malicious or suspect files that I come across in my work. To use such a list as a comparison source be sure to have exactly two spaces between the hash and the filename. Otherwise md5deep won't work properly.