🌑

Linhost.info

Home VM

Using Hashdeep To Ensure Data Integrity

On a previous post I discussed the value of md5deep, now I am going to show you another tool by the name of hashdeep. As expected with hashdeep you can: recurse entire directories, perform matching, audit known hashes. Hashdeep grants auditing capabilities to the administrator. Official Hashdeep description

Computes multiple hashes, or message digests, for any number of files while optionally recursively digging through the directory structure. By default the program computes MD5 and SHA-256 hashes, equivalent to -c md5,sha256. Can also take a list of known hashes and display the filenames of input files whose hashes either do or do not match any of the known hashes. Can also use a list of known hashes to audit a set of FILES. Errors are reported to standard error. If no FILES are specified, reads from standard input.

Hashdeep is the indicated tool if you need to recurse entire directories, I have personally hashed directories as large as 300GB without any problems.

Recursive directory hashing

The most common use, hashdeep can recurse a directory and output the results to a text file(you can change the extension). The -e parameter is optional.

hashdeep -e -r directory_name/ > output.txt

  • -r Recursive mode
  • -e Estimate time

Recursive drive hashing

Or if you wish you can hash an entire drive.

hashdeep -r G:

  • -r Recursive mode
  • G: Name of the drive

Perform an audit using a list of known hashes (simple form)

Once you have a list of known hashes you can perform an audit of a directory to see if any changes where made.

hashdeep -r -a -k output.txt dir

  • -r Recursive mode
  • -a Audit mode
  • -k Load list of known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question

For this example some files where changed, which resulted in a failed audit.

hashdeep: Audit failed

Perform an audit using a list of known hashes (advanced form)

This option will give detailed information about the audit.

hashdeep -v -r -a -k output.txt dir

  • -v Verobose mode
  • -r Recursive mode
  • -a Audit mode
  • -k Load listof known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question

hashdeep: Audit failed
Files matched: 41
Files paritally matched: 0
Files moved: 0
New files found: 1
Known files not found: 1

Audit a list of known hashes and display the hash and location of those that failed to math against the list

This option will give you the name name, location, and hash of those files that failed to pass the audit.

hashdeep -r -X -v -k output.txt dir

  • -r Recursive mode
  • -X Display each failed hash that does not match the list of known hashes
  • -v Verbose mode
  • -k Load list of known hashes
  • output.txt File containing hashes
  • dir Name of the directory in question

%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename

Invoked from: C:UsersLuisDesktop

C:> hashdeep -r -X -v -k output.txt dir

##
6,dcd989387b401ac29bf44755f31c0952,5a3edf2142ffde0b2d9803d845c795c24bfdd610d2b9d68408f5207d47e11b4a,C:UsersLuisDesktopdirNew Text Document - Copy (10).txt

, , , , — May 31, 2010