HASH & SHA_V



Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2024 by Dan Mares
Phone: 678-427-3275
Last Update: Jan 12, 2024

One liner: Calculate hash/sha values of files.

Since the program is constantly being recompiled and adjusted (that's my term for fixed), if you wish to confirm your version's md5 and version number please don't hesitate to contact me at: dm at dmares dot com for the current version and md5 value.

GET hash.exe        THIS IS A COMMAND LINE PROGRAM
GET hash64.exe     THIS IS A COMMAND LINE PROGRAM

HASH64 NOTE:

The version of hash64 which has been recompiled and adjusted to be able to handle 64bit "stuff" is basically a beta version. This means that all the options shown here may not be available in the 64bit version. It is up to you to test and confirm that the 64bit version does what you need.
That being said, during the recompile, some "enhancements" were made to some of the options and the output formats. So I would advise you to test and confirm the option operation before putting the 64bit version to work.


Table of Contents:
PURPOSE  Why this program was written.
OPERATION  How this program operates.
VERSIONS  Minimal description of some version updates.
64bit version stuff

ITS ABOUT TIME  Talk about the three MAC times
OPTIONS  Options available to use. Learn them well.
COMMAND LINES  Suggested command lines with options.
RELATED PROGRAMS  Programs similar, and used together for better forensics
Processing Stats  Some old sample processing stats.

Virus aficionados read this:
Some (actually only one mainline) virus programs incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this mis-identification is common.

Sample Maresware Batches  an executable with data that demonstrates various Maresware software. Download and run the appropriate _03_xx batch for hash demo.

Before going any further, please review this ARTICLE   on testing and validating the completeness of your hash program.

If you are using a 64bit version, be aware that many of the newer more fine tuned options may not be available.


HASH_LINES new as of June 24, 2013

NOTE: These (hash, diskcat, and upcopy) command line programs WILL process files with long filenames ( > 255 characters), which are seen more and more in modern file systems. If you are using other hashing software, you should test its capability to process long filenames. (I have found a significant number of popular stand alone hashing programs have not been updated sufficiently to handle long filenames). I have tested a number of command line and GUI hashing and forensic copy programs. Some cannot process long filenames at all. Others can only find and process a single file at a time. Not very useful in forensics. And others may be able to find a file thru the GUI, but can't do a recursion. So I urge anyone who is planning on using a hashing program on a current filesystem to check the capability of the program on the filesystem you intend to use it on. I have created a .rar file which contains a number of test files and a batch file to test some of the capabilities. This rar file is linked via the diskcat help file.

Hash will display a message at the end of the run which indicates whether the last access date update of the OS is either turned on or off. If the program is one which would normally open and process a file, the -R option (in most cases) will attempt to reset the last access date/time to its original after the file has been processed. The ini file line: RESET=ON may also be used to tell the program to attempt a time reset. Again, most programs tested DO NOT reset last access date after opening and processing a file. This could be problematic when testifying as to why your "forensic" software altered evidentiary dates.


VERSION INFORMATION


Versions updated (August 8, 2019) have the option --ADS_COMP added. See the options section for explanation of the ADS* options.

Versions after March 2019 have an option --UNICODE=filename, which will create an output log file that contains the unicode (16-bit) filename of the file processed. If you are looking at files which contain unicode filename characters, consider adding this option.

Update (May 10, 2013): When the --ADDADS is used, added the capability thru the -C comment option to have the comment added to the output data.

Update (July 8, 2011): Modified and enhanced some of the output file formats to make them more compatible with a true fixed length record output. Previously some of the alternate data stream lines were not properly padded, and needed some pre-processing to make the records a true fixed length. Now with the use of the -v options, all records are fixed length.


During June 2020, (when DST is in effect) I was playing with file dates that were both referencing January 01, 2020, and June 01, 2020. Obviously these two dates were in different GMT offset time settings, one was Eastern 4 hours, the other 5 hours off GMT. One was Daylight Saving Time, and the other was Standard time. A command prompt of DIR on the January 01, 2020 file showed a time of 08:34:

     01/01/2020  08:34 AM          0 ZERO_BYTE.TXT
Notice the time referenced 08:34 AM. However, when I looked at the time using Windows Explorer the time was displayed as: 07:34 AM. An hour difference. Mr Watson, something was amiss. I realized that because I was operating during June which was a different GMT offset than January (4 as opposed to 5 in January), the DIR command wasn't properly compensating for the 1 hour difference between DST and Standard times. The current (older version of hash) was not adjusting for the time difference either, just as DIR wasn't adjusting. So, I made a modification (fixed the operational challenge) in HASH to properly adjust for the one hour GMT offset difference. Now (as of 6-6-2020) the version of HASH properly displays the local times. If you use the --GMT or --zulu options, the GMT time has always been displayed properly. And as a seasoned forensicator (that's you, I think), you probably should always use GMT times, for consistency.
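The offset mistake described above is easy to reproduce. The following is an added example (not code from HASH or from Maresware) that converts a UTC file time to US Eastern local time two ways: once using the offset that was in force when the file time was recorded (correct, what Explorer showed), and once using the offset in force on the day you happen to be looking (the DIR behaviour). It assumes the file time is stored in UTC, as NTFS does, and applies the post-2007 US rule (second Sunday in March to first Sunday in November); the file time and viewing date are constructed samples.

```python
"""Added example: local-time display of a January file time viewed in June.
Assumes US Eastern (EST UTC-5 / EDT UTC-4) and the post-2007 US DST rule.
"""
from datetime import datetime, timedelta, timezone

STANDARD = timedelta(hours=-5)   # EST
DAYLIGHT = timedelta(hours=-4)   # EDT


def _nth_sunday(year, month, n):
    """Date of the n-th Sunday of the given month (naive datetime)."""
    first = datetime(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7      # weekday(): Monday=0 .. Sunday=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))


def eastern_offset(utc_dt):
    """Offset in force at the UTC instant utc_dt (post-2007 US rule)."""
    year = utc_dt.year
    # DST starts 02:00 EST on the 2nd Sunday of March  -> 07:00 UTC
    start = _nth_sunday(year, 3, 2).replace(hour=7, tzinfo=timezone.utc)
    # DST ends   02:00 EDT on the 1st Sunday of November -> 06:00 UTC
    end = _nth_sunday(year, 11, 1).replace(hour=6, tzinfo=timezone.utc)
    return DAYLIGHT if start <= utc_dt < end else STANDARD


def offset_hours_at(year, month, day, hour_utc):
    """Convenience: signed offset in whole hours at a UTC instant (-4 or -5)."""
    instant = datetime(year, month, day, hour_utc, tzinfo=timezone.utc)
    return int(eastern_offset(instant).total_seconds() // 3600)


def local_time_correct(utc_dt):
    """Apply the offset that applied when the file time was recorded."""
    return utc_dt.astimezone(timezone(eastern_offset(utc_dt)))


def local_time_naive(utc_dt, now_utc):
    """Apply the offset that applies *today* (the DIR behaviour above)."""
    return utc_dt.astimezone(timezone(eastern_offset(now_utc)))


def fmt(dt):
    return dt.strftime("%m/%d/%Y %I:%M %p")


# Constructed sample: a file time recorded as 12:34 UTC on 1 Jan 2020 ...
FILE_TIME_UTC = datetime(2020, 1, 1, 12, 34, tzinfo=timezone.utc)
# ... looked at on 6 June 2020, when EDT (UTC-4) is in force.
VIEWED_AT = datetime(2020, 6, 6, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("correct (Explorer):", fmt(local_time_correct(FILE_TIME_UTC)))   # 01/01/2020 07:34 AM
    print("naive   (DIR)     :", fmt(local_time_naive(FILE_TIME_UTC, VIEWED_AT)))  # 01/01/2020 08:34 AM
    print("GMT / --zulu      :", FILE_TIME_UTC.strftime("%m/%d/%Y %H:%M GMT"))
```

The GMT line never moves, which is the practical reason to report in GMT (the --GMT / --zulu options) when a case spans several months or several machines.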


64 Bit Version

GET diskcat64.exe   THIS IS A COMMAND LINE PROGRAM

The 64 bit version is almost identical to the 32 bit version. The 32 bit version should be able to process files in a 64 bit environment and the user should test both versions before any actual production use.

The only differences are that the 64 bit version has been recompiled and may run a little faster. Also, some of the options have slight modifications and the user should test each to see that it produces the correct output desired.

For instance, when creating an output file in the 64 bit version, headers and footers are defaulted in the output file. For those wishing to use the output in a process where it will be used as input to the next step, often these headers and footers must be removed to obtain "clean" data in the output file. The 64 bit version has had its output format options adjusted so that if an output log/accounting file (-1 filename) is created, then all headers and footers are eliminated from the output data file. This makes it easier to use that file in the next step of a batch or other process. Other option modifications have been made, such as the inclusion of seconds in the output record when the --milli option is chosen.

Also, some options in the 64bit version have been converted/ported to be environment capable, such as setting an environment variable for the recursion: SET RECURSE=ON. However, this same variable may have a different setting for each program, so be aware of its setting for the particular program.

So to summarize this segment. Check and test the options chosen to see which version 32 or 64 bit you wish to use.


PURPOSE

The program HASH.exe is designed to calculate the 128 bit MD5 hash of a file using the MD5 Message-Digest Algorithm from RSA Data Security, Inc. Depending on the options chosen, the user can bypass the hashing calculation, thus producing a plain catalog of every file on the disk, or can instead calculate the 32 bit CRC (CCITT) or any of the SHA (Secure Hash Algorithm) algorithms (160, 256, 384 and 512 bit calculations).

When running this program, and your registry key is set to allow last access date update please consider using the -R option, or RESET=ON (.ini file) for reset date so that you don't corrupt or alter the file last access date.

A sister program called HASH_LINES   is designed to provide an MD5 and SHA1 of individual lines of a text file. This is a simple command line program which only takes one item: the filename of the text file containing the lines of text to hash. The output is pipe delimited to the screen, and it can be redirected for import to Excel or another program.

MD5:

Searching any one of these, and many related sites, will give insight into the implementation and reliability of the MD5 algorithm.

http://andrew2.andrew.cmu.edu/rfc/rfc1321.html
http://www.columbia.edu/~ariel/ssleay/rfc1321.html
http://www.kashpureff.org/nic/rfcs/2200/rfc2202.txt.html
http://www.cs.auckland.ac.nz/~pgut001/cryptlib

These link(s) are excellent research pages, and included just for informational purposes.

SHA-1:

The NIST recognized SHA-1 and SHA-2 (256, 384, 512) Secure Hash Algorithms have also been implemented. Use of the (-s, -256, -384, -512 or -B) option will produce the various SHA calculations instead of the MD5. The SHA calculation is the only secure hash algorithm currently recognized by NIST. However, SHA-1 is "breakable", and I say that with a grain of salt.

Important
A NIST site   which talks about SHA1 collisions.
Research site  Which has actually caused a SHA1 collision. However it says it took 9,223,372,036,854,775,808 computations. That's a little more computing power than most have available. So personally, I think unless someone has a super computer, the SHA1 collision problem is probably safe for now.

File Integrity Verification

One of the unique things about this hash program is that when run on an NTFS file system it has the capability of creating Alternate Data Streams that contain among other information, the current hash value of a file. (--ADDADS option).

You may ask, why use this option, or what would I need it for? The best answer is, to create a checkpoint at a point in time of the hash of a file. This file could be an executable you use in day to day process, or it could be an evidence file.

Then at a later date you could ask the hash program to confirm that the current hash of the file is the same as it was on day one. If the hash is different, then you know that the file has changed in some way. This change may or may not be warranted or important. Maybe a virus has infected your executable, or some other unforeseen occurrence has altered your evidence data. Either way, wouldn't it be nice to know that the file's contents have changed?

Performing a hash check/validation on large numbers of files is relatively easy but can be time consuming. Everyone has that capability. However, this hash program with the --ADDADS option can check the original hash against the current hash for this one file only, thus saving a lot of time.

This validation requires another option to be initiated, and I'll leave it up to you to figure which one. After all, I can't give you all the answers.
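The checkpoint idea above, as an added example that is not HASH's own code and does not use its --ADDADS stream: a SHA-256 of the file is stored next to the file, and a later run verifies only that file against it. On Windows the store is an NTFS alternate data stream, addressed as `path:streamname` (that is how NTFS names streams); on other systems a sidecar file stands in so the example runs anywhere. The stream name `hash_checkpoint`, the file contents and the temp-directory walk-through are constructed for the example.

```python
"""Added example: per-file hash checkpoint kept in an NTFS alternate data
stream (Windows) or a sidecar file (elsewhere), then verified later.
"""
import hashlib
import os
import sys
import tempfile

STREAM_NAME = "hash_checkpoint"   # assumed name; not HASH's --ADDADS stream


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large evidence files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def checkpoint_location(path):
    """Where the stored hash lives: 'file:stream' on NTFS, a sidecar otherwise."""
    if sys.platform == "win32":
        return f"{path}:{STREAM_NAME}"
    return f"{path}.{STREAM_NAME}"


def write_checkpoint(path):
    """Record the current hash; returns the digest that was stored."""
    digest = sha256_of_file(path)
    with open(checkpoint_location(path), "w") as f:
        f.write(digest + "\n")
    return digest


def verify_checkpoint(path):
    """Return (status, stored_digest, current_digest) for this one file."""
    current = sha256_of_file(path)
    try:
        with open(checkpoint_location(path)) as f:
            stored = f.read().strip()
    except FileNotFoundError:
        return ("NO_CHECKPOINT", None, current)
    return ("MATCH" if stored == current else "MISMATCH", stored, current)


def demo():
    """Constructed walk-through: no checkpoint, then intact, then altered."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "evidence.bin")
        with open(p, "wb") as f:
            f.write(b"original evidence content\n")
        before = verify_checkpoint(p)[0]        # NO_CHECKPOINT
        write_checkpoint(p)
        intact = verify_checkpoint(p)[0]        # MATCH
        with open(p, "ab") as f:                # simulate an unwanted change
            f.write(b"tampered\n")
        altered = verify_checkpoint(p)[0]       # MISMATCH
    return before, intact, altered


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: an alternate data stream only survives NTFS-to-NTFS copies (a copy to FAT, a zip or a network share drops it), and whoever can alter the file can usually alter the stream beside it, so a detached reference file such as the HASHCMP workflow below remains the stronger record. Reading the file to verify it also opens it, which is exactly the last access time issue the -R option addresses.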


The SHA_V version has been validated by accredited labs as passing the FIPS 180-3 standard for the SHA1 (160 bit) algorithm.

More information in the SHA algorithm and certification can be found at: http://csrc.ncsl.nist.gov/cryptval and http://csrc.nist.gov/cryptval/140-1/1401labs.htm

SHA-2:

Hash also currently supports the NIST SHA2 versions of the Secure Hash Algorithm. There are three versions of SHA2: the 256, 384 and 512 bit versions. These options are implemented as: -256, -384, and -512. When using these options, the -s option may also be used, to get a full range of SHA values. A little bit of overkill.


Some "OLD" processing statistics:

Don't believe any run statistics you see anywhere. Run your own tests on your own hardware.

Some comparable hashing programs.

md5deep written by Jesse Kornblum can be found at: http://md5deep.sourceforge.net
fsum is from slavasoft.com at: http://www.slavasoft.com/fsum/overview.htm
hash and sha_verify can be found here at maresware.com.
If I have the authorship incorrect on any of these programs, please let me know.


Program Output:

The output record is normally (unless modified by the user) a 160 character record. I am telling you this because I can't tell you how many users run an output file, then open it with an editor and call and say, I get no MD5 value. My suggestion is look to the right of the screen. Here is a sample output (wrapped at 80 characters) for your information. The record line (the one beginning D:\TEMP\...) is actually one output line of 160 characters.

Notable Note: If you use the -z (for zulu) on the command line, the file time is displayed in GMT time. So in this case, since we are -4 from GMT, the time would show 10:06w GMT instead of the 06:06w EST.

**************************************************************
Program started Wed Apr 12 13:52:19 2000 GMT, 09:52 Eastern Standard Time (-4)
c:\utils\ntutils\HASH.EXE wsplit.hpj -o \tmp\junk

-------- BEGIN PROCESSING MD5 -----------
D:\TEMP\helpstuf\WSPLIT.HPJ 2DA1B0C315D7D92B42DD3F13B82D5704 173 04/09/1996 06:06w EST
-------- END PROCESSING MD5 -----------

Processed 0 directories, 1 files, 173 bytes:

Elapsed: 0 hrs. 0 mins. 0 secs.

*****************************************************************************

Processing NOTE:

When using the -O or -a (append to an existing output file) the lines that begin with

"-------- END PROCESSING MD5 -----------"

and the statistics on the bottom of the page are removed so the additional hash values can be added. Because of this, the final processing statistics


Processed 0 directories, 1 files, 173 bytes: 
Elapsed:  0 hrs. 0 mins. 0 secs.

will only reflect those for the current run. I do not attempt to keep a running total of the number of files (entries) in the output file. It is an easy matter to figure out how many entries are in the output file, just by opening it with a good text editor, and look at the line count.

The output of the program is intended to be placed in an output file for future reference such as verification that files were not altered. This is important when certifying that file contents were not altered during forensic examination or duplication for analysis.

If a file's contents were altered in any way the hash value calculated would be different from the original. The MD5 algorithm has been reviewed and tested by cryptologists and is one of the most secure. Security in this context means that no two files will ever produce the same hash value.

For documents describing the operation and reliability of the MD5 algorithm a search of the World Wide Web for MD5 will provide hundreds of sites and documentation.

The MD5 algorithm produces a 128 bit value (16 bytes, 32 printed HEX values) which guarantees (2 **128 or roughly 10 **38 ) no two files will produce the same value.

The SHA-1 algorithm produces a 160 bit value (20 bytes, 40 printed HEX values) and is a NIST certifiable algorithm. This algorithm produces unique values which guarantees file uniqueness.


Processing HASH/MD5 for Inclusion with your forensic software suites.

Output ONLY the MD5. This may be needed when you wish to import the MD5 values to a forensic software package that will accept ONLY the MD5 values. However, if you run HASH, you get other items output in addition to the MD5. So you may need to extract the MD5 values for inclusion into your next process. In order to do this, I have included here for your enjoyment a zip file containing a batch file (for you young guys, that's a script) which will run hash, then run filbreak to extract out only the MD5 value. What you do with it then is totally up to you.


OPERATION

Even though HASH is a 32 bit program it MUST be run from the command line. It will run under any of the current Windows operating systems, and there is also a Linux version that provides a virtually identical output format.

The user provides HASH with appropriate options on the command line. Hash can run from a batch file which means, for forensic purposes it can run unattended.

Run without any options,

(C:>hash)

HASH defaults to calculate the hash values of all files in the current default directory, and all sub-directories.

The user supplies various options to modify or enhance the program operation.

If no file type is provided, the default is all files (-f *.*). If no path is provided, the current default directory (-p .) is used as a starting point, and a recursive hash is done from there. Options are available for modifying how the program searches for files.

Depending on the options supplied by the user, the program can calculate the hash of a single file

(C:>hash anyfile)

or all files in a single directory

(C:>hash -p c:\this_dir -r)

or recurse an entire disk drive, by default.

(C:>hash -p c:\)

Hash can also search for specific file types (i.e. *.exe, *.bat), or search down selected paths. More than one file type, and more than one path can be used at once.

(C:>hash -p c:\this_dir c:\that_dir -f *.exe *.bat)

or display the filetime as GMT if the -z (zulu) option is added.

(C:>hash -p c:\ -z)

The file types and paths provided by the user on the command line are used to build a matrix which HASH uses to select files. If more than one path and/or file type is listed, hash builds a matrix and incorporates all the requested file types into the search in each path.

After HASH has determined it has enough information, it proceeds to find all the files requested and to calculate either the MD5, 32 bit CRC or SHA of the file. It then prints the values on the screen. If an output file was requested it writes to the output file. HASH does NOT write to the hard disk unless specifically requested by the user to create an output file.

The space allotted for the hash value in the output is generally maintained at a default of 40 characters to accommodate the largest SHA-1 output. This means that if the CRC was asked for, there is a lot of empty space in the output record.

Whatever output is chosen, the chances of two dissimilar files producing the same calculated values is slim to none. Both the 128 bit (MD5 hash) and the 32 bit Checksum are secure. The 32 bit checksum will produce duplicates about 1 in 4,000,000,000. The 128 bit is not worth mentioning. None of us will live that long. (Actually the chances of a duplication are 2 **128 which is roughly about 10 ** 38); and the SHA will be 2 ** 160, which is astronomical.

The output records are fixed length records that can be imported into a data base for reference and cross matching with a later generated output. The headers must first be removed for this to occur. Or the program can be run with the -v (no verbose) option to not print the headers and footers. If the -w option is used, the output record length is altered accordingly. But for any particular set of options, the output record sizes are identical.

Diskcat also has a capability with appropriate options to create a 32 bit Checksum, or MD5 values of the file.

File List Sources: In some instances, the user may provide a list of files that are to be hashed. This list can be derived from any number of sources that the user has available. The "list" processing is similar to the upcopy -s source_list process. The user provides a text file containing the full path of each file to hash, and the program reads that list and performs the required functions. Since this is a late add-on option, it has no single-letter -option mnemonic. Instead it is implemented with the linux style --source=listfilename option. See options below.

A NOTE of caution.

If using either version of HASH on a 32 bit OS (NT, XP, WIN9X) file system, the “LAST ACCESS” time of the file will be changed. The calculation of the hash value requires the opening of the file for reading. This means any time a hash is calculated for a file the “LAST ACCESS” time stamp is altered. If you don’t want last access time altered, use the -R* option to reset the access time. See also -t option. The preferred method of operation to capture the proper date and time, and perform the hash is a two line batch file.
(C:>hash -p c:\ -t3 -o output1)
(C:>hash -p c:\ -o output2)
The reader is encouraged to determine the functionality of these two commands.

VERY IMPORTANT NOTE:

Since the program allows the OS to reset the Last Access Time, if the user wishes to have the original access date of the file restored, then the environment variable RESET must be set, or the -R option must be used. Test the operation of the version of HASH you are using, and verify the output with MDIR.

In the 16 bit version, when run from a DOS reboot of a WIN9X system, the 16 bit version doesn’t alter the last access date of files. However, you only get the 8.3 DOS filename in the output. A tradeoff.

See ITS ABOUT TIME


OUTPUT

Here is a sample of the default output to a file. Everything between the two lines of ******* (stars) is what would be contained in the output file. The output record is normally 160 characters wide (including the CR/LF) and has been shortened for clarity. It begins with the C:\TMP\.... and ends with the Eastern Standard Time (EST/EDT:-5)

Depending on options used, the output record length is modified. However, it is always fixed in length based on the options chosen.

In some instances, the option: --NAMEAFTER, can be used to move the full path name to the end of the record. This allows the first part of the record to be fixed in length, and the last field being the name, will allow a variable length record.

*****************************************************************
Started Sat Dec 28 19:20:25 2002 GMT, 14:20 Eastern Standard Time (EST/EDT:-5)
C:\UTILS\NTUTILS\HASH.EXE sedline.txt -o junk

-------- BEGIN PROCESSING MD5 -----------
C:\TMP\sedline.txt 139AE24DA60488F77A251CB29A012628 34 07/03/2002 16:09w EST
-------- END PROCESSING MD5 -----------

Processed 17 directories, 1 files, 34 bytes:
Elapsed: 0 hrs. 0 mins. 1 secs.
**************************************************************

The items in the output file are:

1: Date and time the program was run
2: The command line that was run
3: The line  -------- BEGIN PROCESSING MD5 -----------
    indicates the beginning of the fixed length output records
4: The output records (fixed length) made up of:
     a: file being processed (full path)
     b: MD5 hash total (40 characters + 2 blanks) (or 40 blanks)
     c: File size
     d: File date
     e: File time (including NT time type (acw) if necessary)
     f: Time zone setting (if one is in use or set)
5: The line  -------- END PROCESSING MD5 -----------
     indicates the end of the fixed length output records
6: A line indicating how many files were processed.

The lines ----- BEGIN and ----- END ... are inserted so the users can easily identify the files processed. The ending parts (lines 5 and 6) are removed each time the file is appended to.

If comparisons against other runs need to be done, the files could be compared in a data base environment. The program HASHCMP has been specially designed to compare output files created by the HASH program.

A suggestion on how to use this program

Create a reference output file of all the programs on the disk. At a later date, create a second output file, and compare the 1st and 2nd using the HASHCMP program. If changes occurred, take action.

Here is a sample batch file to accomplish the above.

@echo off
rem  To obtain a reference file or a test file
rem  replace the -p C:\TOP_LEVEL  with a correct top level path of the source
rem  replace the REFERENCE.TXT with an output filename
rem  the first run should probably be a reference and
rem  the next run should probably be a testing run

hash -p C:\TOP_LEVEL -w 350 -v -d "|" -AT3 -8840E -r -o REFERENCE.TXT

rem NOW to find hash matched or mismatched, run one of the following commands
rem you don't need all of them
rem assume REFERENCE.TXT is the first hash set, and
rem TEST.TXT is the 2nd hash set
rem if you don't have hashcmp64, use hashcmp
rem hashcmp64 has a higher file limit of 1.5 million

rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x > DIFF_FILES.TXT
rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x -1 > FILES_ON_1_NOT_ON2.TXT
rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x -2 > FILES_ON_2_NOT_ON1.TXT
rem if you want an output compatible with Excel, use the -o option
rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x    -o DIFF_FILES.TXT
rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x -1 -o FILES_ON_1_NOT_ON2.TXT
rem hashcmp64  REFERENCE.TXT  TEST.TXT  -d 360  -l  32  -x -2 -o FILES_ON_2_NOT_ON1.TXT
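The reference-then-compare workflow that the batch file above drives with HASH and HASHCMP, as an added example that is not Maresware code: records are built fixed length and pipe delimited the way the -w / -d "|" / -v options ask HASH for, and a reference set is compared with a later test set to produce the three lists the hashcmp commands give (changed hashes, files only in set 1, files only in set 2). The field layout (path padded to a width, then SHA-256, then size), the C:\TOP_LEVEL paths and the two record sets are constructed for the example; real HASH records carry more fields.

```python
"""Added example: fixed-length hash records and a HASHCMP-style comparison
of a reference run against a later test run.
"""
import hashlib

PATH_WIDTH = 60     # stands in for -w (the batch above uses 350)
DELIM = "|"         # stands in for -d "|"


def make_record(path, data, width=PATH_WIDTH):
    """One record: path padded to `width` | SHA-256 (64 hex) | size (10 wide)."""
    if len(path) > width:
        raise ValueError(f"path longer than -w {width}: {path}")
    digest = hashlib.sha256(data).hexdigest().upper()
    return f"{path:<{width}}{DELIM}{digest}{DELIM}{len(data):>10}"


def parse_record(line, width=PATH_WIDTH):
    """Inverse of make_record: (path, digest, size)."""
    path = line[:width].rstrip()
    digest, size = line[width + 1:].split(DELIM)
    return path, digest, int(size)


def load_set(lines, width=PATH_WIDTH):
    """Map path -> digest for a set of records (blank/header lines skipped)."""
    return {p: h for p, h, _ in (parse_record(l, width) for l in lines if l.strip())}


def compare(ref_lines, test_lines):
    """The three hashcmp views: -x (changed), -1 (only in 1), -2 (only in 2)."""
    ref, test = load_set(ref_lines), load_set(test_lines)
    both = ref.keys() & test.keys()
    return {
        "changed":   sorted(p for p in both if ref[p] != test[p]),
        "only_in_1": sorted(ref.keys() - test.keys()),
        "only_in_2": sorted(test.keys() - ref.keys()),
    }


# Constructed file contents for the reference run and the later test run
REFERENCE_FILES = {
    r"C:\TOP_LEVEL\bin\tool.exe":    b"MZ original tool",
    r"C:\TOP_LEVEL\bin\helper.dll":  b"helper v1",
    r"C:\TOP_LEVEL\docs\readme.txt": b"read me",
}
TEST_FILES = {
    r"C:\TOP_LEVEL\bin\tool.exe":    b"MZ original tool",       # unchanged
    r"C:\TOP_LEVEL\bin\helper.dll":  b"helper v2 (modified)",   # hash changed
    r"C:\TOP_LEVEL\bin\dropped.exe": b"new file",               # only in set 2
}   # readme.txt is gone from the test run -> only in set 1


def run_demo():
    """Build both record sets, confirm they are fixed length, and compare."""
    ref = [make_record(p, d) for p, d in REFERENCE_FILES.items()]
    test = [make_record(p, d) for p, d in TEST_FILES.items()]
    lengths = {len(r) for r in ref + test}
    if len(lengths) != 1:
        raise RuntimeError("records are not fixed length: " + str(lengths))
    return compare(ref, test)


if __name__ == "__main__":
    for name, paths in run_demo().items():
        print(name, paths)
```

Because every record has the same length, a field sits at a fixed column, which is what lets tools such as search.exe (see the search.par sample further down) be pointed at the hash field by displacement and length instead of re-parsing each line.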

and a batch file to calculate SHA values, and then search the output for suspect values
using search.exe

hash -p unix -256 -v -o 256bit_hashes -w 255 -d "|"  -1 logfile -C CPU01


rem  -p unix  == top level path to start at. could be c:\
rem  -256     == run the 256 SHA
rem  -v       == do not put headers on the file
rem  -o filename  == choose an output file, use -O uppercase to append
rem  -w 255   == make pathname in output 255 characters,
rem  -d "|"   == delimit output record
rem  -1 logfilename   == create an accounting file to reference later
rem  -C  CPU01 == add comment before record to identify which computer is source

rem  check the output file, and make sure no alternate data streams were hashed
rem  as they sometimes corrupt the record length.


search 256bit_hashes junkout search.par



rem  search.par contains the "parameters" about the file to be searched
rem  in the above example, the total record length and blocksize is the 
rem  1st two lines.
rem  lines 3 and 4 are important, count from 0 and set the displacement
rem  and length of the 256 bit field.
rem  don't blink. this program kicks speed ass.


rem  SAMPLE search.par to go with above script
rem  482
rem  482
rem  305
rem  64
rem  95769AB74AB2C629CCCCBB13830A7CC888E7799F1661E50ED75392A48A65D095
rem  3BA97265EF60FB613D0C2BE603765553E028B4E18E1657F88DC89DB125753975
rem  add as many sha values as you want.


ITS ABOUT TIME


Windows file times are maintained using three different values. There is the “Creation Time” (when the file was originally created or written to that disk media), the “Last Write Time” (last time the file was written/modified), and the “LAST ACCESS DATE/TIME” (last time the file was accessed).

For FAT32 file systems, for the last access date and time field, only the date is maintained. The last access time on FAT32 file systems is always 00:00. Assume all references to WIN9x and NTFS take this into consideration.

Prior to Windows Vista, when a file was touched/opened, the last access date was altered. From Vista onward, Windows has the last access date update turned off by default. By checking and setting the appropriate registry key, the last access date update can be turned on.
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Name: NtfsDisableLastAccessUpdate
Type: REG_DWORD
Value: 1
A value of 1 turns last access off. Value of 0, sets last access update.
There are some other links to date/time articles at this page:

BUT BE ADVISED THAT REGARDLESS OF THE SETTING OF THE KEY, PROGRAMS CAN ALTER THE LAST ACCESS UPDATE AT WILL. THE DEFAULT PARAMETER IS MERELY A GUIDE THAT WINDOWS USES TO SET ITS MAC DATE/TIMES.

Prior to Vista et al., almost every application that opens a file for reading changes the “LAST ACCESS” time of the file. This means if you use a program that merely “views” the contents of the file, you may very well be altering the “LAST ACCESS TIME” of the file. If this is a major concern, and in some investigations the last access time could be very important, determine before hand whether the particular application alters the access time. (You may use the 32 bit version of MDIR to verify file time alterations.) At the very least, you will be altering that part of the disk where the last access time is stored. (The windows TYPE, MORE, and PRINT commands, OutsideIn, Quick View Plus and many others all alter access times). Unless you have tested and confirmed otherwise, assume all programs alter last access time.

If you use CRCKIT, HASH, or (DISKCAT with the -h or crc option) the last access time is changed by the operating system every time the program is run. (the HASH -t3 option does not open files, and thus is the only hash option that doesn’t change the access times).

If you want to have the program attempt to RESET the last access time back to its original value, you can do it in one of two ways. The first way is to use the -R option. The -R option tells the program to attempt to reset the last access time to the original value before the program ran. This will be accomplished successfully on all files except those “LOCKED” by the operating system. Those files are traditionally the system files. They can never have their last access time reset.

The second way is to set an environment variable called RESET. (set RESET=1) If the program detects the RESET variable, it will always attempt to reset the access time to its original value. This is identical to the -R option.

Setting/resetting the last access time could have evidentiary consequences, and the user should be certain that a sound explanation is available.

After the file has been opened and the calculation has been made, if the -R (RESET) option is set, the file times will be maintained and not altered. However, there are some concerns:

1. Even though the last access time is reset to the original before the program examined the file, the program is technically changing the disk. The disk is first changed by the operating system to set a current last access time and then the -R causes the program to reset the file time to the original. The ultimate effect is no change in substance (the value of "LAST ACCESS TIME" is as it was before the program was run). However, the disk has actually been changed twice. Once by the system, and once by the program.

2. If the file being looked at is a system type file (in use by the operating system) or if the file has a readonly attribute set, then the program cannot replace the original file access time, and the new one, set by the operating system is used. This definitely produces a change in the last access time. Again the program has no control over this. It is the operating system which sets the time. The program does however produce a message on the screen that it cannot reset the file time. So the user will be able to determine which files have had times changed.
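What the -R / RESET=ON behaviour amounts to, as an added example that is not HASH's code: capture the access time before the file is opened, hash it, and put the original time back, reporting when the reset was not needed or could not be done rather than silently leaving the OS time in place (the locked/read-only case in point 2). It uses the portable os.stat / os.utime calls, so it runs on Linux as well as Windows; the sample file, its contents and the pushed-back access time are constructed so the read is sure to move the access time on filesystems that update it.

```python
"""Added example: hash a file and restore its last access time afterwards,
reporting what happened the way the page says HASH does on screen.
"""
import hashlib
import os
import tempfile


def hash_and_reset(path, algo="md5", reset=True):
    """Return (hexdigest, status); status is one of
    'RESET', 'NOT_NEEDED', 'FAILED', 'SKIPPED'."""
    st = os.stat(path)
    atime_ns, mtime_ns = st.st_atime_ns, st.st_mtime_ns   # capture before opening
    h = hashlib.new(algo)
    with open(path, "rb") as f:                            # this open is what moves atime
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    digest = h.hexdigest().upper()
    if not reset:
        return digest, "SKIPPED"
    if os.stat(path).st_atime_ns == atime_ns:
        # OS did not touch it (NTFS update disabled, noatime, relatime window ...)
        return digest, "NOT_NEEDED"
    try:
        os.utime(path, ns=(atime_ns, mtime_ns))            # put the original back
        return digest, "RESET"
    except OSError:
        # locked / read-only / no permission: the OS-set time stands, as point 2 says
        print(f"cannot reset file time: {path}")
        return digest, "FAILED"


def demo():
    """Constructed run in a temp directory; returns what a reader would check."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.txt")
        with open(p, "wb") as f:
            f.write(b"evidence bytes\n")
        old_atime_ns = 1_577_836_800 * 10**9               # 2020-01-01 00:00:00 UTC
        os.utime(p, ns=(old_atime_ns, os.stat(p).st_mtime_ns))
        digest, status = hash_and_reset(p, "md5")
        restored = os.stat(p).st_atime_ns == old_atime_ns
        expected = hashlib.md5(b"evidence bytes\n").hexdigest().upper()
    return {"digest_ok": digest == expected, "status": status, "atime_restored": restored}


if __name__ == "__main__":
    print(demo())
```

Even when the status is RESET, the disk was written twice (once by the OS, once by the reset), which is point 1 above; the -t3 option, which does not open files, is the only way to avoid that entirely.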

Some examples of how NTFS treats different operations.

A (+) plus sign means this time is altered, and is usually the current time; a (-) minus sign means the time is left as is; the (*) means the write time of the source file is maintained on the new file.

                           Effect on:
Operation            Access  Create  Write
COPY (source)          +       -       -
COPY (dest.)           +       +       *   (write time of the source is used)
PRINT                  +       -       -
MSWORD (save)          +       +       +
MSWORD (print)         +       -       -   (close without alteration)
Quick View Plus        +       -       -
DIR (FILE MANAGER)     -       -       -

The last access date for FAT32 file systems only maintains the date of access and not the time.

The last access time of NTFS file systems is updated only in hour increments. This means you could access a file three times within one hour, but only one time update would occur. (Microsoft could change this at any time, so do your proper due diligence when this is an important factor.)

When working with the 32 bit operating systems you should familiarize yourself thoroughly with the consequences and side effects of altering file times when using any programs that open/view or copy files.

Also, take note of the CMOS time settings on the suspect computer with regard to time zone, Daylight Saving Time, and the local time the computer is maintaining. Some of these settings can be altered/set within the autoexec.bat of the suspect computer. Any or all of these settings affect the way the file times are displayed on your forensic machine if the settings are not identical.

This is not an absolute, just a caution. For this reason, HASH and CRCKIT have options (-Z[ulu]) to "normalize" the times from local to UTC/GMT. If you are dealing with many computers from time zones other than your own, you might want to work in GMT. This should eliminate any differences in machine settings, with the caveat that the suspect's machine originally had a time set that was reasonably accurate for his/her time zone. I suggest the investigator check for time anomalies on files created on differing systems.

DON'T FORGET:

Any read/open/view etc. of the file by almost any program WILL BE ALTERING THE HARD DISK, AND EVIDENCE.


OPTIONS

 Usage: hash    -[options]

At least one initial file or path is recommended. For additional paths or file types use the -p and/or -f options. If only a file name is used, the current default path is used, and recursed from there.


This program is INI capable. INI keywords are shown in [BOLD].
An important item to remember when naming the ini files: each program has an internal filename built into the exe. For instance, the hash program has an internal name of hash.exe. When it searches for an ini file it ONLY searches for one named hash.ini (or for a section in maresware.ini headed [HASH]). If you rename the executable to hash_xyz.exe and can't figure out why some options are still being installed, it is because the program is still finding an ini file named hash.ini and processing its contents. If you wish hash_xyz to NOT process any ini contents, then you MUST rename hash.ini to something inconsequential, like: hashini. This way the program cannot match its internal name, HASH, with any current ini file.

First thing to consider: the command line options take precedence over the INI settings. So if a similar but different option is given on the command line, the command line setting is the one used. I.e.: if the command line had -TW (for write time), and the INI file had TIME=3 (meaning show all three times), only the last write time would be shown, based on the command line option. That is item one to know.

INI settings are used in conjunction with command line arguments. The INI settings, as in most programs, take effect for the whole run. However, there are up to four INI files (two diskcat.ini and two maresware.ini) which can be in two places at once, but only one of the files takes effect, so the priority of evaluation is very important. Study this priority well and practice.

First off: the INI file located in the directory from which the program is run will take effect. So if the program is run as, say, c:\tmp\diskcat.exe, then the c:\tmp\diskcat.ini contents would be used; if there is no c:\tmp\diskcat.ini, then c:\tmp\maresware.ini is looked for and processed. Again: if there is no c:\tmp\diskcat.ini in place, but there is a generic c:\tmp\maresware.ini (which is generic for all Maresware programs), then c:\tmp\maresware.ini would be used. If neither is found, then no INI file is processed.

Now comes the sticky part. Suppose the system path is set to run all the Maresware programs from, say, c:\generic_system_files, and there is a diskcat.ini and a maresware.ini in that location. You have placed all the Maresware .exe programs in that folder as well, and it is in the environment path: set path=%path%;c:\generic_system_files;
The folder you are running the program from doesn't have the diskcat.exe, the diskcat.ini or the maresware.ini files in it, which is most probably the situation. What happens then is: the system finds and executes the diskcat.exe program from the system path. The program then looks for diskcat.ini in the path from which it is being run. If it finds one, it executes the ini commands. If it doesn't find diskcat.ini, it then searches for maresware.ini. If it finds that one, it executes the appropriate diskcat command section.

Following is a sample diskcat.ini file with most, if not all, of the appropriate keywords that diskcat will recognize.

The only difference between a program-specific ini (i.e. diskcat.ini) and the generic maresware.ini is that in maresware.ini each program has its own section, identified by the program name in [square brackets] at the beginning of that program's ini options. So a generic maresware.ini might have one section per program, as seen here:
[DISKCAT]
TIME=3
MILLI=ON
WIDTH=100
[HASH]
WIDTH=200
TIME=W
RESTORE=ON
[UPCOPY]
RESTORE=ON

Notice how the program sections were separated/identified by the program name in [BRACKETS].
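The lookup order just described (program-specific ini in the exe's directory first, then the program's own section of maresware.ini, then nothing, with command line options overriding whatever the ini supplied) is easy to get wrong when diagnosing "why are options still being installed". The following is an added Python model of that order; it is not Maresware code, and the file paths, contents and function names (resolve_ini, effective_settings) are constructed for the example. The key point it encodes is that the lookup uses the name compiled into the exe (HASH), not the on-disk exe filename.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed in-memory stand-in for the files on disk (paths and contents are
# made up for this example): maps a full Windows path to the file's text.
SAMPLE_FILES = {
    r"C:\tmp\maresware.ini": (
        "[DISKCAT]\nTIME=3\nMILLI=ON\nWIDTH=100\n"
        "[HASH]\nWIDTH=200\nTIME=W\nRESTORE=ON\n"
        "[UPCOPY]\nRESTORE=ON\n"
    ),
    r"C:\generic_system_files\hash.ini": "WIDTH=120\nTIME=A\n",
    r"C:\generic_system_files\maresware.ini": "[HASH]\nWIDTH=300\n",
}


def _parse_program_ini(text):
    """A program-specific ini (hash.ini) is bare KEY=VALUE lines, no section header."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def _parse_generic_section(text, section):
    """Return the [SECTION] of a maresware.ini as a dict, or None if it is absent."""
    cp = configparser.ConfigParser()
    cp.optionxform = str.upper  # keep keys uppercase, matching the page's examples
    cp.read_string(text)
    return dict(cp.items(section)) if cp.has_section(section) else None


def resolve_ini(exe_dir, internal_name, files=SAMPLE_FILES):
    r"""Find the ini settings the program would load, in the order described:
    1. <exe_dir>\<internal_name>.ini            (program-specific file)
    2. the [INTERNAL_NAME] section of <exe_dir>\maresware.ini
    3. nothing.
    internal_name is the name built into the exe (HASH), not the on-disk exe
    filename, which is why renaming hash.exe to hash_xyz.exe changes nothing."""
    exe_dir = PureWindowsPath(exe_dir)
    specific = str(exe_dir / f"{internal_name.lower()}.ini")
    if specific in files:
        return specific, _parse_program_ini(files[specific])
    generic = str(exe_dir / "maresware.ini")
    if generic in files:
        section = _parse_generic_section(files[generic], internal_name.upper())
        if section is not None:
            return generic, section
    return None, {}


def effective_settings(ini_settings, cmdline_settings):
    """Command line wins: -TW on the command line beats TIME=3 in the ini."""
    merged = dict(ini_settings)
    merged.update({k.upper(): v for k, v in cmdline_settings.items()})
    return merged


if __name__ == "__main__":
    for exe_dir in (r"C:\generic_system_files", r"C:\tmp"):
        src, ini = resolve_ini(exe_dir, "hash")
        print(exe_dir, "->", src, ini)
        print("   with -TW on the command line:", effective_settings(ini, {"TIME": "W"}))
```

Renaming hash.ini to hashini in the model (dropping that key from the dictionary) makes the lookup fall through to the [HASH] section of maresware.ini, exactly the behaviour the paragraph above warns about.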


All options should be preceded by a (-) minus sign. Some can be grouped together, and others, where specified, MUST be grouped without a space. The options are grouped where appropriate.

DO NOT include the + sign or the colon (:) in your command line. The + sign is used to indicate that this option takes a modifier or additional information.

Some options, because they deal with specific 32 bit items like MD5 or file times, are only active in the 32 bit version running on an appropriate file system.


Cliff Notes Version Options
-p + path(s):                paths to search.   -p  c:\windows  f:\evidence
-f + filespec:               files to search    -f  *.jpg  *.gif *.xyz
--source=listfilename:       file containing fullpaths of files to hash.
-x + filespec:               e(x)clude, do not process these files.       -x  *.exe *.dll

-oO + filename:              Output file name. (uppercase O==Overwrite)   -o  f:\case_x\hashes.txt
-oO + YY[YYMMDDhhmmss[=:]literal_text]: output filename with todays date
-a:                          Append to output filename. Same as uppercase -O outputfile
-d + “delimiter”:            Field delimiter, e.g. a pipe:                -d "|"

-r:                          DO NOT recurse the directory. Default is program recurses the -p path.
--norecurse:                 Turns off (do not) recurse tree.

--recurse:                   Recurse tree. (this is the default)

-P, -P[=nn]:                 Pause screen output after every 20 lines, or nn lines for larger screens.

-w + #:                      Set filename width to # characters.         -w  120
-V:                          Make output file variable fields. Pipe delimiter automatic.
--variable:                  Make output file variable fields. Pipe delimiter automatic.
-M:                          AUTO-ADJUST filename width to longest found. 
-i:                          Proceed immediately. This negates the -M option.

--showlong:                  Process only files with path over 260 characters
--showlong=xx:               Process only files with path >= xx characters.

-1 + filename:               file which will contain accounting/log information. -1  logfilename.txt

--NAMEAFTER:                 Place filename at end of the record.        ABCD1234   path\filename.xyz 

--sequence[=####]:           Add a sequence number before each output record.
-v:                          Silent run. NO VERBOSE accounting to screen. 
--NOHEADER:                  Silent run. NO VERBOSE, do not print headers in output. 

-N:                          Provide in the output only the path/filename. NO hash calculation or dates/sizes
-n:                          Strip the path from the filename, and list only the filename itself, NO calculations done.
-8:                          Add the DOS 8.3 filename to the end of the record.
-88:                         Add the uppercase Long File Name to the end of the record. 
-88xx:                       Add xx wide filename to end of record.

--UNICODE=unicode_filename:  Output file with unicode names. Not plain text
-C + "comment":              Add a "comment" to the beginning of every record.    CASE#1234 |  filename | MD5.... 
-C + COMPUTERNAME[[xx]=xx]:  Modified -C option. Literal COMPUTERNAME comment section(see below)

-s:                          Produce ONLY SHA1, 160 bit SHA output.
-B:                          Produce Both the MD5 and SHA of a file.
-256:                        Include the 256 bit SHA2 calculation. 
-384:                        Include the 384 bit SHA2 calculation.
-512:                        Include the 512 bit SHA2 calculation. 
-c:                          Produce ONLY the 32 bit CRC output instead of MD5 hash.
-A:                          Produce MD5 and ALL three (3) file times.
 
-g + #:                      files greater than or equal ">=" # days old.              -g 100   (days)
--older=#:                   files greater than or equal # days old.                   --older=100
--older=yyyy-mm-dd:          files greater than or equal # days old.                   --older=2021-10-01
-g + yyyy-mm-dd[acw]:        files before this date, (YYYY-MM-DD preferred format)     -g 2021-01-01

-l + #:                      files less than or equal "<=" # days old (ell, not one),  -l 100  (days)
--newer=#:                   files less than or equal # days old,                      --newer=100
--newer=yyyy-mm-dd[acw]:     files less than or equal this date,                       --newer=2021-10-10
-l + yyyy-mm-dd[acw]:        files less than or equal this date, (YYYY-MM-DD preferred format) -l 2021-10-10

-t[acw3]:                    Show this/these times. Access, Create, M(w)modify, all 3, -ta displays: 10-20-2019
-T[acw3]:                    Show this/these times. Access, Create, M(w)modify, all 3, -Ta displays: 2019-10-30
-t0:                         DO NOT display file times.
--reverse=on:                Reverse time display to YYYY-MM-DD, same as -T, 2012-30-30

-R:                          Reset (access) file times to original 
--reset:                     Reset (access) file times. May or may not work, depending on the OS being used.
--noreset:                   Allow OS to reset last access to current time.

-z: --zulu: --GMT:           Display times in GMT/Zulu time zone. ini: ZULU=ON  
--ZULU=OFF:                  Use to turn off GMT time when ini ZULU=ON is found
--MILLI:                     Add milliseconds to time.      10-30-2012  12:34:56:789

-L + #:                      Files less than this size      -L 10000   (bytes)
--lessthan=#:                Files less than this size      --lessthan=10000
--smaller=#:                 Files less than this size      --smaller=10000
-G + #:                      Files greater than this size   -G 10000   (bytes)
--bigger=#:                  Files greater than this size   --bigger=10000
--greater=#:                 Files greater than this size   --greater=100000

--ADDADS:                    Adds an Alternate Data Stream (NTFS only) containing hash value to the file.
--ADS_COMP:                  Compares the current hash (NTFS only) to the one stored in the alternate data stream by a previous --ADDADS run.
                             NOTE: it is suggested you also use --ADSONLY so only files with an ADS are processed.

--ADSONLY:                   Process ONLY files containing (NTFS only) Alternate Data Streams.
--NO_ADS, --NOADS, --NO-ADS: DO NOT include the Alternate Data Streams (NTFS only) .
-S, --stream:                DO NOT include the Alternate Data Streams (NTFS only) .
-D #[,#]:                    (upper case -D). start processing # bytes in from file, for [,#] this many bytes.

War and Peace Version of Options

-p + path(s):  If more than one directory is needed to be looked at, then add the paths here as appropriate. (hash -p c:\windows    d:\work)   [PATH=path]

-f + filespec:  If more than one file type is needed, add them here. (hash -f   *.c   *.obj   *.dll)   [FILES=filetype]

If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>hash c:\work\*.c -f *.dll -p d:\windows)

-x + filespec:  e(x)clude these file types from listing. Maximum of 100 file types accepted. (same format as -f option) (hash -f *.* -x thesefiles.txt) [EXCLUDE=filetype]

-oO + filename:  Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. (hash -o outputfile.txt) [OUTPUT=filename]


-oO + [OUTPUTNAME]YY[YYMMDDhhmmss][=:][OUTPUTNAME][Gg]:     This format allows the output file to be easily identified as to when it was created. The addition of the YY.... format causes the output file to be named with the current date/time based on the mask used, and a .txt extension is added unless the user includes an extension in the mask name. If this format is used, the -a append option is automatic and the -v no-verbose option is also automatic.

This option has a number of variations. Read and test profusely. You do know how to do that, don't you.

The basic idea is to create an output filename containing the date and time (depending on which YYYYMM.. etc. modifiers are used) the program was run. The user can also add a textual filename either preceding or following the generated date-time name. The format for this output filename creation is convoluted.

If you include the preceding [NAME] text, then the name provided is prepended to the date string created (see below for the trailing filename format). With specific additions of an actual NAME the output name can be modified to have a leading textual name.

If the trailing "filename format" (not recommended without extreme testing) is included as part of the output name, you must use either the "=" or ":" delimiter in the trailing mask, or else it is ignored. The minimum is that YY be the first item. Then you can add additional modifiers to refine the output name. This option is especially helpful when you are creating the catalogs with batch scripts run periodically; then, depending on the mask used, the output filename will reference the date and time of the run. The modifiers are case dependent, and add the following:

[OUTPUTFILENAMEROOT] testrun
YY = two digit year, 12, or
YYYY = four digit year, 2012,
MM = two digit month, 07,
DD = two digit day, 31,
hh = two digit hour, 22,      local or GMT depending on the terminating G. see below.
mm = two digit minute, 30,
ss = two digit seconds, 15, and optional GMT indicator
G or g = convert hours to GMT hours
[=:]filename text as the filename (adds the literal to the filename). Prepend FILENAME-YYMMDD... is preferred over this format.


The preferred filename format is to use the FILENAME before the date time, so an option of
-o NAMEYYYYMMDDHHmmss or -o NAMEYYYYMMDDHHmmssG yields with or without +5 GMT conversion
NAME20231111_101313.txt    or   NAME20231111_151343.txt

-o YYMMDDhhmmss or YYMMDDhhmmss without a textual filename would result in,
231111_101548.txt
Notice that after the 2 digit year, YYMMDD date, there is an embedded underscore before the time. Sorry, this is the way it is. (hash -o YYMMDD )

-o YYYYMMDDhhmmss yields 4 digit YYYY
20231111_101647.txt

-o YYYYMMDDhhmmss=NAME or YYYYMMDDhhmmss:NAME yields output name of
20231111_101921NAME.txt

--PNAME:   (minus minus - - PNAME) If using the above YY... format, you can also prepend to the output filename the actual name of the program being run. So that if you use --PNAME when running hash, the name HASH will preceed the filename such as:
hash -o YYYYMMDDhhmmss=NAME --PNAME yields program name before, and filename after
HASH_20231111_102025NAME.txt

There are probably other variations of the date inclusion. But I'm tired of adding them.
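Because the mask rules above are spread over several paragraphs, here is an added Python model of the naming convention as the examples show it: leading text before YY is kept, YYYY or YY must start the date part, an underscore separates date from time only when a time part is present, G/g converts to GMT, "=text" or ":text" is appended, --PNAME prefixes the program name, and .txt is added unless the name already has an extension. This is not Maresware code; the run time, the accepted mask grammar (including HH as an alias for hh, which the page uses in one example) and the function name build_output_name are assumptions of the example. A leading text that itself contains "YY" is not handled.

```python
import re
from datetime import datetime, timedelta, timezone

# Date-mask grammar: YYYY or YY first, then optional MM, DD, hh, mm, ss, an
# optional trailing G/g (convert to GMT), then optional "=literal" or ":literal".
# Accepting HH as well as hh for the hour is an assumption (the page shows both).
_MASK_RE = re.compile(r"^(YYYY|YY)(MM)?(DD)?(hh|HH)?(mm)?(ss)?([Gg])?(?:[=:](.*))?$")

# Constructed run time: 2023-11-11 10:13:13 in a UTC-5 zone, so the G modifier
# moves the hour to 15, matching the "+5 GMT conversion" shown in the text.
SAMPLE_RUN_TIME = datetime(2023, 11, 11, 10, 13, 13,
                           tzinfo=timezone(timedelta(hours=-5)))


def build_output_name(mask, now=SAMPLE_RUN_TIME, pname=None):
    """Turn a -o mask such as NAMEYYYYMMDDhhmmss or YYYYMMDDhhmmss=NAME into the
    dated output filename. `pname` is the program name to prefix when --PNAME
    is used (e.g. "hash"). A mask without YY is a plain filename, returned as is."""
    pos = mask.find("YY")
    if pos < 0:
        return mask
    prefix, rest = mask[:pos], mask[pos:]
    m = _MASK_RE.match(rest)
    if m is None:
        raise ValueError(f"unrecognized date mask: {mask!r}")
    year, month, day, hour, minute, second, gmt, trailing = m.groups()
    t = now.astimezone(timezone.utc) if gmt else now
    date_part = t.strftime("%Y" if year == "YYYY" else "%y")
    if month:
        date_part += t.strftime("%m")
    if day:
        date_part += t.strftime("%d")
    time_part = "".join(t.strftime(fmt) for flag, fmt in
                        ((hour, "%H"), (minute, "%M"), (second, "%S")) if flag)
    name = prefix + date_part + ("_" + time_part if time_part else "") + (trailing or "")
    if pname:
        name = pname.upper() + "_" + name
    if "." not in name:          # .txt is added unless the mask carries an extension
        name += ".txt"
    return name


if __name__ == "__main__":
    for mask in ("NAMEYYYYMMDDhhmmss", "NAMEYYYYMMDDhhmmssG", "YYMMDDhhmmss",
                 "YYYYMMDDhhmmss", "YYYYMMDDhhmmss=NAME", "YYMMDD", "hashes.txt"):
        print(f"-o {mask:24} -> {build_output_name(mask)}")
    print("--PNAME:", build_output_name("YYYYMMDDhhmmss=NAME", pname="hash"))
```

Run it with a different SAMPLE_RUN_TIME (or pass datetime.now().astimezone() as `now`) to see what a scheduled batch run would produce before committing to a mask.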


--UNICODE=unicode_filename:  This option opens and creates a file of the name given as unicode_filename. If the file exists, IT IS ALWAYS OVERWRITTEN. It is independent of the -o options when creating output files. This option causes an additional output file (which is always overwritten, so if it exists, copy the current output to a safe place) to be created with minimal information, written with the correct Unicode characters representing the filename. It also contains the file size, dates and times, and, if chosen, the MD5 and SHA values. It is pipe (|) delimited without headers. This output should only be examined using an editor that can properly interpret true little-endian 16 bit Unicode characters. This option is similar to the --UNICODE=... option found in the upcopy and hash programs.

-a: append output to filename provided in -o option. Serves same purpose as using an upper case O. (hash -a appended_to_output_filename.txt) [APPEND=[ON|OFF]]

-1 + filename:  (that's a one, not ell) The filename here is a file which will contain accounting/log information about the run. It is always appended to, and contains the command line and statistics about how many files were processed and the time of the run. The file can later be used as a batch file for duplicating the runs. The ACCT environment variable can also be set (SET ACCT=logfilename), or use the .INI option [ACCT=filename]. The order of priority is: Environment, INI file, Command Line option. To explicitly turn it off use a +1. (hash -1 logfile.txt)
In addition, when using a logfile you will get information as to the record length (since it is almost always a fixed value, but can change depending on the options used) and the location, counted from position 1, of the MD5 or SHA value. This is useful when needing to input its specific location to additional programs like hashcmp or hash_dup.

-C + "comment"  Add a "comment" to the beginning of every record. This is very useful when ultimately merging many outputs from different locations or for different cases: the comment can uniquely identify the sources of the hash values. Example, (-C SUSPECT_CPU#1). The resulting output records would look something like this: (hash -o outputfile.txt -C SUSPECT_CPU#1)

-C + COMPUTERNAME[[xx]=xx]  A special version of the -C option. If the literal COMPUTERNAME (all uppercase) is used, then the program will find the name of the computer and insert it there. This is kind of like a wildcard substitution: the user lets the system decide what to put there, which can then uniquely identify the source computer of the hash values. Example, (-C COMPUTERNAME). The resulting output records would look something like this: "CPU-2_ATLANTA C:\WINNT\....\filename etc.". If the xx or the =xx is given as a numeric value, then the computer name field is made this many characters wide. (-C COMPUTERNAME20, or -C COMPUTERNAME=20) becomes: "CPU-2_ATLANTA         C:\WINNT\....\filename etc.". The =xx version is preferred.

-S:  If the file system is NTFS, this option causes all Alternate Data Stream files to NOT be processed also. (hash -S ) DO NOT show data streams. [STREAM=[ON|OFF]]

Hash calculation options: (-s -A -B -c -256 -384 -512) Default option is MD5 128 bit for HASH, and -s (SHA1 160bit) for SHA_V.

Most of the hash calculation options can be combined to include multiple calculations. In most cases the MD5 is included by default with other choices (except the -s option; see the -B option below). Try each combination to find the one that's right for you.

If you want ONLY the MD5 value in the output, you must run the MD5.exe program with the --ONLYMD5 option. The MD5 value only output is needed for many forensic suites to include the MD5 values in their tests.

-s:  produce the 160 bit SHA output instead of the 128 bit MD5 hash. (Default in SHA_V program)

Note: in the SHA_V program, the 128 bit MD5 is turned off by default, and the SHA1 (160 bit, -s option), is turned on by default. To get both MD5 and SHA1, use the -B option. For ONLY the MD5, use -h. Some of the following SHA2 algorithms may be mutually exclusive in the SHA_V version.

-B:  produce Both the MD5 and SHA of a file. (This option available only for 32 bit version.)

-256:  produce the 256 bit SHA2 calculation. (not compatible with default MD5 128 bit)

-384:  produce the 384 bit SHA2 calculation. (not compatible with default MD5 128 bit)

-512:  produce the 512 bit SHA2 calculation. (not compatible with default MD5 128 bit)

-c:  produce a 32 bit CRC output instead of the 128 bit MD5 hash.

-A:  This is a very special option. It causes the hash to be computed, and also includes all three (3) file date/times in the output. The original access date is captured and maintained in the output record even though, after the hash calculation is performed, the current access date is modified. This output record is very large (over 180 characters wide). This option also includes the file attributes in the output record. In effect, it gives you almost everything you would want to know about the file (except the file type based on header). (THIS OPTION IS ONLY AVAILABLE IN THE 32 BIT VERSION)

Note: The use of -256, -384, -512, will provide each of the calculations. If you wish to get both the MD5 and SHA1 the -B option is implemented for this. If you want to add the three file times, the -A (for ALL times) is implemented for this. -AB option will provide 128 bit, 160 bit and 3 file times.

--older=YYYY-MM-DD[acw]:
--newer=YYYY-MM-DD[acw]:
Process only those files whose date is (g)reater (older) than or (l)ess than (newer) than this YYYY-MM-DD date. The date should be in the form YYYY-MM-DD. It MUST have two digit month and day (leading 0 if necessary), and it MUST have a 4 digit year. The date given as YYYY-MM-DD is included in the calculation.

-g + #
-g + 09-01-2023
-l + #
-l + 03-01-2022

Where the # is replaced by a number indicating: list all files ‘g’reater than # days old.
If you use the MM-DD-YYYY format, notice the required format, MM first, etc.
You can use a -gl pair to bracket file ages. [OLDER]=50, [NEWER]=10

Special note for the [acw] modifier part of the option.

If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.

You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'.    ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.

If you added more letters to the date, i.e.: -g 10-10-2005cw, you would get all files with EITHER a create or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd, so any date meeting the criteria will cause the file to be selected for processing.

The use of all three, -g 10-10-2005acw, allows the program to simultaneously check and evaluate all three dates.

Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.

-L + #:  Where the # is replaced by a number indicating, list all files less than # bytes in size. (hash -L 100000) [LESSTHAN=xxx]

-G + #:  Where the # is replaced by a number indicating, list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (hash -G 10000) (hash -G 10000 -L 100000) [GREATER]=10000
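The age and size selection rules above (days-old or a date cutoff with the boundary date included, the [acw] times OR'd against each other, the -g/-l and -G/-L brackets AND'd with one another) are shown here in an added Python example that is not Maresware code. The sample records, their paths, sizes and dates, the "today" value and the helper names (parse_age_arg, is_older, is_newer, select_files) are constructed for the example; it goes slightly beyond the text by accepting both the YYYY-MM-DD and MM-DD-YYYY date forms in one parser.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed "today" so the days-old arithmetic is reproducible.
TODAY = date(2023, 11, 11)


@dataclass
class FileRec:
    path: str
    size: int
    accessed: date
    created: date
    written: date


# Constructed sample catalogue (paths, sizes and dates are made up).
SAMPLE_FILES = [
    FileRec(r"C:\evidence\report.docx", 500, date(2023, 11, 10), date(2020, 1, 1), date(2023, 11, 1)),
    FileRec(r"C:\evidence\old_backup.zip", 5000, date(2021, 5, 5), date(2021, 5, 5), date(2021, 5, 5)),
    FileRec(r"C:\evidence\notes.txt", 50, TODAY, TODAY, TODAY),
]

_ARG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4}|\d+)([acw]*)$")


def parse_age_arg(arg, today=TODAY):
    """Parse the value given to -g/-l/--older/--newer: a number of days,
    YYYY-MM-DD or MM-DD-YYYY, optionally followed by [acw] naming the MAC
    times to test. Returns (cutoff_date, times_to_check)."""
    m = _ARG_RE.match(arg)
    if m is None:
        raise ValueError(f"bad age argument: {arg!r}")
    value, which = m.groups()
    if value.isdigit():
        cutoff = today - timedelta(days=int(value))
    elif value[4] == "-":                      # YYYY-MM-DD (preferred form)
        cutoff = date.fromisoformat(value)
    else:                                      # MM-DD-YYYY
        mm, dd, yyyy = value.split("-")
        cutoff = date(int(yyyy), int(mm), int(dd))
    return cutoff, which or "w"                # no modifier: last write time


def _selected_times(rec, which):
    names = {"a": "accessed", "c": "created", "w": "written"}
    return [getattr(rec, names[ch]) for ch in which]


def is_older(rec, arg, today=TODAY):
    """-g / --older: true if ANY selected time is on or before the cutoff."""
    cutoff, which = parse_age_arg(arg, today)
    return any(t <= cutoff for t in _selected_times(rec, which))


def is_newer(rec, arg, today=TODAY):
    """-l / --newer: true if ANY selected time is on or after the cutoff."""
    cutoff, which = parse_age_arg(arg, today)
    return any(t >= cutoff for t in _selected_times(rec, which))


def select_files(records, older=None, newer=None, bigger=None, smaller=None, today=TODAY):
    """Apply a -g/-l age bracket and a -G/-L size bracket together. Every
    criterion given must hold (brackets are AND'd); only the [acw] times are OR'd."""
    out = []
    for rec in records:
        if older is not None and not is_older(rec, older, today):
            continue
        if newer is not None and not is_newer(rec, newer, today):
            continue
        if bigger is not None and not rec.size > bigger:
            continue
        if smaller is not None and not rec.size < smaller:
            continue
        out.append(rec.path)
    return out


if __name__ == "__main__":
    print("-g 100        :", select_files(SAMPLE_FILES, older="100"))
    print("-g 100c       :", select_files(SAMPLE_FILES, older="100c"))
    print("-g 5 -l 50    :", select_files(SAMPLE_FILES, older="5", newer="50"))
    print("-G 100 -L 1000:", select_files(SAMPLE_FILES, bigger=100, smaller=1000))
```

Note how "-g 100c" pulls in report.docx although its write time is only ten days old: the create time alone is enough, which is the OR behaviour the caution above is about.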

-P     Pause after every 20 lines is default. Adjust number of lines using (=nn), (ie: -P=45). ini format:(hash -P ) PAUSE=[ON|OFF|nn]
--pause[=nn]:   Pause every 20 lines default, or adjust to nn lines for larger screens, --pause=65.

-d + “delimiter”:   replace “delimiter” with a delimiter (typically a pipe ‘|’) within double quotes with which to delimit fields. If the delimiter is not printable, use its decimal ASCII value, but don’t place it in quotes. (hash -o output.txt -d “|”) [DELIMETER=xx]

-w + #:  Change the default width of the filename field from 38 to whatever value you wish. If you have long filenames, this may be necessary to accommodate the entire name. If a filename longer than 38 characters is encountered, the output tends to run to more than one line. Usually -w 160 will suffice to get all but the most extreme long file names. (hash -w 150) [WIDTH=xx]

-M:  When doing the pre-scan (see -i option) of the drive to count the number of files, also calculate the (-M)aximum number of characters needed for the longest filename, and treat it as if the -w # option was used. This automatically sets the -w option to the correct value. The -M option only works when an output file (-o) is also called for; there is no reason to adjust the path length if printing to the screen.

-i:  Immediate; start processing the files 'i'mmediately. DO NOT take time to pre-scan (-M option) to find the longest filename for output. -i and -M are mutually exclusive.

MAC TIME SELECTIONS

-[Tt][AaCcWw3]     Show the file time as last ‘a’ccessed, last ‘w’ritten, ‘c’reated, or show all ‘3’. If the A, C or W is uppercase, then the milliseconds are added to the file time. No spaces between the -t and the modifier ( -tc or -TC or -t3 ). Default is the ‘w’rite time, which is identical to what DIR or Explorer displays. If the T is upper case, then the date MM/DD/YYYY is reversed to read YYYY/MM/DD. If the option -T3 is ended with a period (.), (-T3.), then the item is prefaced with a single quote ('), ('YYYY/MM/DD), '2013/01/01. This single quote keeps Excel from interpreting the item as a date and reversing it to MM/DD/YYYY. It eliminates the Excel import step of choosing this field as a text string.

.ini options
[TIME=[A|C|W|3]]
[ALLTIMES=[ON|OFF]] [ZULU=ON]

NOTE NOTE NOTE If the -t3 option is used by itself (without any hash option) then ONLY the times are shown. This is a quick default way of obtaining a listing of the files. No hashing is done, unless you include one of the calculation options, like -B -A -256 etc. Test test test.

Some of the options (-s, -A, -B, -256, -384, -512) may conflict in logic with the -t3 and -t0 options. If -t3 is used, the default is to NOT perform any hashing. Use this to perform a simple catalog without changing file access dates. To obtain all three times and an MD5 hash, you should use the -A option, which will ALWAYS override the -t3 and insert the MD5. To add an SHA1, include the -B (both MD5 and SHA1). The inclusion of -B elicits only a single time, even if -t3 is used. To get three times when using -B, you must also use -A, which adds the times. The logic here is somewhat convoluted, but the matrix is hard to design. The user should test the options.

[TIME=[A|C|W|3]], [ALLTIMES=[ON|OFF]]

-Z:  Display time in ‘Z’ULU UTC/GMT format. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. See note below on time zones: (hash -z) [ZULU=[ON|OFF]],

--ZULU=OFF:   If ini ZULU=ON is set this option turns it off.

-m:  Show file last write (-modified) date. Same as -tw option. (-m) [MILITARY]=[ON|OFF]

-N:  Provide in the output only the path/filename and the calculation. No dates, times or file sizes are included.

-n:  Strip the path from the filename, and list only the filename itself. NO HASHING is done. A quick and dirty way of only listing filenames. DOES NOT include ADS filenames.

-8:  Add the DOS 8.3 filename to the end of the record.

-88:  Add the uppercase Long File Name to the end of the record. This option strips the LFN from the path listing of the first field, and places only the LFN at the end of the record. The default length is a 75 character field. (Note: the -8 and -88 options are mutually exclusive. Use one or the other).

-88xx[eE]:  Replace the xx with a value. This value determines how wide the Long File Name field will be. The default LFN length for hash is 25 characters.

Use of the upper case 'E' causes the filename field to contain only the filename up to and NOT including the dot extension. This is to be compatible with some of the extracts from FTK and X-Ways when the filename field is extracted (i.e. MYFILE.DOT is listed as MYFILE). The 6 character extension field is still included.

Use of the lower case 'e' causes the filename field to contain the full filename, which includes the extension. This is to be compatible with some of the extracts from FTK and X-Ways when the filename field is extracted (i.e. MYFILE.DOT is listed as MYFILE.DOT). The 6 character extension field is still included.

-R:  Reset file last access time. (hash -R), better to set the .ini RESET=ON so that you don't inadvertently alter the last access date.

-v:
--NOHEADER:   NO VERBOSE. Do not print the normal column headings above the numbers. This provides cleaner screen output for redirection to a file. This can also be accomplished by setting an environment variable called SILENT to ON (set SILENT=ON). The SILENT environment variable is used by crckit also. The output at this point is ready for import into a database. [SILENT=[ON|OFF]]

-D xx: This is the standard default form of the -D option. It starts processing the file xx bytes from the beginning; the xx offset is counted from 1. It then processes the rest of the file. If you need to process only a portion of the file, use the modified version of the -D option below.

-D xx[,XX]: supersedes the basic -D option. This option takes a lot of practice.
Use this option to process only a part of a file. It will start processing the file at byte xx of the file, and process XX bytes from there.
The xx value counts from byte 1: -D 1,xx (xx = process this many bytes).
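The 1-based offset is the detail that bites when comparing a -D result with a hash computed elsewhere, so here is an added Python example (not Maresware code) showing what "start at byte xx, take XX bytes" selects; the function names hash_range and hash_file_range and the sample bytes are constructed for the example. The streaming version exists because hashing a slice of a multi-gigabyte image should not require reading it into memory.

```python
import hashlib
import os
import tempfile


def hash_range(data, start=1, length=None, algorithm="md5"):
    """Hash `data` the way -D xx[,XX] selects it: begin at 1-based byte offset
    `start` and take at most `length` bytes (None = through the end of data)."""
    if start < 1:
        raise ValueError("the -D offset counts from byte 1")
    begin = start - 1                         # convert to Python's 0-based slice
    chunk = data[begin:] if length is None else data[begin:begin + length]
    return hashlib.new(algorithm, chunk).hexdigest().upper()


def hash_file_range(path, start=1, length=None, algorithm="md5", bufsize=1 << 20):
    """Streaming version of hash_range for files too large to read whole."""
    if start < 1:
        raise ValueError("the -D offset counts from byte 1")
    h = hashlib.new(algorithm)
    remaining = length
    with open(path, "rb") as f:
        f.seek(start - 1)
        while remaining is None or remaining > 0:
            buf = f.read(bufsize if remaining is None else min(bufsize, remaining))
            if not buf:                       # -D past end of file: hash of nothing
                break
            h.update(buf)
            if remaining is not None:
                remaining -= len(buf)
    return h.hexdigest().upper()


def file_and_memory_agree(data=b"xabcy", start=2, length=3):
    """Self-check: write constructed bytes to a temp file and confirm both
    implementations give the same digest for the same -D selection."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return hash_file_range(path, start, length) == hash_range(data, start, length)
    finally:
        os.remove(path)


if __name__ == "__main__":
    sample = b"xabcy"                         # constructed 5-byte input
    print("-D 2,3 over b'xabcy' ->", hash_range(sample, 2, 3))   # MD5 of b"abc"
    print("-D 2   over b'xabcy' ->", hash_range(sample, 2))      # MD5 of b"abcy"
    print("file and memory agree:", file_and_memory_agree())
```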

--source=listfilename:  Provide a list of files to hash in the file identified by the name: listfilename. One filename per line. The filename must contain the complete path of the file to hash. The program reads the text file one line at a time and processes that file. There should be a blank line at the end to indicate no more files to process.

--NAMEAFTER:  The --NAMEAFTER option, moves the fullpath name of the file from the first field, to the last field. Thus allowing for a pseudo variable length record. If the -V option is also used, then a true variable length record is achieved.

--MATCH:  The --MATCH option to match hashes against a reference file is not implemented in this program. However, it is implemented in the MD5 version. See the options section.


The following options relating to Alternate Data Stream processes are only available to process files residing on NTFS file systems. If you need an explanation why, you probably shouldn't be reading this.


WARNING WARNING WARNING Will Robinson

Be aware that if you use the --ADDADS option to create, and then use the --ADS_COMP option to verify, the current hash, there may be a glitch in your process if:
After you create the initial alternate data stream, you or someone else uses a program (maybe an editor or viewer) which creates a temporary copy and, when closing, renames the temporary copy to the original name. This probably only occurs if the program actually edited or changed the content of the file you are examining. If you think about what just happened, you created a new file (without the ADS signature) and then renamed it to the original. Thus, this newly renamed file will NOT have that original (or any other) alternate data stream that was attached to the original filename.

In my limited testing so far, this has only happened with one editor. But be aware of the possibility.


--ADDADS[=P]:  (6/1/2019) The --ADDADS option adds an alternate data stream (with a fixed name of :ads_hash.txt) to whichever file is being hashed. The contents of the added data stream are listed below (on separate lines). If the --zulu option is added, then the MAC times in the ADS are converted and identified appropriately. Each time the --ADDADS option is used, the alternate data stream is appended to, so hashes and dates/times can be seen in the timeline. See below, two runs of the same file.

The comment of the -C option (if -C used)
the original filename, 
filesize,
hash value, 
the three MAC dates/times. 
Actual added ADS contents after performing the option twice; the second time the --zulu option was added, so the MAC times are converted to GMT.
C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER:  DMLAPTOP
Current Time|2019-08-30|19:25:03|GMT|
NAME:      D:\WORK\UNICODE\HASH_U\Release\hash.htm
Size:      60383
HASH:      8E7556E01E893408B9DCB0F14FEFBEDB
Modified:  2019/08/11 15:14:57
Accessed:  2019/08/30 15:10:37
Created:   2019/08/11 06:56:42
-----------
C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER:  DMLAPTOP
Current Time|2020-01-26|21:27:22|GMT|
NAME:      D:\WORK\UNICODE\HASH_U\Release\hash.htm
Size:      60383
HASH:      8E7556E01E893408B9DCB0F14FEFBEDB
SHA512:    46806FC6C6B11319C67808A886AE82FD... shortened here for display
Modified:  2019/08/11 19:14:57  GMT
Accessed:  2019/09/18 19:59:54  GMT
Created:   2019/08/11 10:56:42  GMT
-----------

This option automatically installs the -R (date Reset) option, and will reset all three filetimes of the original file as best as possible. If the =P is added to the option
(--ADDADS=P), then the contents of the ADS file are pipe delimited, with an M, A, or C appended to the appropriate time value. See below.
Y:\TMP\junk\hash.exe|208584|FCD5C782BF703A2718BB51375888A16F|2011/02/10M|12:34:33M|2011/02/04A|06:37:42A|2011/02/04C|06:37:42C

--ADS_COMP:    This option is used after a run has been made using the --ADDADS option, which creates an Alternate Data Stream file filename:ads_hash.txt containing information about the parent file. The ads_hash.txt file contains, among other things, the MD5 HASH of the original file. At a later time, to verify that the original file was not altered, run the program and add this --ADS_COMP option. This will hash the parent file, and read the ads_hash.txt alternate data stream file associated with the parent. It will find the MD5 HASH line in the file and see if the original MD5 and the current MD5 are identical. It will show its output on the screen or place the result in the output file (if -O is used). Command line: hash -f parent.xxx --ADS_COMP
Because this option is designed to check and validate the ADS's added which contain original MD5 and SHA values, it is strongly suggested that you also use the --ADSONLY option. This way, those files WITHOUT the appropriate hash ADS will not be processed and thus not be included as superfluous files.
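As an added illustration (not code from hash.exe or Maresware), the check that --ADS_COMP performs, written in Python: it parses an ads_hash.txt record in either layout shown above (the multi-line HASH: form and the --ADDADS=P pipe form), keeps the last record because --ADDADS appends on every run, and compares the recorded MD5 with a freshly computed one. The sample records are constructed from the page's own examples; verify_file() assumes only that the stream is reachable as path:ads_hash.txt on NTFS.

```python
import hashlib
import re

# Stream name that --ADDADS attaches to the hashed file (from the page).
ADS_NAME = "ads_hash.txt"

# Constructed samples modelled on the two record layouts shown on the page.
SAMPLE_ADS = """C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER:  DMLAPTOP
Current Time|2020-01-26|21:27:22|GMT|
NAME:      D:\\WORK\\UNICODE\\HASH_U\\Release\\hash.htm
Size:      60383
HASH:      8E7556E01E893408B9DCB0F14FEFBEDB
-----------
"""
SAMPLE_ADS_P = (r"Y:\TMP\junk\hash.exe|208584|FCD5C782BF703A2718BB51375888A16F"
                r"|2011/02/10M|12:34:33M|2011/02/04A|06:37:42A|2011/02/04C|06:37:42C")

def parse_ads_record(text):
    """Return the MD5 recorded in an ads_hash.txt stream (last record wins), or None."""
    found = None
    for line in text.splitlines():
        m = re.match(r"^HASH:\s*([0-9A-Fa-f]{32})\s*$", line)
        if m:                       # multi-line layout
            found = m.group(1).upper()
            continue
        fields = line.split("|")    # --ADDADS=P layout: path|size|md5|dates...
        if len(fields) >= 3 and re.fullmatch(r"[0-9A-Fa-f]{32}", fields[2]):
            found = fields[2].upper()
    return found

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest().upper()

def ads_matches(ads_text, file_bytes):
    """Emulate --ADS_COMP: True/False on a hash comparison, None if no hash ADS.

    None is the case --ADSONLY is meant to filter out before it is reported."""
    recorded = parse_ads_record(ads_text)
    if recorded is None:
        return None
    return recorded == md5_of_bytes(file_bytes)

def verify_file(path):
    """Read the real parent file and its ADS on NTFS; None if either is unreadable."""
    try:
        with open(path + ":" + ADS_NAME, encoding="utf-8", errors="replace") as f:
            ads_text = f.read()
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    return ads_matches(ads_text, data)
```

Note that a file replaced by the save-and-rename pattern described in the warning above carries no stream at all, so it surfaces here as None rather than as a mismatch.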

--ADSONLY:  (6/1/2019) The --ADSONLY option is used to show and hash ONLY those files which contain an Alternate Data Stream. This option is also available in the diskcat.exe program.
Use it with caution when adding it along with the --ADDADS option, as the two may conflict with each other and should be considered mutually exclusive.


Time Zones

If you are using the 32 bit version in a DOS box, the time zone is properly displayed at the end of the record.

C:\WORK\PUBLISH\HASH.DOC 
 AC38FF51EAAF04739B0F7FCCB7001762        4697  03/31/1995  12:12:28w EST

This is provided your OS has been properly set up to the correct time zone. This is accomplished in the control panel under the date/time icon.

However, if you are using the 16 bit version either from a DOS boot, or in a DOS box, you must set a TZ environment variable to tell the program the proper time zone. Otherwise it will always respond with a time zone of PST. To set the TZ variable use something like:

SET TZ=EST4EDT

Or whatever time zone is applicable. If you don't know what an environment variable is, or don't know how to set it, you will have to do your own research.


COMMAND LINES

c:>hash c:\ -o a:c_drive
Do hash of files for entire C: drive.

c:>hash c:\work
Do all files in path C:\work with recursion.

c:>hash c:\work -r -S
Do the C:\work path without recursion (-r) and DO NOT process Alternate Data Streams (-S); by default (without -S) ADSs are hashed.

c:>hash c:\work\*.c
Do the C:\work path for all *.c files (add -r for no recursion).

c:>hash c:\work -n
do C:\work printing only filename. Similar to a simple name listing of files. DOES NOT INCLUDE ANY PATHS.

c:>hash c:\work -t0
do C:\work and include hash and size, no dates included.

c:>hash c:\work -w 30
do C:\work limit printing of filename/path to 30 characters.

c:>hash *.c -c
add the CRC32 to the output including the MD5 of all *.c files

c:>hash -p . -f *.* -v -o outputfile -w 300 -1 logfilename -AT3 -d "|" --milli --GMT
This is the most verbose of all the commands

-p .    start at current location 
-f *.*  hash all the files
-v      do NOT place headers/footers in output. this makes it clean for next process
-o      outputfile   name of the output file
-w  300 make the output path length a fixed 300 characters. usually large enough for most trees.
-1  logfilename    the name of the file containing the log/accounting info.
-AT3    create the hash value, and include all three file times in YYYY/MM/DD order.
--milli add milliseconds to any time value
--GMT   show time in GMT time.
-d  "|" make the output pipe delimited for future processing.


By default the HASH program produces an excellent fixed length output record of the entire file listing (catalog) of a disk drive. This is useful for cataloging files on drives. Delimiters can be inserted (-d option) between the fields of the output record so importation into wannabe data bases can be achieved.

Hash can calculate the hash value for a single file, for files in an entire directory, files in an entire path, or files on an entire logical drive, or drives. Specific file types can be excluded from the calculation with the -X filetypes.* ...  option.

The calculation of hash values of files has a number of different uses.

The hash of a file can be used as a verification of the state of a file at a certain time. Identical hash values mean the files are identical. Different hash values mean the files have differences. These similarities or differences have uses in forensic verification, virus detection, file authenticity and others. Some people use a hash library to see if a file is the same as its original shrink-wrapped version.


UNC capable: sample command line and output

C:>hash -p \\OFFICE\Z\work\unicode\base -f b*.c 

\\OFFICE\Z\work\unicode\base\OLD_C\BASE.C       312F6A19E9D24B13FFAF029597F0F817     57857 03/14/2018 14:17:13:154w EST  A......
\\OFFICE\Z\work\unicode\base\OLD_C\Base2.c      FE8D6A886343BEACED0E5A901E191F08     58543 03/14/2018 14:17:13:154w EST  A......
\\OFFICE\Z\work\unicode\base\OLD_C\Base_u.c     A81DAC449095D2EF030EEC483936858C     77439 04/28/2019 16:28:41:281w EST  A......

RELATED PROGRAMS

CRCKIT Performs CRC 32 bit calculations.

DISKCAT Creates accurate catalog of files.

DISK_CRC Outdated: create crc of physical disk.

HASHCMP Compares values in two different hash runs.

MD5 Alternate output format of MD5 values.


hash_test.zip   contains a batch file that demonstrates a number of ways to perform hash matches using a number of Maresware programs including: hashcmp, compare, disksort, total. They are all included in this zip file.


SHA2 Copyright:

The SHA2 code implemented in this program was modified from code written by:

AUTHOR: Aaron D. Gifford <me@aarongifford.com>
Copyright (c) 2000-2001, Aaron D. Gifford All rights reserved.
Redistribution and use in source and binary forms, with or without modification are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


SHA_Validation

I can also assist in developing the testing scripts which will help you validate your processes. We may even be able to point you to other locations which have already implemented successful processes.


Various pages for NIST, CSRC and FIPS 140-2

The page listing cryptographic module certifications. (we will soon be there)
NIST Cryptographic Module Validation Program
FIPS pubs page
