NAME
md5deep - Compute and compare MD5 message digests
sha1deep - Compute and compare SHA-1 message digests
sha256deep - Compute and compare SHA-256 message digests
tigerdeep - Compute and compare Tiger message digests
whirlpooldeep - Compute and compare Whirlpool message digests
SYNOPSIS
md5deep -v | -V | -h
md5deep [-m|-M|-x|-X <file>] [-a|-A <hash>] [-p <size>] [-i <size>]
[-tnwzresS0lbkq] [-o <fbcplsd>] [FILES]
DESCRIPTION
Computes the hashes, or message digest, for any number of files while
optionally recursively digging through the directory structure. Can
also take a list of known hashes and display the filenames of input
files whose hashes either do or do not match any of the known hashes.
Errors are reported to standard error. If no FILES are specified, reads
from standard input.
-p <size>
Piecewise mode. Breaks files into chunks before hashing. Chunks
may be specified using multiplers b, k, m, g, t, p, or e.
(Never let it be said that the author didn’t plan ahead!) This
mode cannot be used with the -z mode.
-i|-I <size>
Size threshold mode. Only hash files smaller than the given the
threshold. In -i mode, simply omits those files larger than the
threshold. In -I mode, displays all files, but uses asterisks
for the hashes of files larger than the threshold. Sizes may be
specified using multiplers b, k, m, g, t, p, or e.
-r Enables recursive mode. All subdirectories are traversed. Please
note that recursive mode cannot be used to examine all files of
a given file extension. For example, calling md5deep -r *.txt
will examine all files in directories that end in .txt.
-e Displays a progress indicator and estimate of time remaining for
each file being processed. Time estimates for files larger than
4GB are not available on Windows. This mode may not be used with
th -p mode.
-m <file>
Enables matching mode. The file given should be a list of known
hashes. The input files are examined one at a time, and only
those files that match the list of known hashes are output. This
flag may be used more than once to add multiple sets of known
hashes. Acceptable formats for lists of known hashes are plain
(such as those generated by md5deep or md5sum), Hashkeeper
files, iLook, and the National Software Reference Library (NSRL)
as produced by the National Institute for Standards in
Technology.
If standard input is used with the -m flag, displays "stdin" if
the input matches one of the hashes in the list of known hashes.
If the hash does not match, the program displays no output.
This flag may not be used in conjunction with the -x, -X, or -A
flags. See the section "UNICODE SUPPORT" below.
-x <file>
Same as the -m flag above, but does negative matching. That is,
only those files NOT in the list of known hashes are displayed.
This flag may not be used in conjunction with the -m, -M, or -a
flags. See the section "UNICODE SUPPORT" below.
-M and -X <file>
Same as -m and -x above, but displays the hash for each file
that does (or does not) match the list of known hashes.
-a <hash>
Adds a single hash to the list of known hashes used for matching
mode, and if not already enabled, enables matching mode. Adding
single hashes cannot, by itself, be used to print the hashes of
matching files like the -M flag does. When used in conjunction
with the -w flag, the filename displayed is just the hash
submitted on the command line.
This flag may not be used in conjunction with the -x, -X, or -A
flags.
-A <hash>
Same as -a above, but does negative matching. This flag may not
be used in conjunction with the -m, -M, or -A flags.
-w During any of the matching modes (-m,-M,-x,or -X), displays the
filename of the known hash that matched the input file. See the
section "UNICODE SUPPORT" below.
-t Display a timestamp in GMT with each result. On Windows this
timestamp will be the file’s creation time. On all other systems
it should be the file’s change time.
-n During any of the matching modes (-m,-M,-x,or -X), displays only
the filenames of any known hashes that were not matched by any
of the input files.
-s Enables silent mode. All error messages are supressed.
-S Like silent mode, but still displays warnings on improperly
formatted hashes in the list of known hashes.
-z Enables file size mode. Prepends the hash with a ten digit
representation of the size of each file processed. If the file
size is greater than 9999999999 bytes (about 9.3GB) the program
displays 9999999999 for the size.
-q Quiet mode. File names are omitted from the output.
-0 Uses a NULL character (/0) to terminate each line instead of a
newline. Useful for processing filenames with strange
characters.
-l Enables relative file paths. Instead of printing the absolute
path for each file, displays the relative file path as indicated
on the command line. This flag may not be used in conjunction
with the -b flag.
-b Enables bare mode. Strips any leading directory information from
displayed filenames. This flag may not be used in conjunction
with the -l flag.
-k Enables asterisk mode. An asterisk is inserted in lieu of a
second space between the filename and the hash, just like md5sum
in its binary (-b) mode.
-c Enables comma separated values output, or CSV mode. This mode
has the side effect of removing the 10 digit size limitation
from -z mode. Also note that asterisks from -k mode are not
displayed when in CSV mode.
-o <bcpflsd>
Enables expert mode. Allows the user specify which (and only
which) types of files are processed. Directory processing is
still controlled with the -r flag. The expert mode options
allowed are:
f - Regular files
b - Block Devices
c - Character Devices
p - Named Pipes
l - Symbolic Links
s - Sockets
d - Solaris Doors
-h Show a help screen and exit.
-v Show the version number and exit.
-V Show copyright information and exit.
UNICODE SUPPORT
As of version 2.0 the program supports Unicode characters in filenames
on Microsoft Windows systems. Due to limitations in Windows, however,
each Unicode character is represented as a question mark (?) in the
output. Note that Unicode characters are not supported in the files
containing known hashes. You can specify a file of known hashes that
has Unicode characters in its name by using tab completition or an
asterisk (e.g. md5deep -m *.txt where there is only one file with a
.txt extension).
RETURN VALUE
Returns a bit-wise value based on the success of the operation and the
status of any matching operations.
0 Success. Note that the program considers itself successful even
when it encounters read errors, permission denied errors, or
finds directories when not in recursive mode.
1 Unused hashes. Under any of the matching modes, returns this
value if one or more of the known hashes was not matched by any
of the input files.
2 Unmatched inputs. Under any of the matching modes, returns this
value if one or more of the input values did not match any of
the known hashes.
64 User error, such as trying to do both positive and negative
matching at the same time.
128 Internal error, such as memory corruption or uncaught cycle.
All internal errors should be reported to the developer! See the
section "Reporting Bugs" below.
AUTHOR
md5deep was written by Jesse Kornblum, md5deep [at] jessekornblum [dot]
com.
KNOWN ISSUES
Using the -r flag cannot be used to recursively process all files of a
given extension in a directory. This is a feature, not a bug. If you
need to do this, use the find(1) command.
REPORTING BUGS
We take all bug reports very seriously. Any bug that jeopardizes the
forensic integrity of this program could have serious consequenses on
people’s lives. When submitting a bug report, please include a
description of the problem, how you found it, and your contact
information.
Send bug reports to: md5deep [at] jessekornblum [dot] com
COPYRIGHT
This program is a work of the US Government. In accordance with 17 USC
105, copyright protection is not available for any work of the US
Government. This program is PUBLIC DOMAIN. Portions of this program
contain code that is licensed under the terms of the General Public
License (GPL). Those portions retain their original copyright and
license. See the file COPYING for more details.
There is NO warranty for this program; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
More information and installation instructions can be found in the
README file. Current versions of both documents can be found on the
project homepage: http://md5deep.sourceforge.net/
The MD5 specification, RFC 1321, is available at
http://www.ietf.org/rfc/rfc1321.txt
The SHA-1 specification, RFC 3174, is available at
http://www.faqs.org/rfcs/rfc31.html
The SHA-256 specification, FIPS 180-2, is available at
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
The Tiger specification is available at
http://www.cs.technion.ac.il/~biham/Reports/Tiger/
The Whirlpool specification is available at
http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html