One liner: Calculate hash/sha values of files for evidence integrity and discovery needs.
Since the program is constantly being recompiled and adjusted (that's my term for fixed), if you wish to confirm your version's md5 and version number please don't hesitate to contact me at: dm at dmares dot com for the current version and md5 value.
Food For thought
1. Initial Evidence HASH Catalog: Who doesn't hash initial evidence?? Use hash to create an initial hash listing of the files on your suspect system.
2. HASH the Work Directory: When performing your examination, create routine hashes of your work files for retention and validation.
3. Discovery HASH List: Create a usable (and spreadsheet compatible) listing of all the hash values you are supplying for discovery purposes.
4. HASH stored evidence: Hash the evidence you place in long term (or short term) storage, to ascertain that no alterations occurred during shelf life.
5. Hidden ADS HASH: This is so much of an evidentiary item, I'll let you research it.
GET hash.exe THIS IS A COMMAND LINE PROGRAM
GET hash64.exe THIS IS A COMMAND LINE PROGRAM
HASH64 NOTE:
The version of hash64 which has been recompiled and adjusted to be able to handle 64bit "stuff" is basically a beta version. This means that all the options shown here may not be available in the 64bit version. It is up to you to test and confirm that the 64bit version does what you need.
That being said, during the recompile, some "enhancements" were made to some of the options and the output formats. So I would advise you to test and confirm the option operation before putting the 64bit version to work.
Table of Contents:
PURPOSE Why this program was written.
OPERATION How this program operates.
VERSIONS Minimal description of some version updates.
64bit version stuff
ITS ABOUT TIME Talk about the three MAC times
OPTIONS Options available to use. Learn them well.
COMMAND LINES Suggested command lines with options.
RELATED PROGRAMS Programs similar, and used together for better forensics
Processing Stats Some old sample processing stats.
Virus aficionados read this:
Some (actually only one mainline) virus programs incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this mis-identification is common.
Sample Maresware Batches an executable with data that demonstrates various Maresware software. Download and run the appropriate _03_xx batch for hash demo.
Before going any further, please review this ARTICLE on testing and validating the completeness of your hash program.
If you are using the 64bit version, be aware that many of the newer more fine tuned options may not be available.
NOTE: These (hash, diskcat, and upcopy) command line programs WILL process files with long filenames ( > 255 characters), which are seen more and more in modern file systems. If you are using other hashing software, you should test its capability to process long filenames. (I have found a significant number of popular stand alone hashing programs have not been updated sufficiently to handle long filenames.) I have tested a number of command line and GUI hashing and forensic copy programs. Some cannot process long filenames at all. Others can only find and process a single file at a time. Not very useful in forensics. And others may be able to find a file through the GUI, but can't do a recursion. So I urge anyone who is planning on using a hashing program on a current filesystem to check the capability of the program on the filesystem you intend to use it on. I have created a .rar file which contains a number of test files and a batch file to test some of the capabilities. This rar file is linked via the diskcat help file.
Hash will display a message at the end of the run which indicates whether the last access date update of the OS is either turned on or off. If the program is one which would normally open and process a file, the -R option (in most cases) will attempt to reset the last access date/time to its original after the file has been processed. The ini file line: RESET=ON may also be used to tell the program to attempt a time reset. Again, most programs tested DO NOT reset last access date after opening and processing a file. This could be problematic when testifying as to why your "forensic" software altered evidentiary dates.
Versions updated (August 8, 2019) have the option --ADS_COMP added. See the options section for explanation of the ADS* options.
Versions after March 2019 have an option --UNICODE=filename, which will create an output log file that contains the unicode (16-bit) filename of the file processed. If you are looking at files which contain unicode filename characters, consider adding this option.
Update (May 10, 2013): When the --ADDADS is used, added the capability thru the -C comment option to have the comment added to the output data.
Update (July 8, 2011): Modified and enhanced some of the output file formats to make them more compatible with a true fixed length record output. Previously some of the alternate data stream lines were not properly padded, and needed some pre-processing to make the records a true fixed length. Now with the use of the -v options, all records are fixed length.
During June 2020 (when DST is in effect) I was playing with file dates that referenced January 01, 2020 and June 01, 2020. Obviously these two dates were in different GMT offset time settings: one was Eastern 4 hours off GMT, the other 5 hours. One was Daylight Saving Time, and the other was Standard time. A command prompt DIR on the January 01, 2020 file showed a time of 08:34:
01/01/2020 08:34 AM 0 ZERO_BYTE.TXT
Notice the time referenced 08:34 AM. However, when I looked at the time using Windows Explorer the time was displayed as 07:34 AM. An hour difference. Mr Watson, something was amiss. I realized that because I was operating during June, which has a different GMT offset than January (4 as opposed to 5 in January), the DIR command wasn't properly compensating for the 1 hour difference between DST and Standard times. The then-current (older) version of hash was not adjusting for the time difference either, just as DIR wasn't. So I made a modification (fixed the operational challenge) in HASH to properly adjust for the one hour GMT offset difference. Now (as of 6-6-2020) the version of HASH properly displays the local times. If you use the --GMT or --zulu options, the GMT time has always been displayed properly. And as a seasoned forensicator (that's you, I think), you should probably always use GMT times, for consistency.
The 64 bit version is almost identical to the 32 bit version. The 32 bit version should be able to process files in a 64 bit environment and the user should test both versions before any actual production use.
The only differences are that the 64 bit version has been recompiled and may run a little faster. Also, some of the options have slight modifications and the user should test each to see that it produces the correct output desired.
For instance, when creating an output file in the 64 bit version, headers and footers are defaulted in the output file. For those wishing to use the output in a process where it will be used as input to the next step, often these headers and footers must be removed to obtain "clean" data in the output file. The 64 bit version has had its output format options adjusted so that if an output log/accounting file (-1 filename) is created, then all headers and footers are eliminated from the output data file. This makes it easier to use that file in the next step of a batch or other process. Other option modifications have been made, such as the inclusion of seconds in the output record when the --milli option is chosen.
Also, some options in the 64bit version have been converted/ported to be environment capable, such as setting an environment variable for the recursion: SET RECURSE=ON. However, this same variable may have a different setting for each program, so be aware of its setting for the particular program.
So to summarize this segment. Check and test the options chosen to see which version 32 or 64 bit you wish to use.
The program HASH.exe is designed to calculate the 128 bit MD5 hash of a file using the MD5 Message-Digest Algorithm from RSA Data Security, Inc. Depending on the options chosen, the user can bypass the hashing calculation, thus providing a default catalog of every file on the disk, or it can also calculate the 32 bit CRC (CCITT) or any of the SHA (Secure Hash Algorithm) algorithms. (160, 256, 384 and 512 bit calculations.)
When running this program, and your registry key is set to allow last access date update please consider using the -R option, or RESET=ON (.ini file) for reset date so that you don't corrupt or alter the file last access date.
A sister program called HASH_LINES is designed to provide an MD5 and SHA1 of individual lines of a text file. This is a simple command line program which only takes one item: the filename of the text file containing the lines of text to hash. The output is pipe delimited to the screen, and it can be redirected for import to Excel or another program.
MD5:
Searching any one of these, and many related sites, will give insight into the implementation and reliability of the MD5 algorithm.
http://andrew2.andrew.cmu.edu/rfc/rfc1321.html
http://www.columbia.edu/~ariel/ssleay/rfc1321.html
http://www.kashpureff.org/nic/rfcs/2200/rfc2202.txt.html
http://www.cs.auckland.ac.nz/~pgut001/cryptlib
These link(s) are excellent research pages, and included just for informational purposes.
SHA-1:
The NIST recognized SHA-1 and SHA-2 (256, 384, 512) Secure Hash Algorithms have also been implemented. Use of the (-s, -256, -384, -512 or -B) option will produce various SHA calculations instead of the MD5. The SHA calculation is the only secure hash algorithm currently recognized by NIST. However, SHA-1 is "breakable", and I say that with a grain of salt.
Important
A NIST site which talks about SHA1 collisions.
Research site which has actually caused a SHA1 collision. However it says it took 9,223,372,036,854,775,808 computations. That's a little more computing power than most have available. So personally, I think unless someone has a super computer, the SHA1 collision problem is probably safe for now.
One of the unique things about this hash program is that when run on an NTFS file system it has the capability of creating Alternate Data Streams that contain, among other information, the current hash value of a file (--ADDADS option).
You may ask, why use this option, or what would I need it for?
The best answer is, to create a checkpoint at a point in time of the hash of a file. This file could be an executable you use in day to day process, or it could be an evidence file.
Then at a later date you could ask the hash program to confirm that the current hash of the file is the same as it was on day one. If the hash is different, then you know that the file has changed in some way. This change may or may not be warranted or important. Maybe a virus has infected your executable, or some other unforeseen occurrence has altered your evidence data. Either way, wouldn't it be nice to know that the file's contents have changed?
Performing hash check/validation on large numbers of files is relatively easy but can be time consuming. And everyone has that capability. However, this hash program with the --ADDADS option can check an original hash against the current hash for this file only, thus saving a lot of time.
This validation requires another option to be initiated, and I'll leave it up to you to figure out which one. After all, I can't give you all the answers.
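The checkpoint idea described above, as an added example (this is not Maresware's --ADDADS implementation and the stream name, file layout and function names are this example's own choices): the file's digest is written into an NTFS alternate data stream named "<file>:hashcheck" when running on Windows, and, purely so the example runs elsewhere, into a sidecar file "<file>.hashcheck" on other platforms. A later verify run recomputes the digest and reports match, changed, or no checkpoint present.

```python
import hashlib
import os
import tempfile

# Added example, not Maresware code. STREAM is an assumed, example-only stream name.
STREAM = "hashcheck"


def checkpoint_location(path):
    """Where the checkpoint lives: an NTFS alternate data stream on Windows,
    a sidecar file elsewhere (fallback so the example runs off NTFS)."""
    if os.name == "nt":
        return f"{path}:{STREAM}"      # "file.exe:hashcheck" -> alternate data stream
    return f"{path}.{STREAM}"          # "file.exe.hashcheck" -> sidecar file


def file_digest(path, algorithm="sha256"):
    """Stream the file through the chosen digest so large files are not read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def add_checkpoint(path, algorithm="sha256", comment=""):
    """Record algorithm|digest|comment (the comment mirrors HASH's -C idea)."""
    digest = file_digest(path, algorithm)
    with open(checkpoint_location(path), "w", encoding="utf-8") as s:
        s.write(f"{algorithm}|{digest}|{comment}\n")
    return digest


def verify_checkpoint(path):
    """Return (status, stored_digest, current_digest).
    status is 'match', 'changed', or 'none' when no checkpoint exists."""
    try:
        with open(checkpoint_location(path), encoding="utf-8") as s:
            algorithm, stored, _comment = s.readline().rstrip("\n").split("|", 2)
    except FileNotFoundError:
        return "none", None, None
    current = file_digest(path, algorithm)
    return ("match" if current == stored else "changed"), stored, current


def demo():
    """Constructed scenario: checkpoint a file on 'day one', then alter it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tool.exe")
        with open(p, "wb") as f:
            f.write(b"constructed executable bytes")   # constructed sample content
        before = verify_checkpoint(p)[0]               # no checkpoint yet -> 'none'
        add_checkpoint(p, comment="day one")
        ok = verify_checkpoint(p)[0]                   # unchanged -> 'match'
        with open(p, "ab") as f:
            f.write(b"\x90")                           # one byte appended
        after = verify_checkpoint(p)[0]                # -> 'changed'
        return before, ok, after


if __name__ == "__main__":
    print(demo())
```

Because the stored digest travels with the file (in the stream, on NTFS), a single file can be re-verified without consulting a full catalog, which is the time saving the paragraph above describes.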
The SHA_V version has been validated by accredited labs to passing FIPS 180-3 standards for the SHA1 (160 bit) algorithm.
More information in the SHA algorithm and certification can be found at: http://csrc.ncsl.nist.gov/cryptval and http://csrc.nist.gov/cryptval/140-1/1401labs.htm
SHA-2:
Hash also currently supports NIST SHA2 versions of the Secure Hash Algorithm. There are three versions of the SHA2: 256, 384 and 512 bit versions. These options are appropriately implemented as: -256, -384, and -512. When using these options, the -s option may also be used, to get a full range of SHA values. A little bit of overkill.
Some comparable hashing programs.
md5deep written by Jesse Kornblum can be found at: http://md5deep.sourceforge.net
fsum is from slavasoft.com at:
http://www.slavasoft.com/fsum/overview.htm
hash and sha_verify can be found here at maresware.com.
If I have the authorship incorrect on any of these programs, please let me know.
The output record is normally (unless modified by the user) a 160 character record. I am telling you this because I can't tell you how many users run an output file, then open it with an editor and call and say, I get no MD5 value. My suggestion is look to the right of the screen. Here is a sample output (wrapped at 80 characters) for your information. The bolded item is actually one output line of 160 characters.
Notable Note: If you use the -z (for zulu) option on the command line, the file time is displayed in GMT time. So in this case, since we are at -4 GMT, the time would show 10:06w GMT instead of 06:06w EST.
**************************************************************
Program started Wed Apr 12 13:52:19 2000 GMT, 09:52 Eastern Standard Time (-4)
c:\utils\ntutils\HASH.EXE wsplit.hpj -o \tmp\junk
-------- BEGIN PROCESSING MD5 -----------
D:\TEMP\helpstuf\WSPLIT.HPJ 2DA1B0C315D7D92B42DD3F13B82D5704 173 04/09/1996 06:06w EST
-------- END PROCESSING MD5 -----------
Processed 0 directories, 1 files, 173 bytes:
Elapsed: 0 hrs. 0 mins. 0 secs.
*****************************************************************************
Processing NOTE:
When using the -O or -a (append to an existing output file) the lines that begin with
"-------- END PROCESSING MD5 -----------"
and the statistics on the bottom of the page are removed so the additional hash values can be added. Because of this, the final processing statistics
Processed 0 directories, 1 files, 173 bytes:
Elapsed: 0 hrs. 0 mins. 0 secs.
will only reflect those for the current run. I do not attempt to keep a running total of the number of files (entries) in the output file. It is an easy matter to figure out how many entries are in the output file, just by opening it with a good text editor and looking at the line count.
The output of the program is intended to be placed in an output file for future reference such as verification that files were not altered. This is important when certifying that file contents were not altered during forensic examination or duplication for analysis.
If a file's contents were altered in any way, the hash value calculated would be different from the original. The MD5 algorithm has been reviewed and tested by cryptologists and is one of the most secure. Security in this context means that no two files will ever produce the same hash value.
For documents describing the operation and reliability of the MD5 algorithm a search of the World Wide Web for MD5 will provide hundreds of sites and documentation.
The MD5 algorithm produces a 128 bit value (16 bytes, 32 printed HEX values) which guarantees (2 **128 or roughly 10 **38 ) no two files will produce the same value.
The SHA-1 algorithm produces a 160 bit value (20 bytes, 40 printed HEX values) and is a NIST certifiable algorithm. This algorithm produces unique values which guarantees file uniqueness.
Output ONLY the MD5. This may be needed when you wish to import the MD5 values to a forensic software package that will accept ONLY the MD5 values. However, if you run HASH, you get other items output in addition to the MD5. So you may need to extract the MD5 values for inclusion into your next process. In order to do this, I have included here for your enjoyment a zip file containing a batch file (for you young guys, that's a script) which will run hash, then run filbreak to extract out only the MD5 value. What you do with it then is totally up to you.
Even though HASH is a 32 bit program it MUST be run from the command line. It will run under any of the current Windows operating systems, and there is also a Linux version that provides a virtually identical output format.
The user provides HASH with appropriate options on the command line. Hash can run from a batch file which means, for forensic purposes it can run unattended.
Run without any options,
(C:>hash)
HASH defaults to calculate the hash values of all files in the current default directory, and all sub-directories.
The user supplies various options to modify or enhance the program operation.
If no file type is provided, the default is all files (-f *.*). If no path is provided, the current default directory (-p .) is used as a starting point, and a recursive hash is done from there. Options are available for modifying how the program searches for files.
Depending on the options supplied by the user, the program can calculate the hash of a single file
(C:>hash anyfile)
or all files in a single directory
(C:>hash -p c:\this_dir -r)
or recurse an entire disk drive, by default.
(C:>hash -p c:\)
Hash can also search for specific file types (i.e. *.exe, *.bat), or search down selected paths. More than one file type, and more than one path can be used at once.
(C:>hash -p c:\this_dir c:\that_dir -f *.exe *.bat)
or display the filetime as GMT if the -z (zulu) option is added.
(C:>hash -p c:\ -z)
The file types and paths provided by the user on the command line are used to build a matrix which HASH uses to select files. If more than one path and/or file type is listed, hash builds a matrix and incorporates all the requested file types into the search in each path.
After HASH has determined it has enough information, it proceeds to find all the files requested and to calculate either the MD5, 32 bit CRC or SHA of the file. It then prints the values on the screen. If an output file was requested it writes to the output file. HASH does NOT write to the hard disk unless specifically requested by the user to create an output file.
The space allotted for the output is generally maintained at a default of 40 spaces to accommodate the largest SHA-1 output. This means that if the CRC was asked for, there is a lot of empty space in the output record.
Whatever output is chosen, the chances of two dissimilar files producing the same calculated values are slim to none. Both the 128 bit (MD5 hash) and the 32 bit Checksum are secure. The 32 bit checksum will produce duplicates about 1 in 4,000,000,000. The 128 bit is not worth mentioning. None of us will live that long. (Actually the chances of a duplication are 2 **128 which is roughly about 10 ** 38); and the SHA will be 2 ** 160th which is astronomical.
The output records are fixed length records that can be imported into a data base for reference and cross matching with a later generated output. The headers must first be removed for this to occur. Or the program can be run with the -v (no verbose) option to not print the headers and footers. If the -w option is used, the output record length is altered accordingly. But for any particular set of options, the output record sizes are identical.
Diskcat also has a capability with appropriate options to create a 32 bit Checksum, or MD5 values of the file.
File List Sources: In some instances, the user may provide a list of files that are to be hashed. This list can be derived from any number of sources that the user has available. The "list" processing is similar to the upcopy -s source_list process. The user provides a text file containing the full path of each file to hash, and the program reads that list and performs the required functions. Since this is a late add-on option, it has no single-letter -option mnemonic. However, it is implemented with the linux style --source=listfilename option. See options below.
A NOTE of caution.
If using either version of HASH on a 32 bit OS (NT, XP, WIN9X) file system, the "LAST ACCESS" time of the file will be changed. The calculation of the hash value requires the opening of the file for reading. This means any time a hash is calculated for a file the "LAST ACCESS" time stamp is altered. If you don't want last access time altered, use the -R* option to reset the access time. See also the -t option. The preferred method of operation to capture the proper date and time, and perform the hash, is a two line batch file.
(C:>hash -p c:\ -t3 -o output1)
(C:>hash -p c:\ -o output2)
The reader is encouraged to determine the functionality of these two commands.
VERY IMPORTANT NOTE:
Since the program allows the OS to reset the Last Access Time, if the user wishes to have the original access date of the file restored, then the environment variable RESET must be set, or the -R option must be used. Test the operation of the version of HASH you are using, and verify the output with MDIR.
In the 16 bit version, when run from a DOS reboot of a WIN9X system, the 16 bit version doesn’t alter the last access date of files. However, you only get the 8.3 DOS filename in the output. A tradeoff.
Here is a sample of the default output to a file. Everything between the two lines of ******* (stars) is what would be contained in the output file. The output record is normally 160 characters wide (including the CR/LF) and has been shortened for clarity. It begins with the C:\TMP\.... and ends with the Eastern Standard Time (EST/EDT:-5)
Depending on options used, the output record length is modified. However, it is always fixed in length based on the options chosen.
In some instances, the option: --NAMEAFTER, can be used to move the full path name to the end of the record. This allows the first part of the record to be fixed in length, and the last field being the name, will allow a variable length record.
*****************************************************************
Started Sat Dec 28 19:20:25 2002 GMT, 14:20 Eastern Standard Time (EST/EDT:-5)
C:\UTILS\NTUTILS\HASH.EXE sedline.txt -o junk
-------- BEGIN PROCESSING MD5 -----------
C:\TMP\sedline.txt 139AE24DA60488F77A251CB29A012628 34 07/03/2002 16:09w EST
-------- END PROCESSING MD5 -----------
Processed 17 directories, 1 files, 34 bytes:
Elapsed: 0 hrs. 0 mins. 1 secs.
**************************************************************
The items in the output file are:
1: Date and time the program was run
2: The command line that was run
3: The line -------- BEGIN MD5 HASHING -------- indicates the beginning of the fixed length output records
4: The output records (fixed length) made up of:
a: file being processed (full path)
b: MD5 hash total (40 characters + 2 blanks) (or 40 blanks)
c: File size
d: File date
e: File time (including NT time type (acw) if necessary)
f: Time zone setting (if one is in use or set)
5: The line -------- END MD5 HASHING -------- indicates the end of the fixed length outputs
6: A line indicating how many files were processed.
The lines ----- BEGIN and ----- END ... are inserted so the users can easily identify the files processed. The ending parts (line 5 and 6) are removed for each time the file is appended to.
If comparisons against other runs need to be done, the files could be compared in a data base environment. The program HASHCMP has been specially designed to compare output files created by the HASH program.
A suggestion on how to use this program
Create a reference output file of all the programs on the disk. At a later date, create a second output file, and compare the 1st and 2nd using the HASHCMP program. If changes occurred, take action.
Here is a sample batch file to accomplish the above.
@echo off
rem To obtain a reference file or a test file
rem replace the -p C:\TOP_LEVEL with a correct top level path of the source
rem replace the REFERENCE.TXT with an output filename
rem the first run should probably be a reference and
rem the next run should probably be a testing run
hash -p C:\TOP_LEVEL -w 350 -v -d "|" -AT3 -8840E -r -o REFERENCE.TXT
rem NOW to find hash matched or mismatched, run one of the following commands
rem you don't need all of them
rem assume REFERENCE.TXT is the first hash set, and
rem TEST.TXT is the 2nd hash set
rem if you don't have hashcmp64, use hashcmp
rem hashcmp64 has a higher file limit of 1.5 million
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x > DIFF_FILES.TXT
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x -1 > FILES_ON_1_NOT_ON2.TXT
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x -2 > FILES_ON_2_NOT_ON1.TXT
rem if you want an output compatible with Excel, use the -o option
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x -o DIFF_FILES.TXT
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x -1 -o FILES_ON_1_NOT_ON2.TXT
rem hashcmp64 REFERENCE.TXT TEST.TXT -d 360 -l 32 -x -2 -o FILES_ON_2_NOT_ON1.TXT
and a batch file to calculate SHA values, and then search the output for suspect values using search.exe
hash -p unix -256 -v -o 256bit_hashes -w 255 -d "|" -1 logfile -C CPU01
rem -p unix == top level path to start at. could be c:\
rem -256 == run the 256 SHA
rem -v == do not put headers on the file
rem -o filename == choose an output file, use -O uppercase to append
rem -w 255 == make pathname in output 255 characters,
rem -d "|" == delimit output record
rem -1 logfilename == create an accounting file to reference later
rem -C CPU01 == add comment before record to identify which computer is source
rem check the output file, and make sure no alternate data streams were hashed
rem as they sometimes corrupt the record length.
search 256bit_hashes junkout search.par
rem search.par contains the "parameters" about the file to be searched
rem in the above example, the total record length and blocksize is the
rem 1st two lines.
rem lines 3 and 4 are important, count from 0 and set the displacement
rem length of the 256 bit field.
rem don't blink. this program kicks speed ass.
rem SAMPLE search.par to go with above script
rem 482
rem 482
rem 305
rem 64
rem 95769AB74AB2C629CCCCBB13830A7CC888E7799F1661E50ED75392A48A65D095
rem 3BA97265EF60FB613D0C2BE603765553E028B4E18E1657F88DC89DB125753975
rem add as many sha values as you want.
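The reference-then-compare workflow suggested above (first run a reference catalog, later run a test catalog, then find changed files, files only in the reference, and files only in the test set), as an added example in Python. This is not Maresware's HASH or HASHCMP; the function names, the catalog layout and the pipe-delimited record format are this example's own, and it records file times in UTC in the spirit of the -z/--zulu option so catalogs from differently configured machines compare cleanly.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example, not Maresware code. All names below are this example's own.


def build_catalog(root, algorithm="sha256"):
    """Recurse from root (like hash -p root -r) and return
    {relative_path: (hexdigest, size_bytes, mtime_as_utc_string)}."""
    catalog = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            h = hashlib.new(algorithm)
            with open(full, "rb") as f:                   # stream, don't load whole file
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)  # zulu time
            catalog[rel] = (h.hexdigest(), st.st_size, mtime.strftime("%Y-%m-%d %H:%M:%SZ"))
    return catalog


def compare_catalogs(reference, test):
    """Return (changed, only_in_reference, only_in_test) as sorted path lists.
    'changed' = path present in both catalogs with a different digest."""
    ref_paths, test_paths = set(reference), set(test)
    changed = sorted(p for p in ref_paths & test_paths if reference[p][0] != test[p][0])
    return changed, sorted(ref_paths - test_paths), sorted(test_paths - ref_paths)


def to_records(catalog, delimiter="|"):
    """Render delimiter-separated lines (the -d "|" idea) for spreadsheet import."""
    return [delimiter.join((p, d, str(s), t)) for p, (d, s, t) in sorted(catalog.items())]


def demo():
    """Constructed scenario: catalog a tree, then alter one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/tool.exe": b"original tool", "docs/readme.txt": b"notes", "old.log": b"log"}
        for rel, data in files.items():                  # constructed sample tree
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        reference = build_catalog(root)                  # "day one" reference run
        with open(os.path.join(root, "bin/tool.exe"), "wb") as f:
            f.write(b"tampered tool")                    # content changed -> new digest
        os.remove(os.path.join(root, "old.log"))         # present in reference only
        with open(os.path.join(root, "new.dll"), "wb") as f:
            f.write(b"dropped in later")                 # present in test only
        test = build_catalog(root)                       # later test run
        return compare_catalogs(reference, test)


if __name__ == "__main__":
    changed, only_ref, only_test = demo()
    print("changed:", changed)
    print("on reference only:", only_ref)
    print("on test only:", only_test)
```

Comparing by relative path keeps the result stable when the same tree is cataloged under a different mount letter or root; if the absolute path is itself evidence, key the catalog on the full path instead.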
Windows file times are maintained using three different values. There is the “Creation Time” (when the file was originally created or written to that disk media), the “Last Write Time” (last time the file was written/modified), and the “LAST ACCESS DATE/TIME” (last time the file was accessed).
For FAT32 file systems, for the last access date and time field, only the date is maintained. The last access time on FAT32 file systems is always 00:00. Assume all references to WIN9x and NTFS take this into consideration.
Prior to Windows Vista and subsequent versions, when a file was touched/opened, the last access date was altered. With the advent of Vista and future versions Windows had the last access date update turned off by default. By checking and setting the appropriate registry key, the last access date update can be turned on.
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Name: NtfsDisableLastAccessUpdate
Type: REG_DWORD
Value: 1
A value of 1 turns last access off. Value of 0, sets last access update.
There are some other links to date/time articles at this page:
BUT BE ADVISED THAT REGARDLESS OF THE SETTING OF THE KEY, PROGRAMS CAN ALTER THE LAST ACCESS UPDATE AT WILL. THE DEFAULT PARAMETER IS MERELY A GUIDE THAT WINDOWS USES TO SET ITS MAC DATE/TIMES.
Prior to Vista et al., almost every application that opens a file for reading changes the “LAST ACCESS” time of the file. This means if you use a program that merely “views” the contents of the file, you may very well be altering the “LAST ACCESS TIME” of the file. If this is a major concern, and in some investigations the last access time could be very important, determine before hand whether the particular application alters the access time. (You may use the 32 bit version of MDIR to verify file time alterations.) At the very least, you will be altering that part of the disk where the last access time is stored. (The windows TYPE, MORE, and PRINT commands, OutsideIn, Quick View Plus and many others all alter access times). Unless you have tested and confirmed otherwise, assume all programs alter last access time.
If you use CRCKIT, HASH, or (DISKCAT with the -h or crc option) the last access time is changed by the operating system every time the program is run. (the HASH -t3 option does not open files, and thus is the only hash option that doesn’t change the access times).
If you want to have the program attempt to RESET the last access time back to its original value, you can do it in one of two ways. The first way is to use the -R option. The -R option tells the program to attempt to reset the last access time to the original value before the program ran. This will be accomplished successfully on all files except those “LOCKED” by the operating system. Those files are traditionally the system files. They can never have their last access time reset.
The second way is to set an environment variable called RESET. (set RESET=1) If the program detects the RESET variable, it will always attempt to reset the access time to its original value. This is identical to the -R option.
Setting/resetting the last access time could have evidentiary consequences, and the user should be certain that a sound explanation is available.
After the file has been opened and the calculation has been made, if the -R (RESET) option is set, the file times will be maintained and not altered. However, there are some concerns:
1. Even though the last access time is reset to the original before the program examined the file, the program is technically changing the disk. The disk is first changed by the operating system to set a current last access time and then the -R causes the program to reset the file time to the original. The ultimate effect is no change in substance (the value of "LAST ACCESS TIME" is as it was before the program was run). However, the disk has actually been changed twice. Once by the system, and once by the program.
2. If the file being looked at is a system type file (in use by the operating system) or if the file has a readonly attribute set, then the program cannot replace the original file access time, and the new one, set by the operating system is used. This definitely produces a change in the last access time. Again the program has no control over this. It is the operating system which sets the time. The program does however produce a message on the screen that it cannot reset the file time. So the user will be able to determine which files have had times changed.
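The -R / RESET=ON behaviour described above, as an added example in Python (this is not Maresware's code; the function names are this example's own). It records the file's times before opening it, hashes the file, then writes the original access time back and reports whether the write succeeded, so the two concerns just listed are visible in code: the metadata is written twice, and a file the OS will not let you re-time is reported rather than silently left with a new access time. Note that on Windows a read-only file makes os.utime raise PermissionError, which is the read-only case in concern 2; on Linux the owner can usually re-time a read-only file, so that branch is not exercised by the demo.

```python
import hashlib
import os
import tempfile
import time

# Added example, not Maresware code. Names here are this example's own.
CHUNK = 1 << 20   # read 1 MiB at a time so large evidence files are not loaded whole


def hash_preserving_atime(path, algorithm="sha256", reset=True):
    """Return (hexdigest, atime_restored).

    atime_restored is True when the pre-open access time was written back and
    verified, False when the OS refused (read-only/locked file), and None when
    no reset was requested. The file is always opened for reading, so the OS
    may bump atime; the reset is a second metadata write (the 'changed twice'
    concern in the text above)."""
    before = os.stat(path)                       # capture MAC times BEFORE opening
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    if not reset:
        return h.hexdigest(), None
    try:
        # utime sets atime and mtime together, so pass the original mtime back unchanged
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
        restored = os.stat(path).st_atime_ns == before.st_atime_ns
    except OSError:
        restored = False                         # report it, as HASH prints a "cannot reset" message
    return h.hexdigest(), restored


def demo():
    """Constructed input: a temp file whose atime is deliberately set 30 days back,
    so a read that bumps atime to 'now' is easy to distinguish from a restored one."""
    data = b"constructed sample evidence\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "evidence.bin")
        with open(p, "wb") as f:
            f.write(data)
        old = int(time.time()) - 30 * 86400
        os.utime(p, (old, old))                  # atime = mtime = 30 days ago
        digest, restored = hash_preserving_atime(p, "md5")
        atime_back = int(os.stat(p).st_atime) == old
        digest_ok = digest == hashlib.md5(data).hexdigest()
        return digest_ok, restored, atime_back


if __name__ == "__main__":
    print(demo())
```

Whether the read actually bumps atime depends on the volume's mount options (noatime/relatime on Linux, NtfsDisableLastAccessUpdate on Windows), which is why the function verifies the restored value with a second stat instead of assuming it.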
Some examples of how NTFS treats different operations.
A (+) plus sign means this time is altered, and is usually the current time; a (-) minus sign means the time is left as is; the (*) means the write time of the source file is maintained on this new file.
Effect on:
Operation             Access  Create  Write
COPY (source)         +       -       -
COPY (dest.)          +       +       *   (write time of the source is used)
PRINT                 +       -       -
MSWORD (save)         +       +       +
MSWORD (print)        +       -       -   (close without alteration)
Quick View Plus       +       -       -
DIR (FILE MANAGER)    -       -       -
The last access date for FAT32 file systems only maintains the date of access and not the time.
The last access time of NTFS file systems is updated only in hour increments. This means you could access a file three times within one hour, but only one time update would occur. (Microsoft could change this at any time, so do your proper due diligence when this is an important factor.)
When working with the 32 bit operating systems you should familiarize yourself thoroughly with the consequences and side effects of altering file times when using any programs that open/view or copy files.
Also you should take note of the CMOS time settings on the suspect computer with regard to time zone settings, Daylight Savings time settings, and the local time the computer is maintaining. Some of these settings can be altered/set within the autoexec.bat of the suspect computer. Any or all of these settings affect the way the file times are displayed on your forensic machine if the settings are not identical.
This is not an absolute, just a caution. For this reason, HASH and CRCKIT have options (-Z[ulu]) to "normalize" the times from local to UTC/GMT. If you are dealing with many computers from different time zone sites than your own, you might want to deal with GMT. This should eliminate any differences in machine settings. All of this is with the caveat that the suspect's machine originally had a time set that was reasonably accurate for his/her time zone. I suggest the investigator check out time anomalies on files created on differing systems.
DON'T FORGET:
Any read/open/view etc. of the file by almost any program WILL BE ALTERING THE HARD DISK, AND EVIDENCE.
Usage: hash -[options]
At least 1 initial file or path is recommended. For additional paths or filetypes use -p and/or -f options. If only a file name used, current default path is used, and recursed from there.
This program is INI capable. INI keywords in [BOLD]
Important item to remember when naming the ini files. Each program has an embedded internal filename
built into the exe, and is associated with the exe. For instance the hash program has an internal name of hash.exe. When it
searches for an ini file it ONLY searches for one named hash.ini (or for a line in the maresware.ini
with the subsection [HASH]). If you rename the executable to hash_xyz.exe and can't figure out
why some options are still being installed, it is because the program is still finding an ini
file named hash.ini and processing its contents. If you wish for hash_xyz to NOT process any
ini contents, then you MUST rename the hash.ini to something inconsequential, like: hashini.
This way the program cannot match its internal name: HASH with any current ini file.
First thing to consider: the command line options take precedence over the INI settings. So a similar but different setting option on the command line would be the one used. IE: if the command line had -TW (for write time), and the INI file had TIME=3 (meaning show all three times), the only one being shown would be the last write time, based on the command line option. That is item one to know about.
INI settings are used in conjunction with command line arguments. The INI settings, as in most programs, take effect for the program. However, there are up to four INI files (two diskcat.ini, and two maresware.ini) which can be in two places at once, but only one of the files takes effect, which is very important as to the priority of the execution. Study this priority well and practice.
First off: the INI file located in the directory from which the program is run will take effect. So if the program is run from say: c:\tmp\diskcat.exe, then the c:\tmp\diskcat.ini contents would be used; if there is no c:\tmp\diskcat.ini, then c:\tmp\maresware.ini is looked for and executed. Again: If there is no c:\tmp\diskcat.ini in place, then if there was a generic c:\tmp\maresware.ini (which is generic for all maresware programs) then the c:\tmp\maresware.ini would be used. If neither is found, then no INI file is processed.
Now comes the sticky part. Suppose the system path is set to run all the maresware programs from say: c:\generic_system_files and there is a diskcat.ini and a maresware.ini in that location. You have placed all the maresware.exe programs also in that folder, and it is pathed in the environment. set path=%path%;c:\generic_system_files;
Following is a sample diskcat.ini file with most, if not all, the appropriate keywords that diskcat will recognize.
The only difference between a specific program.ini (ie: diskcat.ini) and the generic maresware.ini is that in the maresware.ini each
program has its own section identified by [square brackets] beginning the program ini options. So a generic maresware.ini might have two
sections, one for diskcat and one for hash as seen here
[DISKCAT]
TIME=3
MILLI=ON
WIDTH=100
[HASH]
WIDTH=200
TIME=W
RESTORE=ON
[UPCOPY]
RESTORE=ON
Notice how the program sections were separated/identified by the program name in [BRACKETS]
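The lookup order and precedence described above, as an added example (Python, not Maresware code): program.ini in the run directory wins outright, otherwise the [HASH] section of maresware.ini, and a command line switch shadows the matching INI keyword. The run directory, the keyword names and the small switch-to-keyword map are assumptions taken from the page's own examples.

```python
import os
import tempfile

def parse_ini(path, program):
    """Keyword=value pairs that apply to `program` from one INI file.
    Lines before any [SECTION] header belong to a program-specific ini
    (hash.ini has no header); [HASH] in maresware.ini selects hash's section."""
    wanted, current, settings = program.upper(), None, {}
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1].upper()
                continue
            if current is None or current == wanted:
                key, _, val = line.partition("=")
                settings[key.strip().upper()] = val.strip()
    return settings

def find_ini(run_dir, internal_name="hash"):
    """Page's order: <internal_name>.ini in the run directory, else
    maresware.ini, else nothing. The internal name is baked into the exe,
    so a renamed hash_xyz.exe still picks up hash.ini."""
    for candidate in (internal_name + ".ini", "maresware.ini"):
        p = os.path.join(run_dir, candidate)
        if os.path.isfile(p):
            return candidate, parse_ini(p, internal_name)
    return None, {}

# Switches that shadow INI keywords. Only the page's own examples are
# mapped here (assumption); the real option set is much larger.
CLI_TO_KEYWORD = {
    "-TW": ("TIME", "W"), "-tw": ("TIME", "W"),
    "-T3": ("TIME", "3"), "-t3": ("TIME", "3"),
    "-R": ("RESTORE", "ON"), "--noreset": ("RESTORE", "OFF"),
    "-z": ("ZULU", "ON"), "--ZULU=OFF": ("ZULU", "OFF"),
}

def effective_settings(argv, ini_settings):
    """Command line takes precedence over INI (the -TW versus TIME=3 case)."""
    settings = dict(ini_settings)
    i = 0
    while i < len(argv):
        a = argv[i]
        if a == "-w" and i + 1 < len(argv):   # -w takes a separate width value
            settings["WIDTH"] = argv[i + 1]
            i += 2
            continue
        if a in CLI_TO_KEYWORD:
            k, v = CLI_TO_KEYWORD[a]
            settings[k] = v
        i += 1
    return settings

# The sample generic ini shown on the page.
PAGE_MARESWARE_INI = """[DISKCAT]
TIME=3
MILLI=ON
WIDTH=100
[HASH]
WIDTH=200
TIME=W
RESTORE=ON
[UPCOPY]
RESTORE=ON
"""

def build_demo_dir(with_hash_ini=False):
    """Constructed run directory holding the page's maresware.ini and,
    optionally, a hash.ini that must take precedence over it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "maresware.ini"), "w") as f:
        f.write(PAGE_MARESWARE_INI)
    if with_hash_ini:
        with open(os.path.join(d, "hash.ini"), "w") as f:
            f.write("WIDTH=120\nTIME=3\n")
    return d

if __name__ == "__main__":
    src, ini = find_ini(build_demo_dir())
    print(src, ini)
    print(effective_settings(["-TW", "-w", "300"], ini))
```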
All options should be preceded by a (-) minus sign. Some can be grouped together, and others where specified MUST be grouped without a space. The options are grouped where appropriate.
DO NOT include the + sign or the colon (:) in your command line. The + sign is used to indicate that this option takes a modifier or additional information.
Some options because they deal with specific 32 bit items like MDS or file times are only active in the 32 bit version running on an appropriate file system.
-p + path(s): paths to search. -p c:\windows f:\evidence
-f + filespec: files to search. -f *.jpg *.gif *.xyz
--source=listfilename: file containing fullpaths of files to hash.
-x + filespec: e(x)clude, do not process these files. -x *.exe *.dll
-oO + filename: Output file name. (uppercase O==Overwrite) -o f:\case_x\hashes.txt
-oO + YY[YYMMDDhhmmss[=:]literal_text]: output filename with today's date
--margin=xx: Add xx spaces at beginning of line for easier reading
-a: append to output filename. Same as uppercase -O outputfile
-d + "delimiter": field delimiter, typically a pipe. -d "|"
-r: DO NOT recurse the directory. Default is program recurses the -p path.
--norecurse: Turns off (do not) recurse tree.
--recurse: Recurse tree. (this is the default)
--recurse=ON: Recurse tree. Sets recurse to default
--recurse=OFF: DO NOT recurse
-P, -P[=nn]: Pause screen output after every 20 lines, or nn lines for larger screens.
-w + #: Set filename width to # characters. -w 120
-V: Make output file variable fields. Pipe delimiter automatic.
--variable: Make output file variable fields. Pipe delimiter automatic.
-M: AUTO-ADJUST filename width to longest found.
-i: Proceed immediately. This negates the -M option.
--showlong: Process only files with path over 260 characters
--showlong=xx: Process only files with path >= xx characters.
-1 + filename: file which will contain accounting/log information. -1 logfilename.txt
--NAMEAFTER: Place filename at end of the record. ABCD1234 path\filename.xyz
--sequence[=####]: Add a sequence number before each output record.
-v: Silent run. NO VERBOSE accounting to screen.
--NOHEADER: Silent run. NO VERBOSE, do not print headers in output.
-N: Provide in the output only the path/filename. NO hash calculation or dates/sizes
-n: Strip the path from the filename, and list only the filename itself. NO calculations done.
-8: Add the DOS 8.3 filename to the end of the record.
-88: Add the uppercase Long File Name to the end of the record.
-88xx: Add xx wide filename to end of record.
--UNICODE=unicode_filename: Output file with unicode names. Not plain text
-C + "comment": Add a "comment" to the beginning of every record. CASE#1234 | filename | MD5....
-C + COMPUTERNAME[[xx]=xx]: Modified -C option. Literal COMPUTERNAME comment section (see below)
-s: Produce ONLY SHA1, 160 bit SHA output.
-B: Produce Both the MD5 and SHA of a file.
-256: Include the 256 bit SHA2 calculation.
-384: Include the 384 bit SHA2 calculation.
-512: Include the 512 bit SHA2 calculation.
-c: Produce ONLY the 32 bit CRC output instead of MD5 hash.
-A: Produce MD5 and ALL three (3) file times.
TIME - AGING OPTIONS
-g=#[acw]: files greater than or equal ">=" # days old. [w is default, else a or c needed] -g=100c (equal= sign mandatory) (days)
-g=YYYY-MM-DD[acw]: files on or before this date. (YYYY-MM-DD preferred format) -g=2021-01-01 (equal= sign mandatory)
--older=#[acw]: files greater than or equal # days old. --older=100 (equal= sign mandatory)
--[older|before]=YYYY-MM-DD[acw]: files on or before this date. --older=2021-10-01, --before=2022-01-01 (equal= sign mandatory)
-l=#[acw]: files less than or equal "<=" # days old (ell, not one). [w is default, else a or c needed] -l=100a (equal= sign mandatory)
-l=YYYY-MM-DD[acw]: files on or after this date. (YYYY-MM-DD preferred format) -l=2021-10-10 (equal= sign mandatory)
--newer=#[acw]: files less than or equal # days old. 'w'rite is default. --newer=100 (equal= sign mandatory)
--[newer|after|younger]=YYYY-MM-DD[acw]: files on or after this date. --newer=2021-10-10, --younger=2022-01-01 (equal= sign mandatory)
NOTE NOTE NOTE: the 'w'rite time is defaulted for both -l (less than days) and -g (greater than days). If you wish another, like last 'a'ccess or 'c'reate, you need to add it: -l=5a, -g=5c, else it won't work. Don't confuse the -ta for listing/displaying only the access time with -l=5a for access date testing.
TIME - DISPLAY OPTIONS
-t[acw3]: show this/these times. Access, Create, M(w)modify, all 3. -ta displays: 10-20-2019
-T[acw3]: show this/these times with YYYY first. Access, Create, M(w)modify, all 3. -Ta displays: 2019-10-30
-t0: DO NOT display file times.
-z, --zulu, --GMT: Display times in GMT/Zulu time zone. ini: ZULU=ON
--ZULU=OFF: Use to turn off GMT time when ini ZULU=ON is found
-R: Reset (access) file times to original
--reset: Reset (access) file times. May or may not work, depending on the OS being used.
--noreset: Allow OS to reset last access to current time.
--MILLI: Add milliseconds to time. 10-30-2012 12:34:56:789
FILESIZE OPTIONS
-L + #: Files less than this size. -L 10000 (bytes)
--lessthan=#: Files less than this size. --lessthan=10000
--smaller=#: Files less than this size. --smaller=10000
-G + #: Files greater than this size. -G 10000 (bytes)
--bigger=#: Files greater than this size. --bigger=10000
--greater=#: Files greater than this size. --greater=100000
--ADDADS: Adds an Alternate Data Stream (NTFS only) containing the hash value to the file.
--ADS_COMP: Compares the current hash (NTFS only) to the one stored in the alternate data stream previously created with --ADDADS. NOTE: it is suggested you also use --ADSONLY so only files with ADS are processed.
--ADSONLY: Process ONLY files containing (NTFS only) Alternate Data Streams.
--NO_ADS, --NOADS, --NO-ADS: DO NOT include the Alternate Data Streams (NTFS only).
-S, --stream: DO NOT include the Alternate Data Streams (NTFS only).
-D #[,#]: (upper case -D). Start processing # bytes in from the start of the file, for [,#] this many bytes.
War and Peace Version of Options
-p + path(s): If more than one directory is needed to be looked at, then add the paths here as appropriate. (hash -p c:\windows d:\work) [PATH=path]
-f + filespec: If more than one file type is needed, add them here. (hash -f *.c *.obj *.dll) [FILES=filetype]
If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:>hash c:\work\*.c -f *.dll -p d:\windows)
-x + filespec: e(x)clude these file types from listing. Maximum of 100 file types accepted. (same format as -f option) (hash -f *.* -x thesefiles.txt) [EXCLUDE=filetype]
-r: DO NOT recurse the tree. Default is to recurse the -p path/tree/directory.
-oO + filename: Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. (hash -o outputfile.txt) [OUTPUT=filename]
-oO + [OUTPUTNAME]YY[YYMMDDhhmmss][=:][OUTPUTNAME][Gg]:
This format allows the output file to be easily identified as to when it was created. The addition of the YY.... format causes
the output file to be named with the current date/time based on the mask used, and a .txt extension is added unless the user
includes an extension in the mask name. If this format is used, the -a append option is automatic and the -v no verbose is also
automatic.
This option has a number of variations. Read and test profusely. You do know how to do that, don't you.
The basic idea is to create an output filename with the date and time (depending on which YYYYMM.. etc) the program was run. The
user can also add a textual filename either preceding or after the generated date-time output name. The format for this output
filename creation is convoluted.
Output file default format contains headers and footers in the output file. Which may cause problems when trying to import
the data to the next step. If you wish to eliminate the headers/footers, you must create a log file using the -1 option
as explained below.
If you use (include) the preceding [NAME] text then the name provided is "prepended" to the date string created. (see below for
the trailing filename format). With specific additions of an actual NAME the output name can be modified to have a leading
textual name.
If the trailing "filename format" (not recommended without extreme testing) is included as part of the output name, you must
use either the "=" or ":" delimiter in the trailing mask or else it is ignored. The minimum is that the YY be the first
item. Then you can add additional modifiers to refine the output name. This option is especially helpful when you are creating
the catalogs with batch scripts run periodically. Then depending on the mask used, the output filename will reference the date
and time of the run. The modifiers are case dependent, and add the following:
--PNAME: (minus minus - - PNAME) If using the above YY... format, you can also prepend to the output filename the actual name of
the program being run. So that if you use --PNAME when running hash, the name HASH will preceed the filename such as:
hash -o YYYYMMDDhhmmss=NAME --PNAME yields program name before, and filename after
HASH_20231111_102025NAME.txt
There are probably other variations of the date inclusion. But I'm tired of adding them.
--UNICODE=unicode_filename: This option opens and creates a file of the name used as unicode_filename. If the file exists, IT IS ALWAYS OVERWRITTEN. It is independent of the -o options when creating output files. This option causes an additional output file (which is always overwritten, so if it exists, copy the current output to a safe place) to be created with minimal information and is written to a file which has the correct unicode characters representing the filename. It also contains the filesize, dates and times, and if chosen, the MD5 and SHA values. It is pipe (|) delimited without headers. This output should only be examined using an editor that can properly interpret true little endian 16 bit unicode characters. This option is similar to the --UNICODE=... option found in upcopy and hash programs.
-a: append output to filename provided in -o option. Serves same purpose as using an upper case O. (hash -a appended_to_output_filename.txt) [APPEND=[ON|OFF]]
-1 + filename (That's a one, not an ell). The filename here is a
file which will contain accounting/log information about the run. It is always appended to,
and contains the command line plus statistics about how many files and time of run. The file
can later be used as a batch file for duplicating the runs.
Using the -1 logfile option removes the headers and footers from the output file allowing it to be easily reprocessed in
the next step.
The ACCT environment variable can also be set. (SET ACCT=logfilename). Or use the .INI option
[ACCT=filename]
The order of priority is: Environment, INI file, Command Line option. To explicitly turn it off use a
+1. (diskcat -1 c:\tmp\logfilename.txt)
-C + "comment" Add a "comment" to the beginning of every record. This is very useful when ultimately merging many outputs from different locations or for different cases. The comment can uniquely identify the sources of the hash values. Example, (-C SUSPECT_CPU#1). The resulting output records would look something like this: (hash -o outputfile.txt -C SUSPECT_CPU#1)
-C + COMPUTERNAME[[xx]=xx] A special version of the -C option. If the literal COMPUTERNAME (all uppercase) is used, then the program will find the name of the computer and insert it there. This is kind of like a wildcard substitution. The user can let the system decide what to put there. This can then uniquely identify the source computer of the hash values. Example, (-C COMPUTERNAME). The resulting output records would look something like this: "CPU-2_ATLANTA C:\WINNT\....\filename etc.". If the xx or the =xx is replaced by a numeric value, then the computer name field is made this many characters wide. (-C COMPUTERNAME20, or -C COMPUTERNAME=20) becomes: "CPU-2_ATLANTA C:\WINNT\....\filename etc.". The =xx version is preferred.
-S: If the file system is NTFS, this option causes all Alternate Data Stream files to NOT be processed also. (hash -S ) DO NOT show data streams. [STREAM=[ON|OFF]]
Hash calculation options: (-s -A -B -c -256 -384 -512) Default option is MD5 128 bit for HASH, and -s (SHA1 160bit) for SHA_V.
With most of the hash calculation options, they can be combined to include multiple calculations. In most cases, the MD5 is defaulted to be included with other choices (except the -s option, see -B option below). Try each combination to find the one that's right for you.
If you want ONLY the MD5 value in the output, you must run the MD5.exe program with the --ONLYMD5 option. The MD5 value only output is needed for many forensic suites to include the MD5 values in their tests.
-s: produce the 160 bit SHA output instead of the 128 bit MD5 hash. (Default in SHA_V program)
-B: produce Both the MD5 and SHA of a file. (This option available only for 32 bit version.)
-256: produce the 256 bit SHA2 calculation. (not compatible with default MD5 128 bit)
-384: produce the 384 bit SHA2 calculation. (not compatible with default MD5 128 bit)
-512: produce the 512 bit SHA2 calculation. (not compatible with default MD5 128 bit)
-c: produce a 32 bit CRC output instead of the 128 bit MD5 hash.
-A: This is a very special option. It causes the hash to be computed, and also includes all three (3) file date/times in the output. The original access date is captured and maintained in the output record even though after the hash calculation is performed, the current access date is modified. This output record is very large (over 180 characters wide). This option also includes in the output record the file attributes. In effect, it gives you almost everything you would want to know about the file (except the file type based on header). (THIS OPTION IS ONLY AVAILABLE IN THE 32 BIT VERSION)
Note: The use of -256, -384, -512, will provide each of the calculations. If you wish to get both the MD5 and SHA1 the -B option is implemented for this. If you want to add the three file times, the -A (for ALL times) is implemented for this. -AB option will provide 128 bit, 160 bit and 3 file times.
General information:
Because the date tests are so finicky (that's an artificial intelligence term) you should test these options extensively
before implementing them.
When the program calculates the date, or the user enters a date, remember that the date which is entered IS
included in the calculation. So, if you use -l=1 for less than one day, today is included, so any file with
today's date would be included. If you entered --newer=2022-02-01 then any date more recent than and INCLUDING Feb 01,
2022 itself would be included in the test. Any reference to older, or newer below, also includes older
"than or equal >=" or newer "less than or equal <=".
For either the -l or --newer= options, the last 'w'rite time is defaulted. To match other time items, refer to
below explanations of how to change the default 'w'rite time.
The [mac] (modified, access, create) modifier is always suggested. (the program accepts the 'w' for Modified). However, when using both the --newer= and --older options together, a MAC modifier must be used so that the program can differentiate which MAC segment to test for. Or else the Modified time is defaulted, and the MAC modifier MUST be different for each date, AND the test is done as if it was a logical AND being tested. So something like: --newer=2022-01-01w --older=2021-04-01c would find ALL files that were either written after (newer than) Jan 1, 2022, AND created before (older than) April 1, 2021. The AND test is implied. Again, since this test uses my artificial intelligence, you should test its operation fully.
If you want the two --newer and --older dates, you need to add an a,c,w after the date to tell the program which you want tested, access, create, or modify. And then a logical AND is assumed. This then makes sure that the file dates --newer=2022-01-01c --older=2022-12-31w, will show ONLY files that were created after Jan 1, 2022, AND were last written/modified before Dec. 31, 2022. It is suggested you test these two above logic tests profusely before relying on the outcome.
When using the format -l=xx days, or the -g=xx days this number of days counter is counted from today. So in effect, 10 days from today, would not equate to 10 days from yesterday. So if you want to count from a specific date YYYY-MM-DD then use this format, not the xx day counter format.
All the formats, -l, --newer, etc, ALL require that an equal (=) sign be used, and no spaces.
Although a date format of =YYYYMMDD[acw] is acceptable in the latest versions, it is always better to use the YEAR-MONTH-DAY format and put separators in the date like: =2024-01-01w. This way there is no confusion if the date is 01012019 or 2019-01-01. Don't forget, get testy.
NOTE NOTE NOTE: the 'w'rite time is defaulted for both -l and -g. if you wish other, the 'w' or 'a' modifier is REQUIRED. For instance, last 'a'ccess you need to add it -l=5a else it won't work. Don't confuse the -ta (display access time) for listing only the access time, with -l=5a for date restriction.
SUPER SUPER NOTE with Alternate Data Streams: If the --newer, --older date options are used, and the parents date fits the request, but the alternate data stream does not, the program will list BOTH the parent and alternate data stream. So you may see what you think is an incorrect date hit for the alternate data stream, but take a look at the parent before blowing the whistle. I have chosen to include "bad"/incorrect ADS dates if the parent fits the request, just for informational purposes. Be aware. TEST TEST TEST and get back to me.
For all the date options, the last 'W'rite is defaulted. If you wish others, then explicitly include the modifier.
-g=#[acw] (greater than or equal). Write is defaulted, else the 'a' or 'c' is required. -g=5a
-g=YYYY-MM-DD[acw] (greater than or equal).
--[older|before]=YYYY-MM-DD 'w'rite time is default. last write
--[older|before]=YYYY-MM-DDw 'w' is default. last write
--[older|before]=YYYY-MM-DDc 'c' is created date
--[older|before]=YYYY-MM-DDa 'a' is last access
Where the # is replaced by a number indicating file age in days: list all files ‘g’reater
than or equal ">=" to # days old.
AND the equal (=) sign REQUIRED when using YYYY-MM-DD format.
You can use a -g=nn -l=xx pair to bracket file ages. (diskcat -g=100 write time greater than 100
days) (default time item used is 'w'rite time. If you wish other time tests, add one of the modifiers [acw] -g=100c
-l=#[acw] (ell, for less than or equal, not a one). Last 'W'rite is defaulted, else the 'a' or 'c' is required. -l=3w.
-l=yyyy-mm-dd[acw]
--[newer|younger|after]=YYYY-MM-DD 'w' is defaulted
--[newer|younger|after]=YYYY-MM-DDw 'w' is write time (default)
--[newer|younger|after]=YYYY-MM-DDc 'c' is created date.
--[newer|younger|after]=YYYY-MM-DDa 'a' is last access
Where the # is replaced by a number indicating number of days old. AND the equal (=) sign REQUIRED when using YYYY-MM-DD format.
List all files ‘l’ess than or equal to # days old. (in other words, the day you list is ALSO
included in the test). You can use a -g=xx, -l=yy pair to bracket file ages. To get ONLY todays files,
use (diskcat -l=1) less than 1 days old, which INCLUDES today. The day count INCLUDES today. So if
today is 2-10-2022 and you put -l=1, you would see todays files.
--newer=2022-01-01c --older=2022-02-01w defaults to logical AND which will find files created after Jan 1, AND last written before Feb 1. Don't forget, the modifiers [acw] have to be different for each date. DAH!
Preferred format, is to use is the minusminus format, --[older|newer]=YYYY-MM-DD[acw], be careful when entering any date ranges.
NOTE: the date format "PREFERS" delimeters if you use the =YYYY-MM-DD format. The preferred YYYY-MM-DD format to be used is =YYYY-MM-DD format with dash delimiters and the equal (=) sign. If you don't use delimiters I use my artificial intelligence to try and figure what you mean, and it may not always be correct. The month first format MM-DD-YYYY is acceptable, but not preferred. Got it??
In any of the above formats, the default date being checked is the 'w' last write
date. If you wish for either the 'c'reate or 'a'ccess date you must add the modifier to the date:ie:
--newer=2020-12-01a or --older=2020-10-01c. The -t[acw] date display option, has no impact on the date test.
Process only those files (g)reater (older) than (or equal) or (l)ess than/newer (or equal) than this yyyy-mm-dd date. The date MUST be in the form yyyy-mm-dd with delimiters. It MUST have two digit month and days (leading 0 if necessary, 01), and it MUST have a 4 digit year (2022 etc.). The date (or days xx) given yyyy-mm-dd is included in the calculation. I.e. --newer=2022-01-10 for any days less than Jan 10, 2022; then any file with the date of Jan 10, 2022 would also be included in the test.
The [acw] literals, choose which time to base the mm-dd-yyyy test on Any or all [acw] can be used. If none used, then default is last 'w'rite.
examples: -l=2020-10-20a --newer=2020-10-20a -g=2020-12-05w -g=2020-10-01c --older=2020-10-01c -l=2020-10-20acw -g=2021-12-05wc
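The date tests described above, modelled as an added example (Python, not Maresware code): inclusive cutoffs, 'w'rite as the default time, day counts that include today (so -l=1 is today only), YYYY-MM-DD or YYYYMMDD after the equal sign, and a logical AND when --newer and --older are both given. Assumptions: a file record is a dict of 'a', 'c', 'w' dates, several modifiers such as 'acw' require every named time to pass, and the MM-DD-YYYY form the page merely tolerates is rejected.

```python
import re
from datetime import date, timedelta

# The text after '=' : a dashed date or a run of digits, then optional [acw].
_SPEC = re.compile(r"^(?P<val>\d{4}-\d{2}-\d{2}|\d+)(?P<mods>[acw]*)$")

def parse_spec(spec, today):
    """Parse the value of -g=/--older= or -l=/--newer= into (cutoff, modifiers).

    'w' is the default modifier. An 8-digit number is taken as YYYYMMDD
    (accepted by later versions per the page); any other number is an age
    in days counted from today, with today itself counting as day 1.
    """
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("expected =YYYY-MM-DD[acw] or =days[acw], got %r" % spec)
    val, mods = m.group("val"), (m.group("mods") or "w")
    if "-" in val:
        cutoff = date.fromisoformat(val)          # rejects MM-DD-YYYY
    elif len(val) == 8:
        cutoff = date(int(val[:4]), int(val[4:6]), int(val[6:]))
    else:
        cutoff = today - timedelta(days=int(val) - 1)
    return cutoff, mods

def matches(rec, today, older=None, newer=None):
    """Apply the age tests to one record {'a': date, 'c': date, 'w': date}.

    older (-g=, --older=, --before=): each named time is on or before the
    cutoff, i.e. the file is >= that many days old, cutoff day included.
    newer (-l=, --newer=, --after=): each named time is on or after the
    cutoff, cutoff day included. Both present means logical AND.
    Assumption: with several modifiers, all named times must pass.
    """
    ok = True
    if older is not None:
        cutoff, mods = parse_spec(older, today)
        ok = ok and all(rec[m] <= cutoff for m in mods)
    if newer is not None:
        cutoff, mods = parse_spec(newer, today)
        ok = ok and all(rec[m] >= cutoff for m in mods)
    return ok

def select(records, today, older=None, newer=None):
    """Names of the records that pass, sorted for stable output."""
    return sorted(n for n, r in records.items() if matches(r, today, older, newer))

# Constructed sample catalogue; TODAY is the page's own -l=1 example date.
TODAY = date(2022, 2, 10)
FILES = {
    "today.txt":     {"a": date(2022, 2, 10), "c": date(2022, 2, 10), "w": date(2022, 2, 10)},
    "yesterday.txt": {"a": date(2022, 2, 9),  "c": date(2022, 2, 9),  "w": date(2022, 2, 9)},
    "report.doc":    {"a": date(2022, 2, 5),  "c": date(2022, 1, 5),  "w": date(2022, 1, 20)},
    "boundary.txt":  {"a": date(2022, 2, 1),  "c": date(2022, 1, 1),  "w": date(2022, 2, 1)},
    "archive.zip":   {"a": date(2022, 2, 1),  "c": date(2021, 3, 15), "w": date(2021, 10, 1)},
}

if __name__ == "__main__":
    print("-l=1 ->", select(FILES, TODAY, newer="1"))
    print("--newer=2022-01-01c --older=2022-02-01w ->",
          select(FILES, TODAY, newer="2022-01-01c", older="2022-02-01w"))
```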
-L + #: Where the # is replaced by a number indicating, list all files less than # bytes in size. (hash -L 100000) [LESSTHAN=xxx]
-G + #: Where the # is replaced by a number indicating, list all files greater than # bytes in size. You can use a -GL pair to bracket file sizes. (hash -G 10000) (hash -G 10000 -L 100000) [GREATER=10000]
-P Pause after every 20 lines is default. Adjust number of lines using (=nn), (ie: -P=45).
ini format:(hash -P ) PAUSE=[ON|OFF|nn]
--pause[=nn]: Pause every 20 lines default, or adjust to nn lines for larger screens, --pause=65.
-d + “delimiter”: replace “delimiter” with a delimiter (typically a pipe ‘|’) within double quotes with which to delimit fields. If the delimiter is not printable, use its decimal ascii value but don’t place it in quotes. (hash -o output.txt -d “|”) [DELIMETER=xx]
-w + #: Change the default width of the filename from 38 to whatever value you wish. If you have long filenames, this may be necessary to accommodate the entire name. If a filename longer than 38 is used, the output tends to be more than one line long. Usually a -w 160 will suffice to get all but the most extreme long file names. (hash -w 150) [WIDTH=xx]
-M: When doing the pre-scan (see -i option) of the drive to count the number of files, also calculate the (-M)aximum number of characters needed for the longest filename, and treat it as if the -w # option was used. This automatically sets the -w option to the correct value. The -o option is also mandatory if this -M is used. The -M option only works when an output file -o is also called for. No reason to adjust the path length if printing to the screen.
-i: Start processing the files 'i'mmediately. DO NOT take time to pre-scan (-M option) to find the longest filename for output. -i and -M are mutually exclusive.
MAC TIME SELECTIONS
-[Tt][AaCcWw3]
Show the file time as last ‘a’ccessed; last ‘w’ritten; ‘c’reated; or show all ‘3’. If the A, C or W is uppercase, then the
milliseconds are added to the filetime.
No spaces between the -t and the modifier. ( -tc or -TC or -t3 ) Default is the
‘w’rite, which is identical to what DIR or Explorer displays.
If the T, is upper case, then the date, MM/DD/YYYY is reversed to read YYYY/MM/DD. If the
option -T3, is ended with a period (.), (-T3.) Then the item is prefaced with a
single quote ('), ('YYYY/MM/DD), '2013/01/01. This single quote keeps Excel from
interpreting the item as a date, and reversing the item to MM/DD/YYYY. It eliminates the
Excel import step of choosing this field as a text string.
.ini options
[TIME=[A|C|W|3]]
[ALLTIMES=[ON|OFF]]
[ZULU=ON]
NOTE NOTE NOTE If the -t3 option is used by itself (without any hash option) then ONLY the times are shown. This is a quick default way of obtaining a listing of the files. No hashing is done, unless you include one of the calculation options, like -B -A -256 etc. Test test test.
Some of the options (-sAB 256, 384, 512) may conflict in logic with the -t3 and -t0 options. If a -t3 is used, the default is to NOT perform any hashing. Use this to perform a simple catalog without changing file access dates. To obtain all three times, and an MD5 hash, you should use the -A option which will ALWAYS override the -t3 and insert the MD5. To add an SHA1, include the -B (both MD5 and SHA1). The inclusion of the -B elicits only a single time, even if the -t3 is used. To get three times when using the -B, you must also use the -A which adds the times. The logic here is somewhat convoluted, but the matrix is hard to design. The user should test the options.
[TIME=[A|C|W|3]], [ALLTIMES=[ON|OFF]]
-Z: Display time in ‘Z’ULU UTC/GMT format. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. See note below on time zones: (hash -z) [ZULU=[ON|OFF]],
--ZULU=OFF: If ini ZULU=ON is set this option turns it off.
-m: Show file last write (-modified) date. Same as -tw option. (-m) [MILITARY=[ON|OFF]]
-N: Provide in the output only the path/filename and the calculation. No dates, times or file sizes are included.
-n: Strip the path from the filename, and list only the filename itself. NO HASHING is done. A quick and dirty way of only listing filenames. DOES NOT include ADS filenames.
-8: Add the DOS 8.3 filename to the end of the record.
-88: Add the uppercase Long File Name to the end of the record. This option strips the LFN from the path listing of the first field, and places only the LFN at the end of the record. The default length is a 75 character field. (Note: the -8 and -88 options are mutually exclusive. Use one or the other).
-88xx[eE]: Replace the xx with a value. This value will now determine how
wide the Long File Name field will be. The default LFN length for hash is 25 characters.
Use of the upper case 'E' will cause the filename field to contain only the filename up
to and NOT including the dot extension. This is to be compatible with some of the extracts
from FTK and X-Ways when the filename field is extracted. (ie: MYFILE.DOT is listed as MYFILE)
The 6 character extension field is still included.
Use of the lower case 'e' will cause the filename field to contain the full filename
which includes the extension. This is to be compatible with some of the extracts from FTK and
X-Ways when the filename field is extracted. (ie: MYFILE.DOT is listed as MYFILE.DOT) The 6
character extension field is still included.
-R: Reset file last access time. (hash -R), better to set the .ini RESET=ON so that you don't inadvertently alter the last access date.
-v:
--NOHEADER:
NO VERBOSE. Do not print normal
column headings above numbers. This provides cleaner screen output for
redirection to a file. This can also be accomplished by setting an
environment variable called silent to ON. (set SILENT=ON). The SILENT
environment variable is used by crckit also. The output at this point
is ready for import into a data base. [SILENT=[ON|OFF]]
-D xx: This is the standard default format of the -D option. It will start processing the file xx bytes from the beginning. The xx offset is counted from 1. It then processes the rest of the file. If you need to process only a portion of the file, use the modified version of the -D option below.
-D xx[,XX]: Supersedes the basic -D option. This option takes a lot of practice. Use this option to process only a part of a file. It will start processing the file at byte xx of the file, and process XX bytes from that point. The xx value counts from byte 1: -D 1,XX (XX = process this many bytes).
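Added example (not code from hash.exe or this page): a Python function that hashes a byte range with the -D xx[,XX] semantics described above. It assumes -D 1 means the first byte of the file, and that a range running past the end of the file is simply clipped; the 10-byte sample file it writes is constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def hash_range(path, start, length=None, algo="md5"):
    """Hash part of a file the way -D xx[,XX] is described on this page.

    start  : first byte to process, counted from 1 (start=1 covers the whole file)
    length : how many bytes to process; None means "to end of file" (plain -D xx)
    Returns (uppercase hex digest, number of bytes actually processed).
    """
    if start < 1:
        raise ValueError("the -D offset is counted from 1")
    size = os.path.getsize(path)
    available = max(size - (start - 1), 0)                 # bytes from start to EOF
    todo = available if length is None else min(length, available)  # clip past EOF
    h = hashlib.new(algo)
    done = 0
    with open(path, "rb") as f:
        f.seek(start - 1)
        while done < todo:
            chunk = f.read(min(CHUNK, todo - done))
            if not chunk:               # file shrank underneath us: stop early
                break
            h.update(chunk)
            done += len(chunk)
    return h.hexdigest().upper(), done


def digest(data, algo="md5"):
    """Reference value for a byte string, to check hash_range against a slice."""
    return hashlib.new(algo, data).hexdigest().upper()


def write_sample():
    """Write a constructed 10-byte test file and return its path (not from the page)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"0123456789")
    return path


if __name__ == "__main__":
    p = write_sample()
    print(hash_range(p, 1))        # whole file, same as hashing without -D
    print(hash_range(p, 3, 4))     # bytes 3..6, i.e. "2345"
    print(hash_range(p, 9, 100))   # only 2 bytes remain, so the range is clipped
    os.remove(p)
```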
--source=listfilename: Provide a list of files to hash in the file identified by the name: listfilename. One filename per line. The filename must contain the complete path of the file to hash. The program reads the text file one line at a time and processes that file. There should be a blank line at the end to indicate no more files to process.
--NAMEAFTER: The --NAMEAFTER option, moves the fullpath name of the file from the first field, to the last field. Thus allowing for a pseudo variable length record. If the -V option is also used, then a true variable length record is achieved.
--MATCH: The --MATCH option to match hashes against a reference file is not implemented in this program. However, it is implemented in the MD5 version. See the options section.
The following options relating to Alternate Data Stream processes are only available to process files residing on NTFS file systems. If you need an explanation why, you probably shouldn't be reading this.
WARNING WARNING WARNING Will Robinson
Be aware that if you use the --ADDADS option to create the hash stream and then use the --ADS_COMP option to verify the current hash, there may be a glitch in your process if:
After you create the initial alternate data stream, you or someone in some way uses a program (maybe an editor or viewer) which creates a temporary copy and, when closing, renames the temporary copy to the original name. This probably only occurs if the program actually edited or changed the content of the file you are examining.
If you think about what just happened, a new file (without the ADS signature) was created and then renamed to the original. Thus, this newly renamed file will NOT have that original (or any other) alternate data streams that were attached to the original filename.
In my limited testing so far, this has only happened with one editor. But be aware of the possibility.
--ADDADS[=P]: (6/1/2019) The --ADDADS option adds an alternate data stream (with a fixed name of: :ads_hash.txt) to whichever file is being hashed. The contents of the added data stream are (on separate lines): the comment of the -C option (if -C is used), the original filename, file size, hash value, and the three MAC dates/times. If the --zulu option is added, then the MAC times in the ADS are converted and identified appropriately. Each time the --ADDADS option is used, the alternate data stream is added to, so hashes and dates/times can be seen in the timeline. See below, two runs of the same file.
Actual added ADS file after performing the option twice. The 2nd time the --zulu option was added, and so the MAC times are converted to GMT:
C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER: DMLAPTOP
Current Time|2019-08-30|19:25:03|GMT|
NAME: D:\WORK\UNICODE\HASH_U\Release\hash.htm
Size: 60383
HASH: 8E7556E01E893408B9DCB0F14FEFBEDB
Modified: 2019/08/11 15:14:57
Accessed: 2019/08/30 15:10:37
Created: 2019/08/11 06:56:42
-----------
C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER: DMLAPTOP
Current Time|2020-01-26|21:27:22|GMT|
NAME: D:\WORK\UNICODE\HASH_U\Release\hash.htm
Size: 60383
HASH: 8E7556E01E893408B9DCB0F14FEFBEDB
SHA512: 46806FC6C6B11319C67808A886AE82FD... shortened here for display
Modified: 2019/08/11 19:14:57 GMT
Accessed: 2019/09/18 19:59:54 GMT
Created: 2019/08/11 10:56:42 GMT
-----------
This option automatically installs the -R (date Reset) option, and will reset all three filetimes of the original file as best as possible. If the =P is added to the option
Y:\TMP\junk\hash.exe|208584|FCD5C782BF703A2718BB51375888A16F|2011/02/10M|12:34:33M|2011/02/04A|06:37:42A|2011/02/04C|06:37:42C
--ADS_COMP: This option is used after a run has been made using the --ADDADS option, which creates an Alternate Data Stream filename:ads_hash.txt containing information about the parent file. The ads_hash.txt stream contains, among other things, the MD5 HASH of the original file. At a later time, to verify that the original file was not altered, run the program and add this --ADS_COMP option. This will hash the parent file, and read the ads_hash.txt alternate data stream associated with the parent. It will find the MD5 HASH line in the stream and see if the original MD5 and the current MD5 are identical. It will show its output on the screen or place the result in the output file (if -O is used). Command line: hash -f parent.xxx --ADS_COMP
Because this option is designed to check and validate the ADS's added which contain the original MD5 and SHA values, it is strongly suggested that you also use the --ADSONLY option. This way, those files WITHOUT the appropriate hash ADS will not be processed and thus not be included as superfluous files.
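Added example, not code from hash.exe: the comparison that --ADS_COMP is described as performing, written in Python against a constructed ads_hash.txt stream in the layout shown under --ADDADS. It assumes the stream is opened as file:ads_hash.txt on NTFS, that the most recent HASH: line is the one to compare, and that a missing stream (the editor-rename case warned about above) is reported rather than treated as a match; the sample stream and parent content are constructed.

```python
import hashlib
import re

ADS_NAME = "ads_hash.txt"   # fixed stream name written by --ADDADS (from this page)
HASH_LINE = re.compile(r"^HASH:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)

# Constructed stand-in for an ads_hash.txt stream after one --ADDADS run, in the
# layout shown on this page. The parent content is the constructed bytes b"hello world".
SAMPLE_ADS = """C:DRIVE_VOLUME_NAME: OSDisk
COMPUTER: EXAMPLE-PC
Current Time|2019-08-30|19:25:03|GMT|
NAME: D:\\WORK\\sample.txt
Size: 11
HASH: 5EB63BBBE01EEED093CB22BB8F5ACDC3
Modified: 2019/08/11 15:14:57
-----------
"""

def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()

def recorded_hashes(ads_text):
    """Every MD5 recorded in the stream, oldest first (one HASH: line per --ADDADS run)."""
    return [m.group(1).upper() for m in HASH_LINE.finditer(ads_text)]

def ads_compare(parent_bytes, ads_text):
    """The check --ADS_COMP performs: current MD5 of the parent vs the stored MD5.
    Returns NO_ADS (stream missing, e.g. an editor rewrote and renamed the file),
    NO_HASH_LINE, MATCH or MISMATCH."""
    if ads_text is None:
        return "NO_ADS"
    stored = recorded_hashes(ads_text)
    if not stored:
        return "NO_HASH_LINE"
    return "MATCH" if md5_hex(parent_bytes) == stored[-1] else "MISMATCH"

def read_ads(path):
    """On NTFS the stream is opened as 'file:stream'; if absent (or not NTFS) return None."""
    try:
        with open(f"{path}:{ADS_NAME}", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def ads_comp_file(path):
    """hash -f parent --ADS_COMP in miniature: read the parent and its stream, then compare."""
    with open(path, "rb") as f:
        return ads_compare(f.read(), read_ads(path))
```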
--ADSONLY: (6/1/2019) The --ADSONLY option is used to show and hash ONLY those files which contain an Alternate Data Stream. This option is also available in the diskcat.exe program.
Use it with caution when adding it along with the --ADDADS option, as the two may conflict with each other and should be considered mutually exclusive.
If you are using the 32 bit version in a DOS box, the time zone is properly displayed at the end of the record.
C:\WORK\PUBLISH\HASH.DOC
AC38FF51EAAF04739B0F7FCCB7001762 4697 03/31/1995 12:12:28w EST
This is provided your OS has been properly set up to the correct time zone. This is accomplished in the control panel under the date/time icon.
However, if you are using the 16 bit version either from a DOS boot, or in a DOS box, you must set a TZ environment variable to tell the program the proper time zone. Otherwise it will always respond with a time zone of PST. To set the TZ variable use something like:
SET TZ=EST4EDT
Or whatever time zone is applicable. If you don't know what an environment variable is, or don't know how to set it, you will have to do your own research.
c:>hash c:\ -o a:c_drive
Do hash of files for entire C: drive.
c:>hash c:\work
Do all files in path C:\work with recursion.
c:>hash c:\work -r -S
do C:\work path without recursion (-r), DO NOT process Alternate Data Streams (-S), default without -S ADS's are hashed.
c:>hash c:\work\*.c
do C:\work path for all *.c files (add -r for no recursion)
c:>hash c:\work -n
do C:\work printing only filename. Similar to a simple name listing of files. DOES NOT INCLUDE ANY PATHS.
c:>hash c:\work -t0
do C:\work and include hash and size, no dates included.
c:>hash c:\work -w 30
do C:\work limit printing of filename/path to 30 characters.
c:>hash *.c -c
add the CRC32 to the output including the MD5 of all *.c files
c:>hash -p . -f *.* -v -o outputfile -w 300 -1 logfilename -AT3 -d "|" --milli --GMT
This is the most verbose of all the commands
-p .            start at current location
-f *.*          hash all the files
-v              do NOT place headers/footers in output. This makes it clean for the next process
-o outputfile   name of the output file
-w 300          make the output path length a fixed 300 characters. Usually large enough for most trees.
-1 logfilename  the name of the file containing the log/accounting info.
-AT3            create the hash value, and include all three file times in YYYY/MM/DD order.
--milli         add milliseconds to any time value
--GMT           show time in GMT time.
-d "|"          make the output pipe delimited for future processing.
By default the HASH program produces an excellent fixed length output record of the entire file listing (catalog) of a disk drive. This is useful for cataloging files on drives. Delimiters can be inserted (-d option) between the fields of the output record so importation into wannabe databases can be achieved.
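Added example, not from the program: parsing the pipe-delimited record layout shown earlier on this page (path|size|MD5|three MAC date/time pairs tagged M/A/C) and comparing a baseline run against a later run, the kind of check an initial evidence hash catalog is kept for. The two catalogs and their hash values are constructed; paths are assumed to be case-insensitive Windows paths.

```python
FIELDS = ("path", "size", "md5",
          "date_m", "time_m", "date_a", "time_a", "date_c", "time_c")

# Constructed baseline and later run in the delimited layout of the sample record
# on this page. Hash values are made up for the example.
BASELINE = """Y:\\TMP\\junk\\hash.exe|208584|FCD5C782BF703A2718BB51375888A16F|2011/02/10M|12:34:33M|2011/02/04A|06:37:42A|2011/02/04C|06:37:42C
Y:\\TMP\\junk\\notes.txt|120|00000000000000000000000000000001|2011/02/10M|12:40:00M|2011/02/10A|12:40:00A|2011/02/10C|12:40:00C
Y:\\TMP\\junk\\old.log|5|00000000000000000000000000000002|2011/02/01M|01:00:00M|2011/02/01A|01:00:00A|2011/02/01C|01:00:00C
"""
LATER = """Y:\\TMP\\junk\\hash.exe|208584|FCD5C782BF703A2718BB51375888A16F|2011/02/10M|12:34:33M|2011/03/01A|09:00:00A|2011/02/04C|06:37:42C
Y:\\TMP\\junk\\NOTES.TXT|121|00000000000000000000000000000003|2011/03/01M|09:05:00M|2011/03/01A|09:05:00A|2011/02/10C|12:40:00C
Y:\\TMP\\junk\\new.dat|7|00000000000000000000000000000004|2011/03/01M|09:10:00M|2011/03/01A|09:10:00A|2011/03/01C|09:10:00C
"""

def parse_record(line):
    """One delimited output record -> dict. The trailing M/A/C tag on each date and
    time field says which MAC time it is; strip it so values can be compared."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["size"] = int(rec["size"])
    for key in FIELDS[3:]:
        rec[key] = rec[key].rstrip("MAC")
    rec["md5"] = rec["md5"].upper()
    return rec

def load_catalog(text):
    """Key by lower-cased path: Windows paths are case-insensitive, and a later run
    may print a different case than the baseline did."""
    return {r["path"].lower(): r
            for r in (parse_record(l) for l in text.splitlines() if l.strip())}

def compare_catalogs(baseline, later):
    """Evidence-integrity view of two runs: what changed, vanished, or appeared.
    Access-time changes alone are not reported; only content (MD5) differences are."""
    common = baseline.keys() & later.keys()
    return {
        "changed": sorted(p for p in common if baseline[p]["md5"] != later[p]["md5"]),
        "missing": sorted(baseline.keys() - later.keys()),
        "added": sorted(later.keys() - baseline.keys()),
    }
```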
Hash can calculate the hash value for a single file, for files in an entire directory, files in an entire path, or files on an entire logical drive, or drives. Specific file types can be excluded from the calculation with the -X filetypes.* ... option.
The calculation of hash values of files has a number of different uses.
The hash of a file can be used as a verification of the state of a file at a certain time. Identical hash values mean the files are identical. Different hash values mean the files have differences. These similarities or differences have uses in forensic verification, virus detection, file authenticity and others. Some people use a hash library to see if a file is the same as its original shrink wrapped version.
UNC capable: sample command line and output
C:>hash -p \\OFFICE\Z\work\unicode\base -f b*.c
\\OFFICE\Z\work\unicode\base\OLD_C\BASE.C 312F6A19E9D24B13FFAF029597F0F817 57857 03/14/2018 14:17:13:154w EST A......
\\OFFICE\Z\work\unicode\base\OLD_C\Base2.c FE8D6A886343BEACED0E5A901E191F08 58543 03/14/2018 14:17:13:154w EST A......
\\OFFICE\Z\work\unicode\base\OLD_C\Base_u.c A81DAC449095D2EF030EEC483936858C 77439 04/28/2019 16:28:41:281w EST A......
CRCKIT Performs CRC 32 bit calculations.
DISKCAT Creates accurate catalog of files.
DISK_CRC Outdated: create crc of physical disk.
HASHCMP Compares values in two different hash runs.
MD5 Alternate output format of MD5 values.
hash_test.zip contains a batch file that demonstrates a number of ways to perform hash matches using a number of maresware software including: hashcmp, compare, disksort, total. They are all included in this zip file.
SHA2 Copyright:
The SHA2 code implemented in this program was modified from code written by:
AUTHOR:Aaron D. Gifford <me@aarongifford.com>
Copyright (c) 2000-2001, Aaron D. Gifford All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
I can also assist in developing the testing scripts which will help you validate your processes. We may even be able to point you to other locations which have already implemented successful processes.