One liner: Calculates the MD5 and SHA hashes of specified files. Similar to hash.exe, but with a different output format.
Virus aficionados read this:
Some (actually only one mainline) virus programs incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this misidentification is common.
If you are using a 64-bit version, be aware that many of the newer, more fine-tuned options may not be available.
Sample Maresware Batches: an executable with data that demonstrates various Maresware software. Download and run the appropriate _0X_MD5 batch for the md5 demo.
This program has been updated to work with long (>255) paths, and alternate data streams. Many similar programs fail with long paths. Test it for yourself.
NOTE: for the purposes of this help text, any reference to MD5 or HASH should also be considered to mean any of the SHA hashing algorithms, such as SHA1, SHA256, SHA384 and SHA512, unless specifically noted otherwise.
The MD5 program is designed to be used for forensic purposes to verify file integrity, and calculate hash values.
The MD5 program is very similar to the HASH program. It can perform the same calculations as the HASH program but provides a slightly different output format.
The MD5 program is designed to calculate the MD5 (128 bit) hash and SHA values of a file. It uses the MD5 algorithm as described by R. Rivest in an article published in 1992. The article is available on the internet by searching the Web on MD5.
It is suggested that you check the registry for the "last access date update" key. A simple quick run of the program will display a message if last access updating is on, like: Last Access Date UPDATE is: turned ON. You may wish to adjust the registry setting depending on your situation. If it is your own machine, you might want to reset the registry last access key. If it is the source of evidence, you may want to use the -R (reset date) option to make sure the original access date of the file(s) is not altered. You don't want to have to explain why your program altered evidentiary dates. Do you?
MD5 will display a message at the end of the run which indicates whether the last access date update of the OS is turned on or off. It is this author's opinion that forensic processes (or programs) that are used in forensic environments should not in any way alter evidence. By allowing the operating system to alter file dates, you may be leaving yourself, or your software, open to evidentiary/alteration challenges. For this reason, and because the MD5 program is one which would normally open and process a file, the -R option (in most cases) will attempt to reset the last access date/time to its original value after the file has been processed. The ini file line RESET=ON may also be used to tell the program to attempt a time reset.
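What the -R / RESET=ON behaviour amounts to, as an added example (not the MD5 program's own code): record the file's times, hash it in one pass with MD5 first and any requested SHA after it, then attempt to restore the last access time and report whether that worked. The function name and the returned field names are hypothetical.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # read size per pass through the file


def hash_preserving_atime(path, extra=("sha1",)):
    """Hash a file, then try to put its last access time back.

    Returns a dict holding the digests (MD5 first, as in the program's
    output record), the access time before and after, and reset_ok.
    """
    before = os.stat(path)  # capture the times BEFORE the file is opened
    hashers = {"MD5": hashlib.md5()}
    for name in extra:
        hashers[name.upper()] = hashlib.new(name)

    # One read of the file feeds every requested algorithm.
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    result = {name: h.hexdigest().upper() for name, h in hashers.items()}

    try:
        # Restore the access time; the modification time is passed back
        # unchanged. On POSIX systems this call itself updates the inode
        # change time (ctime), so the reset is not invisible.
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
        reset_ok = True
    except OSError:
        # Read-only media or insufficient rights: the reset cannot be done.
        reset_ok = False

    after = os.stat(path)
    result.update(
        atime_before_ns=before.st_atime_ns,
        atime_after_ns=after.st_atime_ns,
        reset_ok=reset_ok and after.st_atime_ns == before.st_atime_ns,
    )
    return result


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, hash_preserving_atime(target, extra=("sha1", "sha256")))
```

Checking reset_ok in the returned record, rather than assuming the reset happened, gives a documented answer when the question of altered dates comes up.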
The options --ONLYMD5, --ONLY_MD5 and --MD5_ONLY (choose one; same as --AHASH) are designed to produce in the output file ONLY the MD5 values. This output file format is designed to be used with forensic analysis programs requiring ONLY a single field (the MD5 value) when they are importing a reference hash set. As of 20200519, testing of some of the more popularly suggested programs that produce "text" md5 values for import into various forensic software reveals that some or all of those "recommended" fall short of producing complete lists.
The following is a quote from an article found online. “The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.”
What this means is that no two files will ever produce the same “fingerprint” unless they are identical. There are collisions possible, but only with severe intent and computing power. I have tested the NSRL data set of well over 100 million records, and found no collisions.
Although by today's standards the MD5 algorithm is not as strong as the SHA values, the MD5 is still used for verification by many programs. Let's face it. It would take a significant amount of work and computing power to intentionally beat an MD5.
CERT at Carnegie Mellon University uses an MD5 signature to validate sensitive data sent out over the Internet. When information is distributed with the MD5 signature value, the MD5 program can be used to validate the integrity of the data.
MD5 can be used to produce an MD5 hash of a file. The output produced is identical to that produced by the UNIX version of the MD5 and md5sum programs available at many internet sites.
This program (MD5) can also be used to find matches or mismatches of MD5's supplied by the user in a sorted file of MD5's. This type of match can most efficiently be used when matching the NSRL MD5's, or a reference set of MD5's that the user has generated. Many current anti-virus programs are now using the SHA values. So as of March 2018, the --MATCH option has been updated to incorporate matching on any of the SHA values the user has available. (see the --MATCH option in the options section.)
Regardless of which additional SHA value is requested to be calculated, the MD5 is "ALWAYS" calculated and provided as the first hash value in the output record.
Command used (notice only the -s option, for SHA1 (SHA160), is provided): md5 -s
NAME MD5 SHA1
filename.ext 6E94A1FCAE53CDD6701B81801ECFE16A 5362D9C7A12534B0419DB506FD12AF4E414EA48C
SHA-1: also referenced by SHA160 for this program.
The current version of MD5 also implements the NIST recognized SHA-1, 160BIT (Secure Hash Algorithm). Use of the -s option will produce the SHA1 calculation in addition to the MD5. When referencing the SHA160 in the --MATCH option use the keyword: --MATCH160=filename
More information on the SHA algorithm and certification can be found at http://csrc.ncsl.nist.gov/cryptval and http://csrc.nist.gov/cryptval/140-1/1401labs.htm
The use of the upper case -B (Both) option will produce both the MD5 and SHA of a file. It is a time consuming option. For a single file, you might also try the sha_verify program found in the FTP site at dmares.com. Login as anonymous and look in the NT_32 directory.
SHA-2:
The SHA2 versions of the Secure Hash Algorithm have also been implemented. There are three versions of the SHA2: 256, 384 and 512 bit. These are implemented as the following command line options: -256, -384, and -512. When using these options, the -s option may also be used, to get a full range of SHA values. A little bit of overkill. And an awfully long output line.
SHA2 Copyright:
The SHA2 code implemented in this program was modified from code written by:
AUTHOR: Aaron D. Gifford <me@aarongifford.com>
Copyright (c) 2000-2001, Aaron D. Gifford All rights reserved.
Redistribution and use in source and binary forms, with or without modification are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Program default is to perform MD5 calculation on all the files in the current directory. It produces a fixed length output of the filename, MD5 and filesize. No delimiters are used by default. Just a fixed record length, space delimited.
OPTIONS.obj F057CBF3F765F30B0CA8C3DFBBFC8BA0 12345
When the user supplies a filename(s) on the command line, the MD5 program calculates the hash value and prints it on the screen. The output is simple and can be redirected (>outputfile). However, the -o outputfilename option is preferred.
command line: C:> md5 options.obj
output: OPTIONS.obj F057CBF3F765F30B0CA8C3DFBBFC8BA0 12345
Default output ONLY includes the hash output. If no recursion (default operation) is chosen then only the current directory is searched for the file and only the filename is provided. If recursion (-r option) is chosen, then the entire (truncated) path is provided along with the calculated value(s). To obtain wider more inclusive paths, use the -w xx or -V option.
output, path/filename, MD5, filesize (no dates are displayed in the default):
command line: C:> md5 -r options.obj
c:\folder\OPTIONS.obj F057CBF3F765F30B0CA8C3DFBBFC8BA0 12345
If any options are used that would request the inclusion of file times (all three (cwa) can be selected -tc, -tw, -ta -t3), then the output is substantially increased to include file size, and times. These outputs can grow depending on the length of the output filename path field.
command line: C:> md5 options.obj -tw
output: access_date.obj 0C288A5BF6CE265FA1619936D1F2E2D2 20677 03/30/2018 14:48:37w EST
During June 2020, (when DST is in effect) I was playing with file dates that were both referencing January 01, 2020, and June 01, 2020. Obviously these two dates were in different GMT offset time settings, one was Eastern 4 hours, the other 5 hours off GMT. One was Daylight Saving Time, and the other was Standard time. A command prompt of DIR on the January 01, 2020 file showed a time of 08:34:
01/01/2020 08:34 AM 0 ZERO_BYTE.TXT
Notice the time referenced 08:34 AM. However, when I looked at the time using Windows Explorer the time was displayed as: 07:34 AM. An hour difference. Mr Watson, something was amiss. I realized that because I was operating during June which was a different GMT offset than January (4 as opposed to 5 in January), the DIR command wasn't properly compensating for the 1 hour difference between DST and Standard times. The current (older version of md5) was not adjusting for the time difference either, just as DIR wasn't adjusting. So, I made a modification (fixed the operational challenge) in MD5 to properly adjust for the one hour GMT offset difference. Now (as of 6-6-2023) the version of MD5 properly displays the local times. If you use the --GMT or --zulu options, the GMT time has always been displayed properly. And as a seasoned forensicator (that's you, I think), you probably should always use GMT times, for consistency.
On Oct. 15, 2021 I added two modifications. I'm calling them the Al Johnson modifications because they were added during discussions with Al Johnson, ex-fed, not fed-ex. The options are the --ONLYMD5 and -V combination. This combination does a number of things. But I want you to read about them below. Otherwise it would spoil the surprise. See the options below.
This program is INI file compatible.
Most options should be preceded by a (-) minus sign. Some can be grouped together, and others where specified MUST be grouped without a space. The options are grouped where appropriate.
Some options are mutually exclusive of each other. It is suggested that the user test each option group before actually running in a production mode.
Cliff Notes Option reference
-p + path(s): path(s) to search, -p c:\windows f:\evidence
-f + filespec: files to search, -f *.jpg *.md4 *.gif
-x + filespec: e(x)clude these file types, -x *.exe *.dll
-r: recurse the tree (default NO recurse)
--recurse: recurse the tree. (default NO recurse)
-oO + output_filename: (upper case == append -a), -o c:\cases\MD5_values.txt
--margin=xx: Add xx spaces to beginning of line for easier read.
-a: append to output filename
-d "delimiter": use "delimiter" between output fields, pipe delimiter, -d "|"
-w #: use # as max width of output filename field, -w 160
-V: 'V'ariable filename width in output. -V
--nameafter: Place filename at end of output record. ABCD1234 filename.txt
-1 + log_filename: create logfile, -1 c:\cases\run_log.txt
-P, -P[=nn]: Pause after every 20 lines of screen output
-S: DO NOT process alternate data stream
--AONLY: ONLY MD5 is output.
--ONLYMD5: ONLY MD5 is output.
--ONLY_MD5: ONLY MD5 is output.
--MD5_ONLY: ONLY MD5 is output.
--MD5ONLY: ONLY MD5 is output.
--ONLYMD5 -V: (combination) Make the MD5 output a variable length output with the path.
-B: include both MD5 and SHA (160) of a file.
-s: include 160 bit SHA in output. MD5 is ALWAYS produced.
-256: include 256 bit SHA2 calculation.
-384: include 384 bit SHA2 calculation.
-512: include 512 bit SHA2 calculation.
-c: include 32 bit CRC calculation for you old timers.
-g + #: files greater than # days old. -g 100 (days)
--older=#: files greater than # days old. --older 100
-g + mm-dd-yyyy[acw]: files before this date, -g 10-30-2012
-l + #: files less than # days old (ell, not one), -l 100 (days)
--newer=#: files less than # days old, --newer=100
-l + mm-dd-yyyy[acw]: files newer than this date, -l 10-30-2012
-t[acw3]: show this/these times. Access, Create, M(w)modify, all 3, -ta 10-20-2019
-T[acw3]: show this/these times. Access, Create, M(w)modify, all 3, -Ta 2019-10-30
-z: Display time in ‘Z’ULU GMT, 10-30-2012 GMT
-R: Reset (access) file times to original
--reset: Reset (access) file times. May or may not work, depending on the OS being used.
-L + #: files less than this size -L 10000 (bytes)
--lessthan=#: files less than this size --lessthan=10000
--smaller=#: files less than this size --smaller=10000
-G + #: files greater than this size -G 10000 (bytes)
--bigger=#: files greater than this size --bigger=10000
--greater=#: files greater than this size --greater=100000
-v: NO VERBOSE. Silent run. show only data output. no admin stuff
-U: NO 'U'pper case. MD5 values shown as lower case (a1b2c3d4)
-D xx,mm: Start processing file at byte xx (from 1), this many bytes -D 1,512
War and Peace Option reference
items displayed within [SQUARE BRACKETS] are ini file settings. ie: [RECURSE=ON|OFF], would look like: RECURSE=ON in the ini file.
Some options are mutually exclusive. So test first, last, and always.
-p + path(s): If more than one directory is needed to be looked at, then add the paths here as appropriate. (md5 -p c:\windows d:\work) [PATH]=path
-f + filespec: If more than one file type is needed, add them here. (md5 -f *.c *.obj *.dll) [FILES]=filetype
If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:> md5 c:\work\*.c -f *.dll -p d:\windows)
-x+filespec: e(x)clude these file types from listing. (same format as -f option) (md5 -x thesefiles.txt) [EXCLUDE]=filetype
-oO + filename: Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to. (md5 -o overwritten_output.txt) (md5 -O appended_output.txt) [OUTPUT]=filename
-oO + [OUTPUTNAME]YY[YYMMDDhhmmss][=:][OUTPUTNAME][Gg]:
This format allows the output file to be easily identified as to when it was created. The addition of the YY.... format causes the output file to be named with the current date/time based on the mask used, and a .txt extension is added unless the user includes an extension in the mask name. If this format is used, the -a append option is automatic and the -v no verbose is also automatic.
This option has a number of variations. Read and test profusely. You do know how to do that, don't you.
The basic idea is to create an output filename with the date and time (depending on which YYYYMM.. etc) the program was run. The user can also add a textual filename either preceding or after the generated date-time output name. The format for this output filename creation is convoluted.
If you use (include) the preceding [NAME] text then the name provided is "prepended" to the date string created. (see below for the trailing filename format). With specific additions of an actual NAME the output name can be modified to have a leading textual name.
If the trailing "filename format" (not recommended without extreme testing) is included as part of the output name, you must use either the "=" or ":" delimiter in the trailing mask or else it is ignored.
The minimum is that the YY be the first item.
Then you can add additional modifiers to refine the output name. This option is especially helpful when you are creating the catalogs with batch scripts run periodically. Then depending on the mask used, the output filename will reference the date and time of the run. The modifiers are case dependent, and add the following:
-a: append output to filename provided in -o option. Serves same purpose as using an upper case O. (md5 -a appended_output.txt) [APPEND]=[ON|OFF]
-1 + log_filename: (that's a one, not ell) The filename here is a file which will contain accounting/log information about the run. It is always appended to, and contains the command line, and statistics about how many files and time of run. The file can later be used as a batch file for duplicating the runs. The ACCT environment variable can also be set. (SET ACCT=logfilename). Or use the .INI option [ACCT=filename] The order of priority is: Environment, INI file, Command Line option. To explicitly turn off use a +1. (md5 -1 logfilename.txt)
-R: (upper case R). Reset last access date filetime to original. (md5 -R)
--reset Reset file times. May or may not work, depending on the OS being used.
-r: (lower case r), recurse thru the file system. Default is NOT recurse.
--recurse: recurse the directory tree. MD5 default is to NOT recurse. (md5 c:\tmp -r)
-S: (upper case S) If the file system is NTFS, this option causes Alternate Data Stream files to NOT be processed also. The default is to process ADS files where possible.
-w #: Change the default width of the filename from 38 to whatever value you wish. If you have long filenames, or use the -r recurse option which obviously will increase path size, this may be necessary to accommodate the entire name. If a filename longer than 38 is used, the output tends to be more than one line long. Note: If the special sequence (-w 1, that's a one not ell(L)) is used then the output becomes a variable length record with only 1 space between the filename and the hash value. (md5 -o output -w 150) increases filename width to a fixed 150 characters. Alternative is -V (variable). [WIDTH]=50
-V: 'V'ariable name output. Make output line name a variable length. Obviously this is best used with the output option. Because the output line is now variable length, it defaults to inserting a pipe (|) delimiter between fields. (md5 -V -o output.txt)
c:\path1\path2\etc\samplemd5.txt| FF3D051CC3D562959C41C411137FCA15| 204|
--nameafter: Place the filename at the end of the record. This still truncates the name field, unless the -w xx option is also included. (md5 --nameafter)
2CCD06394CA3394286BFEBCC0A73F634 1040 D:\...\md5\Release\sample512
--AONLY:
--ONLYMD5, --ONLY_MD5, --MD5ONLY, --MD5_ONLY: choose only one version.
(That's minus minus, --) Display/Output ONLY the MD5 on each line.
This output format (one MD5 per line) may be needed when you wish to import the MD5 values to a forensic software package requiring a single item per record. Since this is one of those mutually exclusive options, only an output option -o will work with it, otherwise output goes to the screen: DAH!
Like: (md5 --ONLYMD5 -o MD5_values.out)
D706EAF7269177D4C005DBC5F9783E86
BED64C89F28EED55BBA32D6894CEE55D
2C0E695071AA87AA0EBD34C6750E1968
B061D7EE4D9D74909124D061BBD6C909
9104799A5142FAC46D227734AC6B5296
SPECIAL Al Johnson combo: no, it's not a special at the local diner.
--ONLYMD5 -V: This combination causes the MD5 output record to be reformed to the following syntax:
MD5-HASH | filesize | fullpath_filename
C15DE4C7BD8BC9E2065C95530C8E055D| 12889|\\?\D:\WORK\UNICODE\md5\Release\D1\CYRILLIC_NAMES\Cyrillic.7z|
Use this option combo (with appropriate other options) to generate a variable length record with the hash as the first item on the line. Then you can run the output thru the hashcmpV program to compare outputs of two of these md5 runs.
Hash calculation options: (-s -B -c -256 -384 -512 ) Default is the MD5 128 bit calculation is ALWAYS done.
-s: produce the 160 bit SHA output. MD5 is ALWAYS produced.
-B: produce the MD5 and SHA (160) of a file. Same output as the -s option.
-256: produce the 256 bit SHA2 calculation. (see note below)
-384: produce the 384 bit SHA2 calculation. (see note below)
-512: produce the 512 bit SHA2 calculation. (see note below)
-c: produce a 32 bit CRC output in addition to the 128 bit MD5 hash. However, the CRC of ADS is not done, and no --MATCHxxx capability is available for CRC's. CRC's are antiquated. (see note below)
-[tT][acw3]: Show the file time as last ‘a’ccessed, last ‘w’ritten, ‘c’reated, or show all ‘3’. No spaces between the -t and the modifier. ( -tc or -t3 ) Default is the ‘w’rite, which is identical to what DIR or Explorer displays. [TIME]=[A|C|W|3], [ALLTIMES]=[ON|OFF]. If the 't' is uppercase 'T' the file dates are printed in YYYYMMDD format for easier sorting. HH:MM:SS are always included. Often used in conjunction with the -l (lower case ell) and -g options to bracket file times.
-z: Display time in ‘Z’ULU GMT format calculated from current computer offset. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. (-z) [ZULU]=[ON|OFF]
-g + #: -g 150 (days)
--older=#: Where the # is replaced by a number indicating: list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. If the --greater=# is used, the equal (=) sign is mandatory format. (md5 -g 100), greater than 100 days old: [OLDER]=50
-l + #: -l 150 (days), that's an ell, not a one
--newer=#: Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get today's files, use (md5 -l 10) [NEWER]=10
-g + mm-dd-yyyy[acw]: Process only those files (g)reater (older) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnight on the date given for the -g option of mm-dd-yyyy. For this reason, the day provided is NOT included in the calculation. I.e. if you entered -g 01-01-2006 you would only process dates PRIOR to 1/1/2006. This means all of 2005 and before. See below for the [acw] meanings.
-l + mm-dd-yyyy[acw]: (that's an ell, not a one). Process only those files (l)ess than (newer than) this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnight on the date given for the -l option of mm-dd-yyyy. For this reason, the day provided IS included in the calculation. I.e. if you entered -l 01-01-2006 you would process all of 2006 to the current date.
If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.
You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'. ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.
If you added more letters, to the date, ie: -g 10-10-2005cw you would get all files with EITHER an access or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd. So any date meeting the criteria will cause it to be selected for processing.
The use of all three, -g 10-10-2005acw, allows the program to simultaneously check and evaluate all three dates.
Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.
-L + #: -L 2000
--lessthan=#:
--smaller=#: Where the # is replaced by a number indicating, list all files less than # bytes in size. (md5 -L 100000) [LESSTHAN]=100000
-G + #: -G 2000
--bigger=#:
--greater=#: Where the # is replaced by a number indicating, list all files greater/bigger than # bytes in size. You can use a -GL pair to bracket file sizes. (md5 -G 10000 -L 100000), greater than 10K, less than 100K bytes. No commas please. [GREATER]=10000
-P: Pause after every 20 lines is default. Adjust number of lines using (=nn), (ie: -P=45). ini format: PAUSE=[ON|OFF|nn]
--pause[=nn]: Pause every 20 lines default, or adjust to nn lines for larger screens, --pause=65.
-d "delimiter": replace "delimiter" with a delimiter (typically a pipe '|') within double quotes with which to delimit fields. If the delimiter is not printable, use its decimal ascii value but don't place it in quotes. (-d "|"). The delimiter is used and highly recommended if you are going to import the output file into a spreadsheet. I know of no spreadsheet or data base program that fails to handle the pipe delimiter correctly. While .csv is often misunderstood by spreadsheets. [DELIMETER]=|
-v: Silent run. NO VERBOSE. Do not print normal column headings above numbers. This provides cleaner screen output for redirection to a file. This can also be accomplished by setting an environment variable called silent to ON. (set SILENT=ON). The SILENT environment variable is used by crckit also.
-U: NO 'U'pper case. This converts all the hex values in the md5 field to lower case values. Thus ABCDEF would be abcdef.
-D xx: This is the standard default format of the -D option. It will start processing the file xx bytes from the beginning. The xx offset is counted from 1. It then processes the rest of the file. If you need to process only a portion of the file, use the modified version of the -D option. (see next option).
-D xx[,XX[oc]]: supersedes the basic -D option. This option takes a lot of practice.
Use this option to process only a part of a file. This option will start processing the file at the xx byte of the file, and process this many bytes of the file, or, with the proper modifier (c), process to the xx byte plus XX bytes. The xx value counts from byte 1, -D 1,xx (xx=process this many)
To use this modified xx,XX option, the format must have the comma (,) followed by another value, with an optional alpha modifier. The XX value defaults to the ending byte that should be processed to. The default modifier for this is letter o.
If you wish to have the program count for you, you can use the 'c' modifier which means "count" this many characters from the beginning value entered. The xx,XX format is required. The [co] modifiers are optional. Practice makes perfect.
A sample would be:
--MATCH[MD5|SHA|160|256|384|512][01]=filename_containing_values_to_match:
--MATCHMD5=filename
--MATCH256=filename256_values_etc.
Depending on the modifier used with --MATCH, that type of calculation will be used to match the values. SO, the program will match MD5 hashes, (SHA or 160), 256, 384, 512 will cause the appropriate calculation to be made and "hopefully" the matching file contains properly formatted values to match. Only one match type is allowed per run.
The =filenametomatch is always required. The (=) equal sign is part of the syntax. (This --MATCHxxx option has a number of permutations..)
The user provides the filename of the file that contains the hash/SHA values to compare against. The file MUST be of a fixed length record, one record per line,
32+CR/LF = 34 for MD5
40+CR/LF = 42 for SHA1/160
64+CR/LF = 66 for SHA256
96+CR/LF = 98 for SHA384
128+CR/LF = 130 for SHA512
it MUST be sorted, and it must be CR/LF delimited/terminated. NO BLANK LINES at end of file. If you can't supply this type of fixed length file, maybe you shouldn't be using this program.
In other words the file must contain ONLY fixed length values of the appropriate hash/SHA items. If it is NOT sorted, or not fixed length of the proper length for the MD5/SHA, the comparisons WILL fail. Versions after 3/12/2012 attempt to perform an internal sort check of this file to make sure it is properly sorted.
If the --MATCHxxx=filename option is used, all the file's information is printed, and the result (MATCH, NO_MATCH) is also displayed.
file1.ext 2ABC207F114B331B0A61B2CE31FBBBB8 NO_MATCH
file2.ext AFFFFA55CDAD77E07CAA5E1E61767950 MATCH
If the 0 is added to the keyword MATCHxxx0, as --MATCH2560=...., then the output will contain only those files whose hash DO NOT MATCH the MD5's in the reference file. An output file MUST be provided, output to the screen will not accomplish the proper results.
If the 1 is added to the keyword MATCH2561, as --MATCH2561=...., then the output will contain only those files whose hash DO MATCH the MD5's in the reference file. An output file MUST be provided, output to the screen will not accomplish the proper results.
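A check of the reference-file layout described above, as an added example (not part of the MD5 program or any Maresware code): it validates the fixed record length, CR/LF termination, sort order and the absence of a trailing blank line, then matches digests by binary search over the records. Plain ascending order of the uppercased hex is an assumption, since the text does not state the sort order, and all function names are hypothetical.

```python
import hashlib

# Hex digits per record for each --MATCHxxx keyword, taken from the record
# lengths in the text (each value is followed by CR/LF: 32 + 2 = 34 for MD5).
HEX_LEN = {"MD5": 32, "SHA": 40, "160": 40, "256": 64, "384": 96, "512": 128}
ALGO = {"MD5": "md5", "SHA": "sha1", "160": "sha1",
        "256": "sha256", "384": "sha384", "512": "sha512"}
HEX_BYTES = set(b"0123456789ABCDEFabcdef")


def build_reference(digests):
    """Lay digests out as the text requires: sorted, CR/LF ended, no blank lines."""
    unique = sorted({d.upper() for d in digests})
    return b"".join(d.encode("ascii") + b"\r\n" for d in unique)


def check_reference(data, kind):
    """Return a list of problems in a reference file (empty list means usable)."""
    width = HEX_LEN[kind]
    rec = width + 2
    if not data:
        return ["file is empty"]
    problems = []
    if data.endswith(b"\r\n\r\n"):
        problems.append("blank line at end of file")
    if len(data) % rec:
        problems.append(f"size {len(data)} is not a multiple of {rec} bytes")
        return problems  # record offsets would be meaningless past this point
    prev = None
    for i in range(len(data) // rec):
        value = data[i * rec:i * rec + width]
        if data[i * rec + width:(i + 1) * rec] != b"\r\n":
            problems.append(f"record {i + 1}: not CR/LF terminated")
        if not set(value) <= HEX_BYTES:
            problems.append(f"record {i + 1}: non-hex characters")
        key = value.upper()  # assumption: order is judged on uppercase hex
        if prev is not None and key < prev:
            problems.append(f"record {i + 1}: out of sort order")
        prev = key
    return problems


def lookup(data, kind, digest_hex):
    """Binary search the fixed-length records in place."""
    width = HEX_LEN[kind]
    rec = width + 2
    target = digest_hex.upper().encode("ascii")
    lo, hi = 0, len(data) // rec
    while lo < hi:
        mid = (lo + hi) // 2
        value = data[mid * rec:mid * rec + width].upper()
        if value == target:
            return True
        if value < target:
            lo = mid + 1
        else:
            hi = mid
    return False


def match_report(files, reference, kind):
    """Hash each (name, content) pair and label it MATCH or NO_MATCH."""
    problems = check_reference(reference, kind)
    if problems:
        raise ValueError("; ".join(problems))
    rows = []
    for name, content in files.items():
        digest = hashlib.new(ALGO[kind], content).hexdigest().upper()
        verdict = "MATCH" if lookup(reference, kind, digest) else "NO_MATCH"
        rows.append((name, digest, verdict))
    return rows


# Constructed sample data: three in-memory "files", two of them known.
SAMPLE_FILES = {"file1.ext": b"alpha", "file2.ext": b"bravo", "file3.ext": b"charlie"}
KNOWN_SHA256 = [hashlib.sha256(b).hexdigest() for b in (b"bravo", b"charlie", b"delta")]

if __name__ == "__main__":
    ref = build_reference(KNOWN_SHA256)
    for name, digest, verdict in match_report(SAMPLE_FILES, ref, "256"):
        print(name, digest, verdict)
```

Running the layout check before a match run matters because an unsorted or LF-only file does not raise an error in a binary search; it silently turns known files into NO_MATCH.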
--source=listfilename: Provide a list of files to hash in the file identified by the name: listfilename. One filename per line. The filename must contain the complete path of the file to hash. The program reads the text file one line at a time and processes that file. There should be a blank line at the end to indicate no more files to process.
Sample:
C:>md5
C:>md5 -p C:\top_level_path
C:>md5 filename(s)
C:>md5 -r
C:>md5 -256
C:>md5 -256 --MATCH256=fileof_sorted_hashes
Sample output. (if the -r option was used, the entire path would be shown )
OPTIONS.obj F057CBF3F765F30B0CA8C3DFBBFC8BA0
RECURSE.obj A16C61DD74DAE55241909D6B1604929A
FIXNAME.obj AB4C84E456F6293749AA5A4FA7EFF9A2
C:>md5 --MATCHMD5=reference_md5s -o outputfile
C:>md5 --MATCHMD51=reference_md5s -o matched_outputfile
C:>md5 --MATCHMD50=reference_md5s -o no_matched_outputfile
Sample output. (if the --MATCHxxx was used without the 0 or 1 modifier,)
OPTIONS.obj F057CBF3F765F30B0CA8C3DFBBFC8BA0 NO_MATCH
RECURSE.obj A16C61DD74DAE55241909D6B1604929A MATCH
FIXNAME.obj AB4C84E456F6293749AA5A4FA7EFF9A2 NO_MATCH
C:>md5 -256 -o junk
Sample output of -256 option. One space between MD5 and SHA value.
MD5 SHA
junk 94A2ED51F8B7255685B85BA2AE36140B D1A9E9E993A6EB1A45FB7A0DC250FE1C2131BD2B
Sample output with -tw option. The size of the output filename has been shortened for display purposes.
Program started Mon Dec 28 13:43:51 1998 GMT, 08:43 EST
MD5.exe *.exe -o junk -tw
MD5_32.EXE 6CE903B30B410F8A9E6BCF1F05A74864 130760 12/27/1998 16:19w EST
MD5.exe 142D15AE29D85406F8A23A843D0B0D73 130760 12/27/1998 16:19w EST
Processed 2 files, 261520 bytes: Elapsed: 0 hrs. 0 mins. 0 secs.