MD5

PURPOSE   OPERATION   ITS ABOUT TIME   OPTIONS   COMMAND LINES   RELATED PROGRAMS


Author: Dan Mares, dmares @ maresware . com
Portions Copyright © 1998-2023 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275
Last Update: 06-14-2024

THIS IS A COMMAND LINE PROGRAM

One liner: Calculates MD5 and SHA's of specified files. Similar to hash.exe but different output format

Virus aficionados read this:
Some (actually only one mainline) virus programs, incorrectly identify the exe as containing a virus. If this is the case, please check the exe with other reliable virus checkers, as this mis-identification is common.

If you are using a 64bit version, be aware that many of the newer more fine tuned options may not be available.

Sample Maresware Batches  an executable with data that demonstrates various Maresware software. Download and run the appropriate _0X_MD5 batch for md5 demo.


top

PURPOSE

This program has been updated to work with long (>255) paths, and alternate data streams. Many similar programs fail with long paths. Test it for yourself.

NOTE: for the purposes of this help text, any reference to MD5 or HASH should also be considered to mean any of the SHA hashing algorithms. Such as SHA1, SHA256, SHA384, SHA512. Unless specicially noted otherwise.

The MD5 program is designed to be used for forensic purposes to verify file integrity, and calculate hash values.

The MD5 program is very similar to the HASH program. It can perform the same calculations as the HASH program but provides a slightly different output format.

The MD5 program is designed to calculate the MD5 (128 bit) hash and SHA values of a file. It uses the MD5 algorithm as described by R. Rivest in an article published in 1992. The article is available on the internet by searching the Web on MD5.

It is suggested that you check the registry for "last access date update" key. A simple quick run of the program will display a message if the last access is on like. Last Access Date UPDATE is: turned ON. You may wish to adjust the registry setting depending on your situation. If it is your own machine, you might want to reset the registry last access key. If it is the source of evidence, you may want to use the -R (reset date) option to make sure the original access date of the file(s) is not altered. You don't want to have to explain why your program altered evidentiary dates. Do you?

MD5 will display a message at the end of the run which indicates whether the last access date update of the OS is either turned on or off. It is this authors opinion, that forensic processes (or programs) that are used in forensic environments, should not in any way alter evidence. By allowing the operating system to alter file dates, one may be leaving yourself, or your software open to evidentiary/alteration challenges. For this reason, the MD5 program is one which would normally open and process a file, the -R option (in most cases) will attempt to reset the last access date/time to its original after the file has been processed. The ini file line: RESET=ON may also be used to tell the program to attempt a time reset.

The option (choose one) --ONLYMD5, --ONLY_MD5, --MD5_ONLY, (same as --AHASH) which is designed to produce in the output file ONLY the MD5 values. This output file format is designed to be used with the forensic analysis programs requiring ONLY a single field (the MD5 value) when they are importing a reference hash set. as of 20200519 testing of some of the more popularly suggested programs that produce "text" md5 values for import into various forensic software, reveals that some or all of those "recommended" fall short of producing complete lists.

The following is a quote from an article found online. “The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest.”

What this means is that no two files will ever produce the same “fingerprint” unless they are identicle. There are collisions possible, but only with severe intent and computing power. I have tested the NSRL data set of well over 100 million records, and found no collisions.

Although by todays standards, the MD5 algorithm is not as strong as the SHA values, the MD5 is still used for verification by many programs. Less face it. It would take a significant amount of work and computing power to intentionally beat an MD5.

CERT at Carnegie Mellon University uses an MD5 signature to validate sensitive data sent out over the Internet. When information is distributed with the MD5 signature value, the MD5 program can be used to validate the integrity of the data.

MD5 can be used to produce an MD5 hash of a file. The output produced is identicle to that produced by the UNIX version of the MD5 and md5sum programs available at many internet sites.

This program (MD5) can also be used to find matches or mismatches of MD5's supplied by the user in a sorted file of MD5's. This type of match can most efficiently be used when matching the NSRL MD5's, or a reference set of MD5's that the user has generated. Many current anti-virus programs are now using the SHA values. So as of March 2018, the --MATCH option has been updated to incorporate matching on any of the SHA values the user has available. (see the --MATCH option in the options section.)

Regardless of which additional SHA value is requested to be calcuated, the MD5 is "ALWAYS" calculated and provided as the first hash value in the output record.

command used (notice only the -s for SHA1 (SHA160) option provide:
md5 -s
   NAME                MD5                            SHA1
filename.ext  6E94A1FCAE53CDD6701B81801ECFE16A  5362D9C7A12534B0419DB506FD12AF4E414EA48C

SHA-1: also referenced by SHA160 for this program.

The current version of MD5 also implements the NIST recognized SHA-1, 160BIT (Secure Hash Algorithm). Use of the -s option will produce the SHA1 calculation in addition to the MD5. When referencing the SHA160 in the --MATCH option use the keyword: --MATCH160=filename

More information in the SHA algorithm and certification can be found at http://csrc.ncsl.nist.gov/cryptval and http: //csrc.nist.gov/cryptval/140-1/1401labs.htm

The use of the upper case -B (Both) option will produce both the MD5 and SHA of a file. It is a time consuming option. For a single file, you might also try the sha_verify program found in the FTP site at dmares.com. Login as anonymous and look in the NT_32 directory.

SHA-2:

The SHA2 versions of the Secure Hash Algorithm have been also implemented. There are three versions of the SHA2. There are 256, 384 and 512 bit versions. These options are appropriately implemented as the following command line options: -256, -384, and -512. When using these options, the -s option may also be used, to get a full range of SHA values. A little bit of overkill. And an awfully long output line.

SHA2 Copyright:

The SHA2 code implemented in this program was modified from code written by:

AUTHOR: Aaron D. Gifford <me@aarongifford.com>
Copyright (c) 2000-2001, Aaron D. Gifford All rights reserved.

Redistribution and use in source and binary forms, with or without modification are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


top

OPERATION

Program default is to perform MD5 calculation on all the files in the current directory.

It produces a fixed length output of the filename, MD5 and filesize. No delimeters are used by default. Just fixed record length with space delimeted.
OPTIONS.obj     F057CBF3F765F30B0CA8C3DFBBFC8BA0     12345

The filename is truncated to approximagely 40 characters followed by the MD5 value. Thus making the output record a fixed length value. If additional hash calculations are needed then the appropriate options (-s, -256, -384, -512) are added, and those hash values are added to the output record line. With appropriate options (-r), recursion can occur, in addition to including any or all of the three file times -t[cwa]. Matching of suspect hash values can also be accomplished with the use of the --MATCH option. Many other output record modifications are available thru the use of appropriate options. Some of which are mutually exclusive and should be tested.

When the user supplies a filename(s) on the command line, the MD5 program calculates the hash value and prints it on the screen. The output is simple and can be redirected (>outputfile), However, the -o outputfilename option is preferred.

command line:  C:>   md5    options.obj
output:
OPTIONS.obj     F057CBF3F765F30B0CA8C3DFBBFC8BA0     12345 

Default output ONLY includes the hash output. If no recursion (default operation) is chosen then only the current directory is searched for the file and only the filename is provided. If recursion (-r option) is chosen, then the entire (truncated) path is provided along with the calculated value(s). To obtain wider more inclusive paths, use the -w xx or -V option.

output, path/filename,           MD5,           filesize, (no dates are displayed in the default):
command line:  C:>   md5 -r options.obj 
c:\folder\OPTIONS.obj     F057CBF3F765F30B0CA8C3DFBBFC8BA0     12345 

If any options are used that would request the inclusion of file times (all three (cwa) can be selected -tc, -tw, -ta -t3), then the output is substantially increased to include file size, and times. These outputs can grow depending on the length of the output filename path field.

command line:  C:>   md5   options.obj  -tw
output:
access_date.obj   0C288A5BF6CE265FA1619936D1F2E2D2   20677 03/30/2018 14:48:37w EST

During June 2020, (when DST is in effect) I was playing with file dates that were both referencing January 01, 2020, and June 01, 2020. Obviously these two dates were in different GMT offset time settings, one was Eastern 4 hours, the other 5 hours off GMT. One was Daylight Saving Time, and the other was Standard time. A command prompt of DIR on the January 01, 2020 file showed a time of 08:34:

     01/01/2020  08:34 AM          0 ZERO_BYTE.TXT
Notice the time referenced 08:34 AM. However, when I looked at the time using Windows Explorer the time was displayed as: 07:34 AM. An hour difference. Mr Watson, something was amiss. I realized that because I was operating during June which was a different GMT offset than January (4 as opposed to 5 in January), the DIR command wasn't properly compensating for the 1 hour difference between DST and Standard times. The current (older version of md5) was not adjusting for the time difference either, just as DIR wasn't adjusting. So, I made a modification (fixed the operational challenge) in MD5 to properly adjust for the one hour GMT offset difference. Now (as of 6-6-2023) the version of MD5 properly displays the local times. If you use the --GMT or --zulu options, the GMT time has always been displayed properly. And as a seasoned forensicator (thats you, I think), you probably should always use GMT times, for consistancy.

On Oct. 15, 2021 I added two modification, I'm calling them the Al Johnson modifications because they were added during discussions with Al Johnson, ex-fed. not fed-ex. The options are the --ONLYMD5 and -V combination. This combination does a number of things. But I want you to read about them below. Otherwise it would spoil the surprise. See the options below.


top

OPTIONS

This program is INI file compatable.

Most options should be preceded by a (-) minus sign. Some can be grouped together, and others where specified MUST be grouped without a space. The options are grouped where approriate.

Some options are mutually exclusive of each other. It is suggested that the user test each option group before actually running in a production mode.


Cliff Notes Option reference

-p + path(s):     path(s) to search,            -p c:\windows  f:\evidence
-f + filespec:    files to search,              -f *.jpg  *.md4  *.gif
-x + filespec:    e(x)clude these file types,   -x  *.exe *.dll 
-r:               recurse the tree (default NO recurse)
--recurse:        recurse the tree. (default NO recurse) 
-oO + output_filename: (upper case == append -a),  -o c:\cases\MD5_values.txt
--margin=xx:      Add xx spaces to beginning of line for easier read.

-a:               append to output filename
-d "delimeter":   use "delimeter" between output fields, pipe delimeter,   -d "|"
-w #:             use # as max width of output filename field,    -w  160
-V:               'V'ariable filename width in output.             -V
--nameafter:      Place filename at end of output record.  ABCD1234  filename.txt
-1 + log_filename:  create logfile,                   -1 c:\cases\run_log.txt
-P, -P[=nn]:      Pause after every 20 lines of screen output

-S:               DO NOT process alternate data stream
--AONLY:          ONLY MD5 is output.
--ONLYMD5:        ONLY MD5 is output.
--ONLY_MD5:       ONLY MD5 is output.
--MD5_ONLY:       ONLY MD5 is output.
--MD5ONLY:        ONLY MD5 is output.
--ONLYMD5 -V:     (combination) Make the MD5 output a variable length output with the path.
-B:               include both MD5 and SHA (160) of a file.
-s:               include 160 bit SHA in output. MD5 is ALWAYS produced.
-256:             include 256 bit SHA2 calculation. 
-384:             include 384 bit SHA2 calculation. 
-512:             include 512 bit SHA2 calculation.
-c:               include  32 bit CRC calculation for you old timers.

-g + #:           files greater than # days old.     -g      100    (days)
--older=#:        files greater than # days old.     --older 100
-g + mm-dd-yyyy[acw]: files before this date, -g 10-30-2012
-l + #:           files less than # days old (ell, not one),  -l 100  (days)
--newer=#:        files less than # days old,                 --newer=100
-l + mm-dd-yyyy[acw]:  files newer than this date,     -l 10-30-2012
-t[acw3]:         show this/these times. Access, Create, M(w)modify, all 3, -ta 10-20-2019
-T[acw3]:         show this/these times. Access, Create, M(w)modify, all 3, -Ta 2019-10-30
-z:               Display time in ‘Z’ULU GMT,  10-30-2012 GMT 
-R:               Reset (access) file times to original 
--reset           Reset (access) file times. May or may not work, depending on the OS being used.

-L + #:           files less than this size      -L 10000   (bytes)
--lessthan=#:     files less than this size      --lessthan=10000
--smaller=#:      files less than this size      --smaller=10000
-G + #:           files greater than this size   -G 10000    bytes)
--bigger=#:       files greater than this size   --bigger=10000
--greater=#:      files greater than this size   --greater=100000
-v:               NO VERBOSE. Silent run. show only data output. no admin stuff
-U:               NO 'U'pper case. MD5 values shown as lower case  (a1b2c3d4)
-D xx,mm:         Start processing file at byte xx (from 1), this many bytes  -D 1,512

War and Peace Option reference

items displayed within [SQUARE BRACKETS] are ini file settings. ie: [RECURSE=ON|OFF], would look like: RECURSE=ON in the ini file.

Some options are mutually exclusive. So test first, last, and always.

-p + path(s):  If more than one directory is needed to be looked at, then add the paths here as appropriate. (md5   -p c:\windows    d:\work)    [PATH]=path

-f + filespec:  If more than one file type is needed, add them here. (md5   -f   *.c   *.obj   *.dll)   [FILES]=filetype

If these options are used, the program builds a matrix of paths and file types. It searches all the requested directories for all the requested file types. Thus giving a total of all the files in all the paths requested. These options are added to any default command line provided. (C:> md5    c:\work\*.c    -f    *.dll    -p    d:\windows)

-x+filespec:  e(x)clude these file types from listing. (same format as -f option) (md5 -x thesefiles.txt) [EXCLUDE]=filetype

-oO + filename:  Output file name. Place the output to a filename. If uppercase ‘O’ then existing output is appended to.
    (md5 -o overwritten_output.txt) (md5 -O appended_output.txt) [OUTPUT]=filename


-oO + [OUTPUTNAME]YY[YYMMDDhhmmss][=:][OUTPUTNAME][Gg]:     This format allows the output file to be easily be identified as to when it was created. The addition of the YY.... format causes the output file to be named with current date/time based on the mask used, and a .txt extension is added unless user includes extention in the mask name. If this format is used, the -a append option is automatic and the -v no verbose is also automatic.

This option has a number of variations. Read and test profusely. You do know how to do that, don't you.

The basic idea is to create an output filename with the date and time (depending on which YYYYMM.. etc) the program was run. The user can also add a textual filename either preceeding or after the generated date-time output name. The format for this output filename creation is convoluted.

If you use (include) the preceeding [NAME] text then the name provided is "prepended" to the date string created. (see below for the trailing filename format). With specific additions of an actual NAME the output name can be modified to have a leading textual name.

If the trailing "filename format" (not recommened without extreme testing) is included as part of the output name, you must use either the "=" or ":" delimeter in the trailing mask or else it is ignored. The minimum is that the YY be the first item. Then you can add additional modifiers to refine the output name. This option is especially helpful when you are creating the catalogs with batch scripts run periodically. Then depending on the mask used, the output filename will reference the date and time of the run. The modifiers are case dependentant, and add the following:

[OUTPUTFILENAMEROOT] testrun
YY = two digit year, 12, or
YYYY = four digit year, 2012,
MM = two digit month, 07,
DD = two digit day, 31,
hh = two digit hour, 22,      local or GMT depending on the terminating G. see below.
mm = two digit minute, 30,
ss = two digit seconds, 15, and optional GMT indicator
G or g = convert hours to GMT hours
[=:]filename text as the filename (adds the literal to the filename). Prepend FILENAME-YYMMDD... is preferred over this format.


The preferred filename format is to use the FILENAME before the date time, so an option of
-o NAMEYYYYMMDDHHmmss or -o NAMEYYYYMMDDHHmmssG yields with or without +5 GMT conversion
NAME20231111_101313.txt    or   NAME20231111_151343.txt

-o YYMMDDhhmmss or YYMMDDhhmmss without a textual filename would result in,
231111_101548.txt
Notice that after the 2 digit year, YYMMDD date, there is an embedded underscore before the time. Sorry, this is the way it is. (MD5 -o YYMMDD )

-o YYYYMMDDhhmmss yields 4 digit YYYY
20231111_101647.txt

-o YYYYMMDDhhmmss=OUTNAME or YYYYMMDDhhmmss:OUTNAME yields output filename of
20231111_101921_NAME.txt

--margin=xx:   Insert xx spaces at beginning of the line for easier read.
   |SOURCE2.md5 089524CF45D6E42EAF1396E99F3E6D9F
becomes this with --margin=5, Pipe | added to show left margin. not really part of output.
   |          SOURCE2.md5 089524CF45D6E42EAF1396E99F3E6D9F

--PNAME:   (minus minus - - PNAME) If using the above YY... format, you can also prepend to the output filename the actual name of the program being run. So that if you use --PNAME when running MD5, the name MD5 will preceed the filename such as:
MD5 -o YYYYMMDDhhmmss=OUTNAME --PNAME yields program name before, and filename "OUTNAME" after
MD5_20231111_102025_OUTNAME.txt

There are probably other variations of the date inclusion. But I'm tired of adding them.


-a:  append output to filename provided in -o option. Serves same purpose as using an upper case O. (md5 -a appended_output.txt)) [APPEND]=[ON|OFF]

-1 + log_filename:  (that's a one, not ell) The filename here is a file which will contain accounting/log information about the run. It is always appended to, and contains the command line, and statistics about how many files and time of run. The file can later be used as a batch file for duplicating the runs. The ACCT environment variable can also be set. (SET ACCT=logfilename). Or use the .INI option [ACCT=filename] The order of priority is: Environment, INI file, Command Line option. To explicity turn off use a +1. (md5    -1 logfilename.txt)

-R:     (upper case R). Reset last access date filetime to original. (md5 -R)
--reset  Reset file times. May or may not work, depending on the OS being used.

-r:       (lower case r), recurse thru the file system. Default is NOT recurse.
--recurse:  recurse the directory tree. MD5 default is to NOT recurse. (md5    c:\tmp -r)

-S:  (upper case S) If the file system is NTFS, this option causes Alternate Data Stream files to NOT be processed also. The default is to process ADS files where possible.

-w #:  Change the default width of the filename from 38 to whatever value you wish. If you have long filenames, or use the -r recurse option which obviously will increase path size, this may be necessary to accomodate the entire name. If a filename longer than 38 is used, the output tends to be more than one line long. Note: If the special sequence, (-w 1, thats a one not ell(L)) is used then the output becomes a variable length record with only 1 space between the filename and the hash value. (md5 -o output -w 150) increases filename width to a fixed 150 characters. Alternative is -V (variable). [WIDTH]=50

-V:   'V'ariable name output. Make output line name a variable length.
        Obviously this is best used with the output option. Because output line is now variable length, it defaults to inserting a pipe (|) delimeter between fields. (md5 -V -o output.txt)
      c:\path1\path2\etc\samplemd5.txt| FF3D051CC3D562959C41C411137FCA15|     204|

--nameafter:  Place the filename at the end of the record. This still truncates the name field, unless the -w xx option is also included. (md5 --nameafter)
      2CCD06394CA3394286BFEBCC0A73F634     1040     D:\...\md5\Release\sample512

- -AONLY:
- -ONLYMD5, :- -ONLY_MD5, - -MD5ONLY,- -MD5_ONLY,
   choose only one version. (Thats minus minus -   -)  Display/Output ONLY the MD5 on each line. This output format (one MD5 per line) may be needed when you wish to import the MD5 values to a forensic software package requiring a single item per record. Since this is one of those mutually exclusive options, only an output option -o will work with it, otherwise output goes to the screen: DAH!
Like: (md5 --ONLYMD5 -o MD5_values.out)

D706EAF7269177D4C005DBC5F9783E86
BED64C89F28EED55BBA32D6894CEE55D
2C0E695071AA87AA0EBD34C6750E1968
B061D7EE4D9D74909124D061BBD6C909
9104799A5142FAC46D227734AC6B5296

SPECIAL Al Johnson combo     no, its not a special at the local diner.

--ONLYMD5 -V: This combination causes the MD5 output record to be reformed to the following syntax:

MD5-HASH                        |   filesize | fullpath_filename
C15DE4C7BD8BC9E2065C95530C8E055D|       12889|\\?\D:\WORK\UNICODE\md5\Release\D1\CYRILLIC_NAMES\Cyrillic.7z|
Use this option combo (with appropriate other options) to generate a variable length record with the hash as the first item on the line. Then you can run the output thru the hashcmpV program to compare outputs of two of these md5 runs.
NOTE: Only the md5 hash value is used/allowed with this combo, and that not all the other options are allowed with these two items. Especially the time -t[acw] options are not implemented here.


Hash calculation options: (-s -B -c -256 -384 -512 ) Default is the MD5 128 bit calculation is ALWAYS done.

-s:  produce the 160 bit SHA output. MD5 is ALWAYS produced.

-B:  produce the MD5 and SHA (160) of a file. Same output as the -s option.

-256:  produce the 256 bit SHA2 calculation. (see note below)

-384:produce the 384 bit SHA2 calculation. (see note below)

-512:  produce the 512 bit SHA2 calculation. (see note below)

-c:  produce a 32 bit CRC output in addition to the 128 bit MD5 hash. However, the CRC of ADS is not done, and no --MATCHxxx capability is available for CRC's. CRC's are antiquated. (see note below)

command line:
md5 -s -256
produces MD5, SHA1(160) and SHA256 values.

-[tT][acw3]:  Show the file time as last ‘a’ccessed, last ‘w’ritten, ‘c’reated, or show all ‘3’. No spaces between the -t and the modifier. ( -tc or -t3 ) Default is the ‘w’rite, which is identicle to what DIR or Explorer displays. [TIME]=[A|C|W|3], [ALLTIMES]=]ON|OFF]. If the 't' is uppercase 'T' the file dates are printed in YYYYMMDD format for easier sorting. HH:MM:SS are always included. Often used in conjunction with the -l (lower case ell) and -g options to bracket file times.

-z:Display time in ‘Z’ULU GMT format calculated from current computer offset. The letters GMT will be at the end of the output line indicating such. Use GMT to get relative references especially when dealing with 2 or more time zones. (-z) [ZULU]=[ON|OFF]

-g + #:      -g 150 (days)
--older=#:    Where the # is replaced by a number indicating: list all files ‘g’reater than # days old. You can use a -gl pair to bracket file ages. If the --greater=# is used, the equal (=) sign is mandatory format. (md5 -g 100), greater than 100 days old: [OLDER]=50

-l + #:     -l 150 (days), thats an (ell, not one)
--newer=#:   Where the # is replaced by a number indicating: list all files ‘l’ess than # days old. You can use a -gl pair to bracket file ages. To get todays files, use (md5    -l 10) [NEWER]=10

-g + mm-dd-yyyy[acw]
Process only those files (g)reater (older) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -g option of mm-dd-yyyy. For this reason, the day provided is NOT included in the calculation. Ie. if you entered -g 01-01-2006 you would only process dates PRIOR to 1/1/2006. This means all of 2005 and before. See below for the [acw] meanings.

-l + mm-dd-yyyy[acw]:  (that's and ell, not a one). Process only those files (l)ess than (newer) than this mm-dd-yyyy date. The date MUST be in the form mm-dd-yyyy. It MUST have two digit month and days (leading 0 if necessary), and it MUST have a 4 digit year. The date calculation is calculated as of midnite on the date given for the -l option of mm-dd-yyyy. For this reason, the day provided IS included in the calculation. Ie. if you entered -l 01-01-2006 you would process all of 2006 to the current date.

Special note for the [acw] modifier part of the option.

If no 'acw' modifier is used, the default time used to check the age is the current write or last modification time.

You can however, alter which time is used in the age calculation. To do this, add any or all of the acw indicators. For instance, if you wanted the date checking to respond to the access date, you would add an 'a'.    ie: -l 10-10-2005a would show all files accessed on or after 10-10-2005.

If you added more letters, to the date, ie:   -g 10-10-2005cw    you would get all files with EITHER an access or a last modified date older than 10-10-2005. The added [acw] times are logically OR'd. So any date meeting the criteria will cause it to be selected for processing.

The use of all three -g 10-10-2005acw allow the program to simultaneously check and evaluate all three dates.

Caution should be exercised in using all three dates, as in most cases, almost every file may fit the criteria.

-L + #:    -L 2000
--lessthan=#:
--smaller=#:  Where the # is replaced by a number indicating, list all files less than # bytes in size.
    (md5 -L 100000) [LESSTHAN]=100000

-G + #:     -G 2000
--bigger=#:
--greater=#:  Where the # is replaced by a number indicating, list all files greater/bigger than # bytes in size. You can use a -GL pair to bracket file sizes.
    (md5 -G 10000 -L 100000), greater than 10K, less than 100K bytes. No commas please. [GREATER]=10000

-P     Pause after every 20 lines is default. Adjust number of lines using (=nn), (ie: -P=45). ini format: PAUSE=[ON|OFF|nn]
--pause[=nn]:   Pause every 20 lines default, or adjust to nn lines for larger screens, --pause=65.

-d “delimeter”:  replace “delimeter” with a delimeter (typically a pipe ‘ |’ ) within double quotes with which to delimet fields. If the delimeter is not printable, use its decimal ascii value but don’t place it it quotes. (-d “|”). The delimeter is used and highly recommended if you are going to import the output file into a spreadsheet. I know of no spreadsheet or data base program that fails to handle the pipe delimeter correctly. While .csv is often misunderstood by spreadsheets. [DELIMETER]=|

-v:  Silent run. NO VERBOSE. Do not print normal column headings above numbers. This provides cleaner screen output for redirection to a file. This can also be accomplished by settting an environment variable called silent to ON. (set SILENT=ON). The SILENT environment variable is used by crckit also.

-U:  NO 'U'pper case. This converts all the hex values in the md5 field to lower case values. Thus ABCDEF would be abcdef.

-D xx: This is the standard default format of the -D option. It will start processing the file xx bytes from the beginning. The xx offset is counted from 1. It then processes the rest of the file. If you need to process only a portion of the file, use the modified version of the -D option. (see next option).

-D xx[[,XX[oc]]: supercedes the basic -D option. This option takes a lot of practice.
Use this option to process only a part of a file. This option will start processing the file at the xx byte of the file, and process this many bytes of the file, or; with the proper modifier (c) process to the xx byte plus XX bytes.
The xx value counts from byte 1, -D 1,xx (xx=process this many)

To use this modified xx,XX option, the format must have the comma (,) followed by another value, with an optional alpha modifier. The XX value defaults to the ending byte that should be processed to. The default modifier for this is letter o.

If you wish to have the program count for you, you can use the 'c' modifier which means "count" this many characters from the beginning value entered. The xx,XX format is required. The [co] modifiers are optional. Practice makes perfect.

A sample would be:


top

MATCH

--MATCH     --MATCH     --MATCH    --MATCH

--MATCH[MD5|SHA|160|256|384|512][01]=filename_containing_values_to_match:

--MATCHMD5=filename
--MATCH256=filename256_values_etc.

Depending on the modifier used with --MATCH, that type of calculation will be used to match the values.
SO, the program will match MD5 hashes, (SHA or 160), 256, 384, 512 will cause the appropriate calculation to be made and "hopefully" the matching file contains properly formatted values to match. Only one match type is allowed per run.

The =filenametomatch   is always required. The (=)equal sign is part of the syntax.

(This --MATCHxxx option has a number of permutations..)

The user provides the filename of the file that contains the hash/SHA values to compare against.

The file MUST be of a fixed length record, one record per line,

 32+CR/LF = 34  for MD5
 40+CR/LF = 42  for SHA1/160
 64+CR/LF = 66  for SHA256
 96+CR/LF = 98  for SHA384
128+CR/LF = 130 for SHA512

it MUST be sorted, and it must be CR/LF delimeted/terminate. NO BLANK LINES at end of file. If you can't supply this type of fixed length file, maybe you shouldn't be using this program.

In other words the file must contain ONLY fixed length values of the appropriate hash/SHA items.
If it is NOT sorted, or not fixed length of the proper length for the MD5/SHA, the comparisons WILL fail. Versions after 3/12/2012 attempt to perform an internal sort check of this file to make sure it is properly sorted.

If the --MATCHxxx=filename option is used, all the files information is printed, and the results (MATCH, NO_MATCH) is also displayed.


file1.ext   2ABC207F114B331B0A61B2CE31FBBBB8 NO_MATCH
file2.ext   AFFFFA55CDAD77E07CAA5E1E61767950    MATCH

If the 0 is added to the keyword MATCHxxx0, as --MATCH2560=...., then the output will contain only those files whose hash DO NOT MATCH the MD5's in the reference file. An output file MUST be provided, output to the screen will not accomplish the proper results.

If the 1 is added to the keyword MATCH2561, as --MATCH2561=...., then the output will contain only those files whose hash DO MATCH the MD5's in the reference file. An output file MUST be provided, output to the screen will not accomplish the proper results.

Sample:
0BC5E23ABA63BC32F55D873C6FB7E85D
332F63DDAF26C8FEA1950BCE3C4EBF66
DE410766BCF1EC84A41AAFC18046E943

--source=listfilename:  Provide a list of files to hash in the file identified by the name: listfilename. One filename per line. The filename must contain the complete path of the file to hash. The program reads the text file one line at a time and processes that file. There should be a blank line at the end to indicate no more files to process.


top

COMMAND LINES

Download a  zip file (md5_examples.zip) containing samples of command lines. The zip file also contains sample input files to use with the --MATCH option. It DOES NOT contain the md5.exe. That should be downloaded separately.
   C:>md5
   C:>md5   -p  C:\top_level_path
   C:>md5   filename(s) 
   C:>md5   -r 
   C:>md5   -256
   C:>md5   -256 --MATCH256=fileof_sorted_hashes
 

Sample output. (if the -r option was used, the entire path would be shown )

OPTIONS.obj              F057CBF3F765F30B0CA8C3DFBBFC8BA0
RECURSE.obj              A16C61DD74DAE55241909D6B1604929A
FIXNAME.obj              AB4C84E456F6293749AA5A4FA7EFF9A2

C:>md5 --MATCHMD5=reference_md5s -o outputfile
C:>md5 --MATCHMD51=reference_md5s -o matched_outputfile
C:>md5 --MATCHMD50=reference_md5s -o no_matched_outputfile

Sample output. (if the --MATCHxxx was used without the 0 or 1 modifier,)

OPTIONS.obj              F057CBF3F765F30B0CA8C3DFBBFC8BA0   NO_MATCH
RECURSE.obj              A16C61DD74DAE55241909D6B1604929A      MATCH
FIXNAME.obj              AB4C84E456F6293749AA5A4FA7EFF9A2   NO_MATCH

C:>md5 -256 -o junk

Sample output of -256 option. One space between MD5 and SHA value.

           MD5                             SHA
junk   94A2ED51F8B7255685B85BA2AE36140B  D1A9E9E993A6EB1A45FB7A0DC250FE1C2131BD2B 

Sample output with -tw option. The size of the output filename has been shortened for display purposes.

Program started Mon Dec 28 13:43:51 1998 GMT, 08:43 EST 

MD5.exe *.exe -o junk -tw 

MD5_32.EXE    6CE903B30B410F8A9E6BCF1F05A74864   130760 12/27/1998 16:19w EST 
MD5.exe       142D15AE29D85406F8A23A843D0B0D73   130760 12/27/1998 16:19w EST 

 Processed 2 files, 261520 bytes:  Elapsed:  0 hrs. 0 mins. 0 secs.


top

RELATED PROGRAMS

CRCKIT

DISKCAT

HASH

top