# Course #240: Hashdeep – Digital Forensics and File Integrity
## Section 1: Introduction to Hashdeep
### What is Hashdeep?
Hashdeep is a powerful tool used in digital forensics for calculating and verifying file hashes, which helps in identifying files and maintaining file integrity. In the world of cybersecurity and penetration testing, maintaining the integrity of files is essential, whether you are auditing file systems, checking for unauthorized changes, or verifying downloads. Hashdeep supports a variety of hash algorithms, including MD5, SHA-1, and SHA-256, making it a versatile choice for forensic analysis.
### Installation and Configuration on Kali Linux
Kali Linux comes with a wide range of pre-installed tools, including Hashdeep. However, if you find that Hashdeep is not installed or you need to update it to the latest version, follow these steps:
**Step 1: Update your package list**
Before installing new software, it’s a good practice to update the package repository. Open your terminal and run:
```bash
sudo apt update
```
**Step 2: Install Hashdeep**
To install Hashdeep, execute the command:
```bash
sudo apt install hashdeep
```
**Step 3: Verify Installation**
Once the installation process is complete, you can check if Hashdeep is installed successfully by running:
```bash
hashdeep -V   # capital V prints the version; lowercase -v is verbose mode
```
This command should return the version of Hashdeep, confirming that it is ready for use.
### Basic Configuration
Hashdeep does not require extensive configuration; however, it is useful to know how to set up basic options to suit your needs:
1. **Setting Up Your Working Directory:** It's a good practice to work within a dedicated directory for your forensic analysis. This helps in keeping your results organized.
2. **Choosing Hash Algorithms:** Hashdeep supports multiple hash algorithms (md5, sha1, sha256, tiger and whirlpool) and computes MD5 and SHA-256 by default. You select the ones to use with the `-c` option followed by a comma-separated list (`-a` is audit mode, not algorithm selection). For example, to use MD5 and SHA-1, your command would look like:
```bash
hashdeep -c md5,sha1 file.txt   # file.txt stands for the file(s) or directories to hash
```
3. **Output Format:** Hashdeep writes its own audit-file format by default (a `%%%%` header naming the columns, `##` comment lines, then one comma-separated line per file). To change what is printed, use `-d` for DFXML output, `-b` to print bare file names without paths, or `-l` to print relative paths.
### Step-by-Step Usage
#### Hashing Files
One of the most common uses of Hashdeep is calculating hashes for files. Here’s how to do it:
**Step 1: Navigate to Your Directory**
Use the `cd` command to navigate to the directory containing the files you want to hash.
```bash
cd /path/to/your/directory
```
**Step 2: Calculate Hashes**
To calculate the hashes of all files in the directory, use the command:
```bash
hashdeep -r .
```
The `-r` option stands for “recursive,” and it tells Hashdeep to scan all files in the directory and its subdirectories. The output will display the hash values of all files scanned.
#### Verify Hashes Against a Known Good List
Hashdeep can also verify files against a known hash list, an essential part of maintaining file integrity. This is particularly important in a forensic investigation.
**Step 1: Create a Hash List**
First, you need to create a hash list for the files you want to verify. Use Hashdeep to generate this list:
```bash
hashdeep -r -c md5,sha1 -o f -W known_hashes.txt .
```
Here, `-c md5,sha1` selects the algorithms, `-o f` restricts hashing to regular files (skipping devices, pipes and symbolic links), and `-W` writes the output to `known_hashes.txt` instead of standard output.
**Step 2: Verify Files**
To verify files against the hash list:
```bash
hashdeep -c md5,sha1 -r -a -v -k known_hashes.txt .
```
The `-k` option names the hash file to check against, `-a` selects audit mode (use the same `-c` algorithm list the known file was generated with), and `-v` provides verbose output detailing any discrepancies; repeating it (`-vv`) lists each file that changed, moved, is new, or is missing.
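The audit described above, reimplemented as an added Python example (not hashdeep's own code) so the known-hashes file layout and the audit categories can be studied offline: it writes a known-hashes file in hashdeep's format, then audits a directory against it and reports matched, changed, moved, new and missing files. The scenario directory and the `demo()` helper are constructed here.

```python
import hashlib, os, tempfile
from pathlib import Path
ALGS = ("md5", "sha256")  # hashdeep's defaults; -c md5,sha1 on the command line changes this

def file_hashes(path):
    data = Path(path).read_bytes()  # example reads the whole file; hashdeep streams in chunks
    return len(data), tuple(hashlib.new(a, data).hexdigest() for a in ALGS)

def walk(root):
    return sorted(os.path.join(d, n) for d, _, fs in os.walk(root) for n in fs)

def write_known(root, out_path):
    # Same layout hashdeep writes: two %%%% header lines, ## comment lines, one CSV row per file
    with open(out_path, "w") as out:
        out.write(f"%%%% HASHDEEP-1.0\n%%%% size,{','.join(ALGS)},filename\n"
                  f"## Invoked from: {os.getcwd()}\n##\n")
        for p in walk(root):
            size, digests = file_hashes(p)
            out.write(f"{size},{','.join(digests)},{os.path.abspath(p)}\n")

def read_known(known_path):
    rows = [l.split(",", 1 + len(ALGS)) for l in Path(known_path).read_text().splitlines()
            if not l.startswith(("%%%%", "##"))]  # skip header and comment lines
    return {name: (int(size), tuple(d)) for size, *d, name in rows}  # names may contain commas

def audit(root, known_path):
    # Mirrors the categories a `hashdeep -a -k` audit reports: matched, changed, moved, new, missing
    known = read_known(known_path)
    by_digest = {v[1]: k for k, v in known.items()}
    report, seen = {"matched": [], "changed": [], "moved": [], "new": []}, set()
    for p in walk(root):
        name, (size, digests) = os.path.abspath(p), file_hashes(p)
        cat = ("matched" if known.get(name) == (size, digests) else
               "changed" if name in known else
               "moved" if digests in by_digest else "new")  # moved: same content, new path
        seen.add(name if name in known else by_digest.get(digests))
        report[cat].append(name)
    report["missing"] = sorted(set(known) - seen)  # hashdeep calls these "Known files not found"
    return report

def demo():
    # Constructed scenario: baseline three files, then tamper one, add one and rename one
    root, known = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp(), "known_hashes.txt")
    for n, data in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
        (root / n).write_bytes(data)
    write_known(root, known)
    (root / "b.txt").write_bytes(b"bravo-tampered")
    (root / "d.txt").write_bytes(b"delta")
    (root / "c.txt").rename(root / "c_renamed.txt")
    return {k: [os.path.basename(x) for x in v] for k, v in audit(root, known).items()}
```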
### Real-World Use Cases
1. **Incident Response:** In the event of a security breach, Hashdeep helps investigators identify unauthorized changes to files, thus aiding in incident response and recovery efforts.
2. **Software Integrity Verification:** Hashdeep can verify the integrity of software packages downloaded from the internet, ensuring they have not been altered maliciously.
3. **Digital Forensics Investigations:** Forensic investigators use Hashdeep to analyze disk images, checking for known malicious files or verifying the integrity of evidence.
### Detailed Technical Explanations
In this section, we will delve deeper into the technical aspects of Hashdeep, explaining its underlying principles and features.
#### How Hash Algorithms Work
Hash algorithms convert input data (files, texts) into a fixed-size string of characters, which is typically a hexadecimal representation of the hash value. Different hash algorithms have varying lengths and properties:
- **MD5:** Produces a 128-bit hash value, commonly represented as a 32-character hexadecimal number. However, MD5 is considered weak due to vulnerabilities leading to hash collisions.
- **SHA-1:** Produces a 160-bit hash value and is more secure than MD5. However, it is also prone to collisions and is no longer recommended for high-security applications.
- **SHA-256:** Part of the SHA-2 family, it produces a 256-bit hash value and is widely used for secure applications. It is currently considered secure against collision attacks.
#### Understanding Output Formats
Hashdeep's default output is its own audit-file format: two `%%%%` header lines (the format version and the column list, for example `size,md5,sha256,filename`), `##` comment lines recording the working directory and the exact command, then one comma-separated line per file. The options that change what is written, or which files are processed, are:
- **-d:** Output in DFXML (Digital Forensics XML) instead of the default format.
- **-b:** Print only the bare file name, with no path information.
- **-l:** Print relative rather than absolute paths.
- **-o TYPES:** Process only the listed file types: `f` regular files, `l` symbolic links, `b` block devices, `c` character devices, `p` named pipes, `s` sockets; letters may be combined, as in `-o fl`. Note that `-o` filters the input files and does not select an output format.
Choosing the correct output format based on your needs is essential, especially during forensic investigations, where clarity is critical.
### External Reference Links
- [Kali Linux Official Documentation](https://www.kali.org/docs/)
- [Hashdeep GitHub Repository](https://github.com/jessek/hashdeep)
- [Understanding Hash Functions – Stanford](https://crypto.stanford.edu/pbc/)
### Code Examples
Here are some additional code examples you might find useful in your work with Hashdeep:
#### Generate Hashes for Specific File Types
To generate hashes only for specific file types, you can use the `find` command in combination with Hashdeep. For example, if you want to hash only `.txt` files:
```bash
find . -name "*.txt" -exec hashdeep -c md5,sha1 {} +   # find supplies the file list, so -r is not needed
```
#### Compare Two Directories
To check the files in two directories against one known-hashes list, use matching mode (`-m`):
```bash
hashdeep -r -m -k known_hashes.txt /path/to/directory1 /path/to/directory2
```
In matching mode Hashdeep prints every file under the two directories whose hashes appear in `known_hashes.txt`; add `-w` to also show which known entry each file matched, or use `-x` instead of `-m` to list the files that do not match.
### Conclusion
Hashdeep is an indispensable tool for digital forensics and cybersecurity professionals. With its robust hashing capabilities and versatility, it plays a crucial role in maintaining file integrity and aiding in forensic investigations. Mastery of Hashdeep is essential for anyone serious about effective penetration testing and digital forensic investigations.
---
Made by pablo rotem / פבלו רותם