So, you have begun your incident response, and for documentation purposes you need to
record the hashes of files. Or you have imaged some media, perhaps memory, and you
want the hashes of the image files.
In this post, I will outline a few ways to do so with some tools native to Windows and some
non-native tools.
___________________________________________________________________________
1. PowerShell (Get-FileHash)
Get-FileHash [-Path] <string[]> [-Algorithm {SHA1 | SHA256 | SHA384 | SHA512 | MACTripleDES | MD5 | RIPEMD160}]
*Note
- -Algorithm can be abbreviated to -al
- a semicolon (;) joins commands on one line
Example:
[Screenshot: command hashing "hash_this.txt" with the MD5 and SHA1 algorithms]
___________________________________________________________________________
2. Certutil(-hashfile)
[Screenshot: command hashing "hash_this.txt" in MD5 format]
Example:
Certutil -hashfile <FILENAME> <HASH ALGORITHM>
___________________________________________________________________________
3. MD5deep and SHA1deep
In your Incident Response kit, it would be a good idea to keep a set of tools for
hashing. MD5deep, hashdeep, and SHA1deep are some possible options.
Link to Download of MD5 deep:
Example: md5deep64.exe <FILENAME>
*Note
There are also SHA1deep, SHA256deep, and a few other hashing executables at
the download link that work the same way as MD5deep.
___________________________________________________________________________
4. Hashing with MacOS and Linux
For MacOS:
Opening a terminal and using the command md5, shasum, or shasum -a 256 with the path to
the file will return a file hash.
Example:
md5 <FILEPATH>
md5 -r <FILEPATH>
openssl md5 <FILEPATH>
For Linux:
Opening a terminal and using the command md5sum, sha1sum, or sha256sum with the path to
the file will return a file hash.
Example:
md5sum <FILEPATH>
sha1sum <FILEPATH>
sha256sum <FILEPATH>
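For documentation purposes, single hashes are usually collected into a manifest that can be re-checked later. The following is an added example, not part of the original post: it builds a SHA-256 manifest for a folder of collected files and verifies it afterwards, using sha256sum on Linux or shasum -a 256 on MacOS. The function names and the manifest location are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: SHA-256 manifest for an evidence folder (names are hypothetical).

# Pick the hashing command: sha256sum on Linux, shasum -a 256 on MacOS.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# write_manifest <evidence_dir> <manifest_file>
# Writes one "<hash>  <relative path>" line per file, sorted by path.
# Keep the manifest OUTSIDE the evidence folder so it is not hashed itself.
write_manifest() {
    local dir manifest cmd
    dir=$1
    manifest=$2
    cmd=$(hash_cmd)
    # $cmd is intentionally unquoted so "shasum -a 256" splits into words.
    ( cd "$dir" && find . -type f -exec $cmd {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# verify_manifest <evidence_dir> <manifest_file>
# Re-hashes every listed file. Returns 0 only if all hashes still match;
# a changed or missing file gives a non-zero exit status.
verify_manifest() {
    local dir manifest cmd abs
    dir=$1
    manifest=$2
    cmd=$(hash_cmd)
    # Resolve the manifest to an absolute path before changing directory.
    abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
    ( cd "$dir" && $cmd -c "$abs" )
}

# Usage (paths are placeholders):
#   write_manifest  /cases/0001/evidence /cases/0001/manifest.sha256
#   verify_manifest /cases/0001/evidence /cases/0001/manifest.sha256
```

Record the manifest's own hash in your case notes so that a later change to the manifest is also detectable.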
___________________________________________________________________________
In conclusion, these are only a few ways to hash a file. There are several more.
There are also some 3rd party options, such as “HashTab”, which adds a tab in the file’s Properties
that details the hash,
as well as “Hash Generator” and NirSoft’s “HashMyFiles” tool.
And most forensics tools will include a hashing feature.
But for an on-the-fly way, do remember that there are some command line methods at
your disposal.
--Bryan