jessekornblum ([info]jessekornblum) wrote,
@ 2008-07-29 06:27:00
Entry tags:forensics, geek, hashing

Introducing hashdeep and faster md5deep
I am pleased to announce the release of md5deep version 3.1 along with a new program, hashdeep. Along with some cosmetic bug fixes, this version of md5deep should be about 10-15% faster than version 3.0 thanks to the removal of some redundant code. The new hashdeep has two primary features, multihashing and hash set auditing. Multihashing is the ability to compute more than one hash algorithm simultaneously. Technically this feature isn't really "new", per se; it's been a part of programs like FSUM and Dan Mares' hash for years. The real magic is in the hash set auditing.

Auditing Hash Sets

The benefits of hash set auditing will be fully described in the paper Auditing Hash Sets, hopefully to be published soon. Here's the abstract:
Auditing a set of cryptographic hashes allows a forensic examiner to determine the state of a target directory as compared to those hashes. Unlike traditional hash comparison methods, an audit takes into account all of the files in the target directory and their relative paths. Not taking these data into account can impair examinations and tool certifications. An audit examines each file in the target directory, computes its hash, and compares it to a file containing the known hash values. Any file not in the set of known hashes is flagged as being inserted. When all of the files in the target directory have been examined, any known hashes that have not been matched are flagged as being missing. The result is a complete picture comparing the set of known hashes and the target directory.
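
The audit described in the abstract, sketched in Python as an added example (this is not code from md5deep or hashdeep). The function names, the use of SHA-256, the separate "moved" category for a known hash found at a different relative path, and the constructed sample tree in demo() are all assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in Path(root).rglob("*") if p.is_file()}

def audit(known, root):
    """Compare every file under root with the known {relative path: hash} set."""
    target = hash_tree(root)
    unmatched = dict(known)  # known entries not yet accounted for
    report = {"matched": [], "moved": [], "inserted": [], "missing": []}
    for rel in sorted(target):  # pass 1: same relative path, same hash
        if unmatched.get(rel) == target[rel]:
            report["matched"].append(rel)
            del unmatched[rel]
    for rel in sorted(set(target) - set(report["matched"])):  # pass 2: the rest
        old = next((p for p in sorted(unmatched) if unmatched[p] == target[rel]), None)
        if old is None:
            report["inserted"].append(rel)  # hash matches no remaining known entry
        else:
            report["moved"].append((old, rel))  # assumption: known hash, new path
            del unmatched[old]
    report["missing"] = sorted(unmatched)  # known hashes never matched
    return report

def demo():
    """Constructed sample tree: record known hashes, alter the tree, audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for rel, data in [("a.txt", b"alpha"), ("b.txt", b"bravo"),
                          ("c.txt", b"charlie"), ("docs/d.txt", b"delta")]:
            (root / rel).write_bytes(data)
        known = hash_tree(root)
        (root / "b.txt").unlink()                         # deleted
        (root / "c.txt").rename(root / "docs" / "c.txt")  # moved
        (root / "a.txt").write_bytes(b"ALPHA")            # modified in place
        (root / "new.txt").write_bytes(b"echo")           # added
        return audit(known, root)
```

Calling demo() returns the report for the altered tree. A file modified in place appears as both inserted (its new hash is unknown) and missing (its old hash was never matched).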
I'll post more details on the paper as they become available. In the meantime, here's the complete list of changes in this version of md5deep:

New Features

  • Added hashdeep program to support multihashing and hash set auditing

  • Streamlined file size computation process, which makes the programs about 15% faster.

  • Added size threshold modes to only process files smaller than a given size.

  • Added a timestamp mode that records the creation time for each file on Win32 and the change time on all other operating systems.

  • Added support for new iLook style hashes

Bug Fixes

  • Corrected time estimates for large files (e.g. files which require more than one day).

  • Fixed obscure bug that caused a crash (double free) when attempting to check a very small file for EnCase hashes


