- A forensics specialist needs to create signatures of DD images or individual triage files.
- A network forensics specialist could use it to create signatures of pcap files.
- A pentester could generate a signature of an internal document that he/she has come across.
- A home user can generate a signature of a file and compare it to validate file integrity.
Certutil is a Swiss army knife for dealing with certificates, but it also includes the functionality to generate hash signatures using the switch -hashfile.
The hash algorithms supported are MD2, MD4, MD5, SHA1, SHA256, SHA512, only leaving out SHA224. The most common ones are MD5, SHA1 and SHA256 for file integrity checking.
To generate a signature, just go to the folder where the file is and type
Certutil -hashfile filename.exe sha256
and it will generate a sha256 signature of the content of filename.exe, below are some more examples:
To redirect the output and generate a file signature use the > (greater than) sign and specify an output.
Certutil -hashfile filename.exe sha256 > filename.exe.sha256
The output of certutil then ends up in filename.exe.sha256.
This will obviously include header lines which are uninteresting. You can filter them out by piping the output through the find command with the /v (skip lines that match) and /i (ignore case) switches and the search string "hash"; every certutil line except the hash itself contains that word. This leaves only one line in the .sha256 file, the signature.
You can also iterate over all files in a folder and generate signatures for each of them.
The command for that is:
for /f "delims=" %%f in ('dir /b c:\') do <put command here>
Note that %%f is the form used inside a batch file; at the interactive prompt use a single %f. Since dir /b prints bare file names without the path, the command you put in the loop must prepend the folder. I leave this as an exercise for the reader; it is explained in more detail on Stack Overflow:
https://stackoverflow.com/questions/180741/how-to-do-something-to-each-file-in-a-directory-with-a-batch-script
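Putting the pieces together, here is an added example batch script (not from the original post) that hashes every file in a folder, keeps only the hash line in each .sha256 file, and then verifies one file against a known-good hash. It assumes a Windows host with certutil.exe on the PATH; the folder C:\triage, the file name filename.exe and the all-zero expected hash are placeholders to replace with your own values.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Added example, not part of the original post. Assumes certutil.exe is on
rem the PATH; TARGET_DIR, FILE and EXPECTED below are placeholder values.
set "TARGET_DIR=C:\triage"
set "ALGO=SHA256"

rem 1. Hash every file in TARGET_DIR (not subfolders) and write one hash line
rem    per file into <name>.sha256, dropping certutil's header and footer lines.
rem    /a-d skips directories, which certutil -hashfile cannot hash.
for /f "delims=" %%f in ('dir /b /a-d "%TARGET_DIR%"') do (
    rem Skip signature files from a previous run so they are not hashed in turn.
    if /i not "%%~xf"==".sha256" (
        certutil -hashfile "%TARGET_DIR%\%%f" %ALGO% | find /v /i "hash" > "%TARGET_DIR%\%%f.sha256"
    )
)

rem 2. Verify a single file against a known-good hash. EXPECTED is a
rem    placeholder; use the value from the vendor page or your evidence log.
set "FILE=%TARGET_DIR%\filename.exe"
set "EXPECTED=0000000000000000000000000000000000000000000000000000000000000000"
set "ACTUAL="
for /f "delims=" %%h in ('certutil -hashfile "%FILE%" %ALGO% ^| find /v /i "hash"') do (
    set "ACTUAL=%%h"
)
rem Older Windows versions print the hash with spaces between byte pairs;
rem strip them so the comparison works on either output format.
set "ACTUAL=!ACTUAL: =!"

if /i "!ACTUAL!"=="%EXPECTED%" (
    echo [OK]   %FILE% matches the expected %ALGO% hash
    exit /b 0
) else (
    echo [FAIL] %FILE% hash mismatch
    echo        expected: %EXPECTED%
    echo        actual:   !ACTUAL!
    exit /b 1
)
```

Save it as hashdir.cmd and run it from a cmd prompt. The pipe inside the second for /f is escaped as ^| because the command runs in a sub-shell; the comparison is case-insensitive since certutil prints lowercase hex while many published hashes are uppercase.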