
Sunday, 22 July 2018

Generating file/content hashes using built-in Certutil

Whether you are into forensics or pentesting, or are just a home user downloading software, sooner or later you may need to create hash signatures of files to validate their content:
  • A forensics specialist needs to create signatures of DD images or individual triage files.
  • A network forensics specialist could use it to create signatures of pcap files.
  • A pentester could generate a signature of an internal document that he/she has come across.
  • A home user can generate a signature of a file and compare it to validate file integrity.
While some forensics tools like disk imagers have these features built in, I've seen some sites recommending tools to be downloaded to accomplish this, but it isn't really necessary. Most Windows systems come with a built-in command line utility that can create hash signatures: Certutil.

Certutil is a Swiss army knife for dealing with certificates, but it also includes the functionality to generate hash signatures using the switch -hashfile.



The hash algorithms supported are MD2, MD4, MD5, SHA1, SHA256, SHA512, only leaving out SHA224. The most common ones are MD5, SHA1 and SHA256 for file integrity checking.

To generate a signature, just go to the folder where the file is and type

Certutil -hashfile filename.exe sha256

and it will generate a SHA256 signature of the content of filename.exe. Below are some more examples:




To redirect the output and generate a file signature, use the > (greater than) sign and specify an output file.

Certutil -hashfile filename.exe sha256 > filename.exe.sha256

And the output of certutil will end up in filename.exe.sha256:



This will obviously include header lines, which are uninteresting. You can filter them out using the find command with the /v (skip) and /i (ignore case) switches and the search criterion "hash". This will produce only one line in the .sha256 file, containing the signature:



You can also do an iterative search of all files in a folder and generate signatures for them.

The command for that, inside a batch file, is: for /f "usebackq delims=" %%f in (`dir /b c:\`) do <put command here>

I leave this as an exercise for the reader; it is explained in more detail on Stack Overflow:
https://stackoverflow.com/questions/180741/how-to-do-something-to-each-file-in-a-directory-with-a-batch-script
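
The folder loop described above, written out as a batch file. This is an added example, not code from the original post; the script name hashdir.cmd and the CREATED/OK/MISMATCH/FAILED labels are assumptions. It goes one step beyond the text by re-checking any file that already has a .sha256 file next to it.

```bat
@echo off
rem Added example (not from the original post). hashdir.cmd is a hypothetical name.
rem Usage: hashdir.cmd [folder]
rem For every file in the folder: create <file>.sha256 holding only the hash line,
rem or, if <file>.sha256 already exists, recompute the hash and compare the two.
setlocal
set "target=%~1"
if not defined target set "target=%cd%"

rem dir /b /a-d lists bare file names and leaves out subfolders.
for /f "usebackq delims=" %%f in (`dir /b /a-d "%target%"`) do (
    if /i not "%%~xf"==".sha256" call :process "%target%\%%f"
)
endlocal
exit /b 0

:process
set "current="
rem find /v /i "hash" drops the header and status lines, leaving only the hash.
for /f "usebackq delims=" %%h in (`certutil -hashfile "%~1" SHA256 ^| find /v /i "hash"`) do set "current=%%h"
if not defined current (
    echo FAILED    "%~1"
    exit /b 1
)
if not exist "%~1.sha256" (
    >"%~1.sha256" echo %current%
    echo CREATED   "%~1"
    exit /b 0
)
rem Read the first line of the stored signature file and compare, ignoring case.
set "stored="
set /p stored=<"%~1.sha256"
if /i "%stored%"=="%current%" (echo OK        "%~1") else (echo MISMATCH  "%~1")
exit /b 0
```

Run it once to record signatures and again later to detect changed files; a MISMATCH line means the file content no longer matches the stored hash.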