How do I find key hashes?

Finding key hashes can be an important part of cybersecurity investigations and digital forensics. Key hashes allow you to identify files and verify their integrity without having access to the original file. There are a few different ways to find and use key hashes depending on your needs.

What is a Key Hash?

A key hash is the output of a cryptographic hash function, a mathematical algorithm that takes an input of any size and converts it into a fixed-length alphanumeric output called a hash value or digest, which is for practical purposes unique to that input. This hash value represents the original data in a condensed format. Even a small change to the original data will result in a completely different hash value when run through the hashing algorithm.

Some common hashing algorithms include MD5, SHA-1, SHA-256, SHA-512, NTLM, and RIPEMD. The most secure modern hashing algorithms like SHA-256 and SHA-512 generate hashes that are 64 and 128 hexadecimal characters long respectively.

Key hashes are used for several important purposes:

  • Verify data integrity – By comparing hash values, you can determine if data has been modified or corrupted.
  • Fingerprint files – Hashes uniquely identify files even if the file name has changed.
  • Verify passwords – Passwords stored as hashes can be verified without storing the passwords themselves.
  • Pseudonymous identification – Hashes can be used as unique identifiers while preserving anonymity.

Finding File Hashes

To find the hash value for a file, you need to run the file through a hashing algorithm. This can be done using a variety of tools:

Command Line Tools

Most operating systems come with built-in command line tools that can generate hashes quickly and easily:

  • Windows – CertUtil can hash using MD5, SHA1, SHA256, SHA384, SHA512
  • Linux/Mac – OpenSSL, sha256sum, sha512sum
  • macOS – shasum

For example, to find the SHA256 hash of a file on Windows you could run:

certutil -hashfile file.exe SHA256

And on Linux/Mac:

openssl dgst -sha256 file.exe 
sha256sum file.exe

Graphical Tools

There are many desktop programs and utilities that make it easy to find file hashes:

  • WinMD5 – Free hash tool for Windows.
  • HashMyFiles – Calculates MD5 and SHA hashes for multiple files.
  • MD5 & SHA Checksum Utility – Hashes files via drag and drop on Windows.
  • HashTab – Shell extension for generating hashes in Explorer.

These tools often integrate directly with the file explorer, allowing you to right-click a file and copy its hash value.

Online Hash Generators

If you don’t have access to the file directly, you can use online hash generators to process files. Some popular web-based hash generators include:

  • MD5Online – Supports MD5, SHA1, SHA256, CRC32, and other hashes.
  • OnlineHashCrack – Calculates MD5, SHA1, SHA256, NTLM, LM, and other hash types.
  • VirusTotal – Primarily scans files for malware but also generates hashes.

Simply upload your file and the tool will return the cryptographic hash of the file. Be aware that uploading files to an untrusted site has privacy and security risks.

Finding Password Hashes

Passwords are also commonly stored in hashed form to protect the actual passwords while still allowing verification. You may need to identify password hashes extracted from compromised systems or leaked databases during security investigations. Here are some tips for recognizing and finding password hashes:

  • Look for long, alphanumeric strings made up of different cases, numbers, and special characters.
  • Recognize common formats like NTLM and LM hashes which are fixed length.
  • Use hash cracking tools like John the Ripper and Hashcat to attempt cracking hashes and reveal their original passwords.
  • Consult rainbow table repositories which contain large databases of precomputed hashes.
  • Google search portions of hashes in quotation marks to find matches and identify the hashing algorithm.
  • Use online hash analyzers to automatically detect the type of hash.

By analyzing patterns in hashes and using cracking tools, you can often determine the original password associated with a hash. This requires technical skills and practice identifying different hash formats.

Using Key Hashes for Digital Forensics

Key hashes play an important role in digital forensics during the analysis of digital evidence. Some examples include:

  • Verifying forensic image files have not been altered.
  • Identifying known illegal files like child exploitation material.
  • Correlating files across multiple systems or investigations.
  • Validating files recovered from unallocated space.
  • Spotting tampering or forged files.

When conducting examinations, forensics analysts hash files from the evidence and compare those hashes against databases of hashes of known files. This allows files of interest to be quickly identified.

Maintaining an up-to-date database of hashes is crucial for identifying known good and bad files. Sources for hash databases include:

  • National Software Reference Library (NSRL) – Database of software file hashes.
  • VirusTotal – Repository of malware file hashes.
  • CAID – Child abuse image hashes provided to law enforcement.
  • Custom databases – Developed internally based on casework.

By leveraging these databases, forensics examiners can rapidly spot files of significance even without having access to the actual contents.
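The lookup described in this section, as an added example that is not part of the original article: each evidence file is read once, hashed with more than one algorithm, and checked against known-good and known-bad hash sets. The file names, contents and hash sets are constructed for the demo; a real NSRL or malware hash set would be loaded from its own export.

```python
import hashlib
import tempfile
from pathlib import Path

def multi_digest(path, algos=("sha1", "sha256"), bufsize=1 << 20):
    """Read the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        while chunk := fh.read(bufsize):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def triage(evidence_dir, known_good, known_bad):
    """Label each file 'known-bad', 'known-good' or 'unknown'.

    known_good / known_bad map an algorithm name to a set of lowercase hex
    digests, so hash sets keyed by different algorithms can be mixed.
    """
    root = Path(evidence_dir)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digests = multi_digest(path)
        if any(d in known_bad.get(a, ()) for a, d in digests.items()):
            label = "known-bad"    # a bad hit wins over a good one
        elif any(d in known_good.get(a, ()) for a, d in digests.items()):
            label = "known-good"   # can be filtered out of the review
        else:
            label = "unknown"      # needs manual review
        report[path.relative_to(root).as_posix()] = label
    return report

def demo():
    """Constructed sample: three small files and two tiny hash sets."""
    benign, flagged = b"constructed benign file", b"constructed flagged file"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system.dll").write_bytes(benign)
        (root / "renamed.jpg").write_bytes(flagged)
        (root / "notes.txt").write_bytes(b"never seen before")
        good = {"sha1": {hashlib.sha1(benign).hexdigest()}}
        bad = {"sha256": {hashlib.sha256(flagged).hexdigest()}}
        return triage(root, good, bad)

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{label:10}  {name}")
```

The file named `renamed.jpg` is still flagged because the match is on content, not on the name or extension.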

Using Hashes to Verify File Integrity

One of the most common uses of cryptographic hashes is to verify the integrity of files by checking that the file contents have not changed. Even the slightest modification to a file will drastically alter its hash value.

Here are some examples of how hashes are used to verify file integrity:

  • Software updates and packages – Hash values are published with software downloads so users can verify the file they receive matches the original.
  • Data archives and backups – Hashes taken during archiving can be compared later to check for corruption.
  • Forensics evidence – Hash values taken when collecting digital evidence can demonstrate no tampering occurred.
  • Blockchain – Transactions are hashed to form blockchain ledgers that are resistant to modification.

To verify a file manually, simply generate the hash of your file and compare it to a known good value from the source. Automated file integrity checking uses hashes to continually monitor files for unauthorized changes.

Here are some tools that perform file integrity monitoring using hashes:

  • Tripwire
  • AIDE
  • Samhain
  • OSSEC

These tools maintain databases of hashes for critical files and sound alerts if the hashes ever change.
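A minimal sketch of the baseline-and-compare idea behind such tools, added here as an illustration; it is not code from Tripwire, AIDE, Samhain or OSSEC. The directory, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, bufsize=1 << 20):
    """Stream the file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Return the paths that were modified, added or removed."""
    return {
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed sample tree: take a baseline, change files, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "motd").write_text("welcome\n")
        # Keep the baseline outside the monitored tree, ideally on read-only
        # or remote storage; otherwise whoever alters a file can alter it too.
        db = Path(tmp) / "baseline.json"
        db.write_text(json.dumps(snapshot(root)))

        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # tampered
        (root / "motd").unlink()                                     # deleted
        (root / "cron.sh").write_text("echo constructed\n")         # new file
        return compare(json.loads(db.read_text()), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```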

Using Hashes for Data Deduplication

Cryptographic hashes can also be used to identify duplicate data for data deduplication. Deduplication removes redundant copies of files to save storage space and network bandwidth. It works by:

  1. Hashing files and data streams.
  2. Identifying files with identical hash values.
  3. Keeping only one copy of files with duplicate hashes.
  4. Replacing the other redundant copies with pointers to the single copy.

This technique is used for deduplication in cloud storage, file systems, and data backups. Software checks hashes first before transferring data, allowing duplicate data to be excluded.

For example, cloud storage services like Dropbox use deduplication across users’ accounts. If two users upload the same file, it is only stored once on the backend while both users retain access.
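The four steps above and the two-user case, as an added example that is not part of the original article and not any provider's implementation: an in-memory content-addressed store that keeps one copy per digest and gives each user a pointer to it. The class, owner names and file contents are constructed for the demo.

```python
import hashlib

class DedupStore:
    """Content-addressed store: one blob per distinct SHA-256 digest."""

    def __init__(self):
        self.blobs = {}      # digest -> bytes (the single stored copy)
        self.refs = {}       # digest -> number of pointers to that blob
        self.pointers = {}   # (owner, filename) -> digest

    def put(self, owner, filename, data):
        """Store data for owner; return True if new bytes had to be stored."""
        # Equal digests are treated as equal content, so the hash must be
        # collision-resistant (SHA-256 here, not MD5 or SHA-1).
        digest = hashlib.sha256(data).hexdigest()
        old = self.pointers.get((owner, filename))
        if old == digest:
            return False
        if old is not None:
            self._release(old)
        is_new = digest not in self.blobs
        if is_new:
            self.blobs[digest] = data
        self.refs[digest] = self.refs.get(digest, 0) + 1
        self.pointers[(owner, filename)] = digest
        return is_new

    def get(self, owner, filename):
        return self.blobs[self.pointers[(owner, filename)]]

    def delete(self, owner, filename):
        self._release(self.pointers.pop((owner, filename)))

    def _release(self, digest):
        self.refs[digest] -= 1
        if self.refs[digest] == 0:   # last pointer gone: free the blob
            del self.refs[digest], self.blobs[digest]

def demo():
    """Two owners upload the same constructed 1000-byte file."""
    store = DedupStore()
    report = bytes(1000)
    a = store.put("alice", "q3.pdf", report)
    b = store.put("bob", "copy-of-q3.pdf", report)
    store.put("bob", "notes.txt", b"different content")
    logical = sum(len(store.blobs[d]) for d in store.pointers.values())
    physical = sum(len(v) for v in store.blobs.values())
    store.delete("alice", "q3.pdf")
    still_there = store.get("bob", "copy-of-q3.pdf") == report
    return a, b, logical, physical, still_there
```

If the result of `put` is observable across accounts, for example as a skipped upload, it tells one user that someone else already stores the same file, so cross-user deduplication should not expose it to clients.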

Hash-based deduplication can significantly reduce storage requirements and costs when there is a lot of repetitive data.

Conclusion

In summary, cryptographic hashes like MD5, SHA-1, and SHA-256 are indispensable tools for many security and forensic tasks. By generating unique identifiers for data, hashes can verify integrity, fingerprint files, detect duplicates, and support cyber investigations. Understanding how to properly find and utilize hashes is an important capability for any IT security or digital forensics role.