File Hashing with Built-In OS Tools
This post illustrates calculating the hash value of a file using built-in command-line tools in Windows and in MacOS. Most analysts use the hash value to search for matches against known malicious files (usually by searching for the hash value in Virustotal.com and other malware analysis repositories). The primary use, however, is to verify the integrity of a file by comparing a known valid hash against a freshly calculated one. If the two values are identical, the file has not changed. If the hash values differ, the file being tested is not the same as the original and may have been tampered with.
Windows
The tool certutil.exe (documentation) is a command-line program installed as part of Windows Certificate Services. It can also be used by an analyst to calculate the hash value of a file. This eliminates the need and risks of uploading the file to the hash calculator on the Internet or transferring the file to another system just to calculate the hash value. Here are the steps:
Open a command prompt.
Type: certutil -hashfile <path to the file>
This default usage returns the SHA1 hash value of the file. You can select a different hash algorithm by appending the name of the desired algorithm to the command:
certutil [options] -hashfile InFile [HashAlgorithm]
The available algorithms are SHA1, SHA256 and MD5. Below is a screenshot of an example:
MacOS
MacOS is a Unix-based operating system and has had built-in file hashing tools for a long time. Two notable tools are shasum (documentation) and md5 (documentation). Below is a screenshot demonstrating their usage in the MacOS Terminal.
Conclusion
By using these built-in tools, analysts can calculate hash values of suspect files locally, and the inconvenience and risk of using external or third-party tools are eliminated.