To clear up any confusion, when I refer to sha*sum, I'm referring to most of the command line hashing programs that come with most linux distributions by default. (md5sum, sha512sum, sha256sum) So just replace sha*sum with the cli hash utility you're currently using. If you want to see what hashing utilities you have on your system, you can have a look in /bin to see what you've got! This is a quick and dirty way to see.
ls /bin | grep sum
If you've already read the gtkhash section of the course, you'll know the basics of how hashing works from a high level, and why it's useful for a forensic investigation, to avoid wasting your time, I will quickly explain how to use 99% of command line hashing tools and then go into further detail about some things that are a little more advanced. (moar content!)
Starting off with the basics of the basics, if you want to hash a file using the command line, type the following (obviously remember to change sha*sum to your preferred hash program!)
sha*sum <file_you_want_to_hash>
So if all you wanted to know was how to get the hash of a file, that should do it. It will just print the hash of the corresponding file to standard output in the terminal. Now if you want to learn some more things you can do involving bash and these utilities, stick around.
Something you might commonly hear after you've used Linux enough is "in Linux, everything is a file". So if that's the case, then technically we could hash anything on the system, couldn't we? Let's see some common examples of things that can be hashed! A fun little list I've cobbled together shows you some of the fun things you can use sha*sum on.
echo "Hello" | sha*sum
sha*sum /dev/null
mat2 -s <your_file> | sha*sum
wget https://git.i2pd.xyz/Left4Code/L4C_Forensics_CTF/ -O h1.html && sha*sum $_
Basically, you can hash whatever your heart desires if you're thinking hard enough. I'll manipulate some of the above examples to instead be forensics-oriented in the next section.
Take this scenario for example. You're a forensic investigator and need to always be completely sure that the content given to you by someone (let's say a laptop hard-drive) will keep it's integrity and it can always be verified that nobody has modified it. How would we do that? Well.. With that new knowledge about hashing you just learned, you know that we can use it to hash the files on the drive. But let's go a step further, remember that saying "In Linux, everything is a file"? This includes drives. So instead of hashing out every single file on the drive, just hash the drive file! If anything on the drive changes, the hash will change when verified again and then you can restore from a backup or take the necessary action based on your hashing precaution. To hash a drive, it's pretty simple, you can first use another command line utility (dd) to generate a drive image, then hash it! (In the example below, sdX will need to be changed to the drive you actually want to hash.)
sudo dd if=/dev/sdX of=/<your_dir>/<drive_dump> bs=4M status=progress && sha*sum <drive_dump>
Once we generate the .dd file for the target drive and generate the hash for it, we would theoretically be able to pass this to another investigator without the fear of it being modified and nobody knowing about it.
If you don't have the disk space to copy your entire drive to another one. Then you can run this command which will directly generate a hash from your drive and only read from it and not write to it.
sha*sum /dev/sdX
If you want to check what drives you have available to be hashed on the system, you can use the following command to check:
lsblk
This would only be for the cases where you can't use dc3dd, because it has the ability to hash the .dd file immediately after and this is not necessary. However, using sha*sum on files can still be useful for things like creating hash databases, getting known hashes and inputting them into something like autopsy or sleuthkit to automatically scan for them when looking through a drive, and hashing a live linux system.
When you normally work with sha*sum, you will not be able to save the output of the hash you generate to a file, there's no -o option and it just prints to standard output so you'll have to use the shell to save the output to a file.
sha*sum <file_youre_hashing> > <output_file>
When specifying sha*sum to read in binary mode with the -b flag, this is specifically used so that binary and other files which need very careful attention to detail are read properly, sha*sum does this by reading the input file byte by byte instead of text character by text character, it is very rare that you will ever use this, but it's good to know that it exists if you need to use it for very specific circumstances where a file is presenting two different hashes depending on the mode specified.
sha*sum -b <file_youre_hashing> > <output_file>
This is honestly useful even without the forensic context, it's important to verify the hashes of software you're downloading to ensure that the software is coming from the developers and has not been modified by a third party. The complete version of this involves using pgp keys in combination with the hashes, but to keep this simple (and also because I have no idea how to do it, when I figure it out I will update this) I will just show the check functionality for sha*sum
Let's use this scenario: I'm the developer, and I want to prove to the user that the executable they are downloading comes from me and has not been tampered with, I would first hash the executable to a file like so:
sha*sum --tag <the_executable> > <the_hash_file>
the "--tag" makes it so sha*sum won't throw a beginning error when you check the hash file against the file you're running sha*sum on and sha*sum will add a little more content to the ouput file showing the correlation of the file and the hash, not putting --tag does not negatively impact sha*sum's ability to check the hash file compared to what it is being ran against. I would then include the hash file and the executable file together so that the user can download both, then, as the user, I would download both and then run the following command:
sha*sum -c <the_executable> <the_hash_file>
The output of this command should say OK somewhere in the terminal, if it does not, and says FAILED: checksum did not match, then you know someone's up to some funny business and you probably shouldn't install that piece of software.
This covers most of the functionality of the sha*sum utilities and the md*sum utilities. With this you should be able to hash basically anything you want and be able to check and verify that hashes you receive are correct and actually coming from a valid source.