Hashing Files
Protecting Your Evidence
A hash is like a digital fingerprint. When you run a hash on a folder (or the files inside it), you generate a long, unique string of letters and numbers. If even one single bit changes, one pixel in an image, one character in a document, one byte in a video, the hash will change completely.
That matters because digital evidence is easily altered. Files can change accidentally (by opening and re-saving), by corruption, by syncing software, by malware, or by intentional tampering. Without a hash, you cannot prove the file you’re presenting today is the same file you originally collected.
Hashing protects you in three major ways:
First, it protects integrity. You can show that the evidence has not been altered since acquisition.
Second, it protects credibility. If someone challenges your findings, you can demonstrate mathematically that the data is unchanged. That makes your work defensible in court, in client disputes, or in public investigations.
Third, it protects against accusations. In adversarial environments, which OSINT and investigations often are, someone may claim you fabricated, edited, or manipulated evidence. A properly documented hash quickly shuts down that argument.
Think of it this way:
If you don’t hash your evidence, you’re basically saying, “Trust me, I didn’t change anything.”
If you do hash your evidence, you’re saying, “You don’t have to trust me. Verify it yourself.”
That shift, from trust to verification, is what makes professional investigative work defensible.
Below are ways your own machine can hash evidence in folders. These methods will hash the content of the folders individually and provide a log. They will not hash the interior of subfolders, and every folder must be hashed individually.
Windows
Use the built-in CertUtil. Open PowerShell and type:
CertUtil -hashfile "C:\path\to\your\file.pdf" SHA256
Drag-and-Drop Folders “Hash + Log” (No install)
Step A — Create hash_drop_sha256.bat
Right-click Desktop → New → Text Document
Rename it to: hash_drop_sha256.bat
Choose Edit, then copy and paste the following:
@echo off
rem Delayed expansion is not needed here and would strip "!" from file paths
setlocal
if "%~1"=="" (
echo Drag-and-drop a file onto this .bat to hash it.
pause
exit /b
)
set "target=%~1"
rem Build the timestamp on its own (the %date% layout depends on regional settings)
set "stamp=%date:~-4%%date:~4,2%%date:~7,2%_%time:~0,2%%time:~3,2%%time:~6,2%"
rem Pad a single-digit hour with 0 without touching spaces in the folder path
set "stamp=%stamp: =0%"
rem Create a log file in the same folder as the dropped file
set "log=%~dp1hashlog_SHA256_%stamp%.txt"
rem The first line creates the log with ">"; every later line appends with ">>"
echo ==========================================> "%log%"
echo Evidence Hash Log (SHA256) >> "%log%"
echo Created: %date% %time% >> "%log%"
echo ==========================================>> "%log%"
echo File: "%target%" >> "%log%"
echo. >> "%log%"
certutil -hashfile "%target%" SHA256 >> "%log%"
echo. >> "%log%"
echo Done. Log saved to: "%log%"
echo.
type "%log%"
pause
Drag any file onto hash_drop_sha256.bat. The script:
Hashes the file with SHA256 using the built-in certutil
Creates a timestamped log file in the same folder
Shows the output on screen
No installs, minimal user error, perfect for training labs.
macOS
Open Terminal and type:
shasum -a 256 /path/to/your/file.pdf
Folders “Hash + Log” (No install)
Download the attached hash_folder.zip file. Double-click and extract the file. Save the .sh file to your username folder (in Finder).
In the Finder view, go to your MacBook folder and find the Users folder. Inside the Users folder, right-click the username folder and choose "New Terminal at Folder".
In the folder Terminal, type:
chmod +x hash_folder.sh
To hash the folder with a log of hashed files:
Open Terminal:
Shortcut: Press Command (⌘) + Spacebar. Action: Type terminal and hit Enter.
Type in the following and add your folder path:
./hash_folder.sh /path/to/folder
To find the path for any Mac files or folders, select the file/folder and press Option + Command + C to copy the path immediately.
Example hash command:
./hash_folder.sh /Users/kirbyplessas/Desktop/EVIDENCE_CASE_001
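The hash_folder.sh script is a download and is not shown on this page. The following is an added example, not the author's script: it writes a SHA-256 manifest for the files directly inside a folder (no subfolders, as described above) and later re-checks the folder against that manifest. The function names, script name and manifest layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the page's hash_folder.sh): SHA-256 manifest + re-check.
# Assumptions: the manifest is stored OUTSIDE the evidence folder; file names
# contain no backslashes or newlines; dotfiles and subfolders are skipped.

# Use sha256sum where present (Linux), otherwise shasum -a 256 (macOS).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# make_manifest FOLDER MANIFEST: one "hash  ./name" line per top-level file.
make_manifest() {
    folder=$1; manifest=$2
    (
        cd "$folder" || exit 1
        for f in *; do
            [ -f "$f" ] || continue      # skip subfolders
            sha256_tool "./$f"           # "./" guards names starting with "-"
        done
    ) > "$manifest"
}

# verify_manifest FOLDER MANIFEST
# Re-hashes every listed file; returns non-zero if any is changed or missing.
verify_manifest() {
    folder=$1; manifest=$2; rc=0
    while read -r want name; do
        if [ ! -f "$folder/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        have=$(cd "$folder" && sha256_tool "$name" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "CHANGED  $name"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Saved as a script: sh evidence_hash.sh make|verify FOLDER MANIFEST
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Keep a copy of the manifest somewhere the evidence folder's owner cannot edit, so the recorded hashes can be checked independently of the files.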
Important Note About macOS Gatekeeper
If someone downloads the script from the internet, macOS may block it the first time.
If they see:
“cannot be opened because it is from an unidentified developer”
They can run:
xattr -d com.apple.quarantine hash_folder.sh
Then:
chmod +x hash_folder.sh
That removes Apple’s quarantine flag.