ZeroTrace OSINT
Files & Hashes
Four tools for hashing files in eleven algorithms, identifying unknown hashes, and extracting IOCs from messy text.
The Files & Hashes discipline is the small-but-essential category that handles file-level investigation work — fingerprinting binaries, identifying unknown hash strings, and extracting indicators-of-compromise from logs and unstructured text.
The tools here are utilitarian. They run fast, work on large inputs, and have minimal external dependencies.
What's in this section
| Tool | What it does | Best when |
|---|---|---|
| File hasher | Hash any file in eleven algorithms (MD5, SHA-1, SHA-256/384/512, SHA-3, CRC, BLAKE2/3, ssdeep, TLSH, ImpHash) plus magic-byte file-type detection | Verifying integrity, looking up hashes externally, fuzzy-matching similar files |
| Hash detector | Identify the algorithm of a hash string from its format alone | A hash arrived in a report and you do not know what it is |
| IOC extractor | Bulk-extract IPs, URLs, emails, hashes, JWTs, AWS keys, MAC addresses, and credit-card PANs from messy text | A log file, a paste, or any unstructured text full of indicators |
Common starting points
| You have... | Best first tool |
|---|---|
| A binary file from a malware sandbox | File hasher |
| A hash string in a threat report | Hash detector |
| A long log file with indicators scattered through it | IOC extractor |
| A folder of files of mixed origin | File hasher (bulk mode) |
Working together
The three tools chain naturally:
- IOC extractor pulls hashes out of a paste.
- Hash detector tells you what each hash is.
- File hasher, applied to your local copy of the suspect file, lets you confirm whether you have the same file.
For SOC and incident-response work, this three-step chain is run dozens of times a day.
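The three-step chain above, as an added Python example that is not ZeroTrace's own code. The function names, the candidate table and the sample paste and file are assumptions constructed for illustration; it shows that length alone only yields candidate algorithms, and hashing the local copy settles which one applies.

```python
import hashlib
import os
import re
import tempfile

# Hex digest length -> hashlib algorithms with that output size (assumed subset).
# Format alone is ambiguous: several algorithms share a length.
CANDIDATES = {
    32: ["md5"], 40: ["sha1"],
    64: ["sha256", "sha3_256", "blake2s"],
    96: ["sha384", "sha3_384"],
    128: ["sha512", "sha3_512", "blake2b"],
}
# Standalone hex runs; the lookarounds reject slices of longer hex strings.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,128}(?![0-9A-Fa-f])")

def extract_hashes(text):
    """Step 1: pull unique hash-shaped strings out of unstructured text."""
    found = {m.group(0).lower() for m in HEX_RUN.finditer(text)}
    return sorted(h for h in found if len(h) in CANDIDATES)

def detect(hash_str):
    """Step 2: candidate algorithms, judged from length alone."""
    return CANDIDATES.get(len(hash_str), [])

def confirm(path, hash_str):
    """Step 3: hash the local file with each candidate; return the match or None."""
    for name in detect(hash_str):
        digest = hashlib.new(name)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        if digest.hexdigest() == hash_str.lower():
            return name
    return None

def demo():
    """Run the chain on a constructed paste and a constructed 'suspect' file."""
    data = b"constructed sample file contents\n"
    paste = (f"2024-01-01 alert sha={hashlib.sha3_256(data).hexdigest().upper()} "
             f"also seen md5 {hashlib.md5(b'other file').hexdigest()}")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        return {h: confirm(path, h) for h in extract_hashes(paste)}

if __name__ == "__main__":
    print(demo())
```

A `None` result means the local file is not the one the indicator refers to, or that the hash was produced by an algorithm outside the candidate table.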
What this section does not cover
- Sandbox detonation. No "run this binary and see what happens" capability. For that, use a dedicated sandbox (Hybrid Analysis, Joe Sandbox, Any.Run).
- Reverse engineering. No disassembler, no decompiler, no debugger. The hasher's "magic-byte file-type detection" tells you what kind of file you are looking at; for analysis of the file's behaviour, you need different tools.
- Live antivirus scanning. The toolkit does not run AV signatures against files. It surfaces hash-lookup URLs (VirusTotal-by-hash, AlienVault OTX) so you can check the hash externally without uploading the file.