ZeroTrace OSINT
File Hasher
Hash any file in eleven algorithms, plus ssdeep / TLSH fuzzy hashing, ImpHash for PE files, magic-byte file-type detection, and external lookup URLs.
The file hasher computes hashes of any file in eleven algorithms, plus fuzzy / locality-sensitive hashes for similarity matching, plus PE-specific ImpHash for Windows executables, plus magic-byte file-type detection. It also constructs lookup URLs for external hash-reputation services so you can paste-and-go without uploading the file.
Algorithms supported
| Algorithm | When to use |
|---|---|
| MD5 | Legacy compatibility — many tools and reports still use it. Cryptographically broken; do not use for integrity. |
| SHA-1 | Legacy compatibility. Cryptographically weak; do not use for integrity. |
| SHA-256 | Modern default. The hash to publish for integrity verification. |
| SHA-384 / SHA-512 | When SHA-256 is not strong enough (rare in OSINT contexts) |
| SHA-3 (256/384/512) | Modern alternative to SHA-2 family |
| CRC32 / CRC64 | Non-cryptographic; useful for quick deduplication only |
| BLAKE2b / BLAKE2s | Fast modern cryptographic hash |
| BLAKE3 | Faster than BLAKE2, modern cryptographic hash |
Fuzzy / similarity hashes
| Algorithm | What it does |
|---|---|
| ssdeep | Context-triggered piecewise hashing. Two similar files produce similar ssdeep hashes; the diff is computable. |
| TLSH | Locality-sensitive hash. Like ssdeep but better behaved for many file types. |
Use these when you need to detect "is this file similar to a known-bad file?" rather than "is this file identical to a known-bad file?". Particularly useful for malware variants — small modifications to a known sample produce nearby ssdeep / TLSH but completely different SHA-256.
ImpHash (PE files)
For Windows PE executables (.exe, .dll, .sys), ImpHash is the MD5 of the executable's import table. Two PE files with the same ImpHash share the same imported functions in the same order — strong signal of common origin even when the rest of the binary differs.
The tool detects PE files by magic bytes and computes ImpHash automatically.
Authentihash (signed PE files)
For signed PE files, Authentihash excludes the signature itself from the hash. Two binaries with the same Authentihash are the same binary in everything except the signature — useful for spotting re-signed malware.
Magic-byte file-type detection
Independent of the file extension, the tool reads the file's first bytes and identifies the actual format:
MZ— Windows PE.\x7fELF— Linux / Unix ELF binary.PK— Zip-family (Zip, JAR, APK, DOCX, XLSX).%PDF— PDF.<?xml— XML.{— likely JSON.- Image magic bytes for JPEG, PNG, GIF, BMP, TIFF, WebP, HEIC.
- Many more.
A file extension that does not match the magic bytes is a finding (.txt extension on a PE binary, for instance).
Magic-byte detection is the cheapest sanity check in the toolkit. A "report.pdf" that is actually a Windows PE is one of the oldest tricks in the book; magic-byte detection surfaces it instantly.
External lookup URLs
The tool constructs deep links to external hash-reputation services without uploading the file:
- VirusTotal —
https://www.virustotal.com/gui/file/<sha256>— checks whether VT has seen this hash before. - AlienVault OTX —
https://otx.alienvault.com/indicator/file/<sha256> - Hybrid Analysis — search URL pre-filled with the hash.
- Joe Sandbox — search URL pre-filled with the hash.
Click any link and the lookup happens in your browser. The hash leaves your machine; the file does not.
Bulk file hashing
Pass a folder. The tool processes every file in parallel (with bounded concurrency). The aggregate result is a table of filename, magic-byte type, all hashes, and external lookup URLs.
For incident-response work, this is the standard "hash everything in this directory and check for any matches" workflow.
Pivots
| Click on... | Pivot to |
|---|---|
| Hash | Hash detector (confirm algorithm), external lookup URLs |
| Magic-byte type | (no pivot — informational) |
| File path | (no pivot — informational) |
Sources
- All hashing runs locally — no network calls.
- Magic-byte detection runs locally with a bundled signature catalog.
- External lookup URLs are constructed locally; the hash leaves your machine only when you click and only to the lookup engine (not to ZeroTrace).
The tool can hash gigabyte-sized files. Performance is bound by disk speed.