Jay Taylor's notes

Fuzzy Hashing and ssdeep

Original source (ssdeep.sourceforge.net)
Tags: cyber-security ssdeep context-triggered-piecewise-hashes CTPH fuzzy-hashes ssdeep.sourceforge.net
Clipped on: 2014-04-16

ssdeep - Latest version 2.10


Introduction

ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
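The matching behaviour described above can be seen in a simplified sketch, added here as an example; it is not ssdeep's code or API. The rolling sum, the FNV-1a chunk hash, the fixed block size, the helper names and the sample buffers are all assumptions made for illustration.

```python
import hashlib

WINDOW = 7  # a chunk boundary depends only on the last 7 bytes seen
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fnv1a(chunk: bytes) -> int:
    """32-bit FNV-1a, used here as the per-chunk (piecewise) hash."""
    h = 0x811C9DC5
    for b in chunk:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h

def ctph_signature(data: bytes, block_size: int = 16) -> str:
    """One signature character per chunk; a chunk ends where the rolling
    sum of the last WINDOW bytes hits the trigger value."""
    sig, start, rolling = [], 0, 0
    for i, byte in enumerate(data):
        rolling += byte
        if i >= WINDOW:
            rolling -= data[i - WINDOW]              # slide the window
        if rolling % block_size == block_size - 1:   # context trigger
            sig.append(B64[fnv1a(data[start:i + 1]) & 63])
            start = i + 1
    if start < len(data):                            # trailing partial chunk
        sig.append(B64[fnv1a(data[start:]) & 63])
    return "".join(sig)

def shared_ends(a: str, b: str) -> int:
    """Length of the common prefix plus the non-overlapping common suffix."""
    n = min(len(a), len(b))
    pre = 0
    while pre < n and a[pre] == b[pre]:
        pre += 1
    suf = 0
    while suf < n - pre and a[-1 - suf] == b[-1 - suf]:
        suf += 1
    return pre + suf

# Constructed sample input: a 2048-byte buffer and a copy with 14 bytes inserted mid-file.
ORIGINAL = bytes(i % 256 for i in range(2048))
MODIFIED = ORIGINAL[:1000] + b"<<INSERTED>>\r\n" + ORIGINAL[1000:]

if __name__ == "__main__":
    for name, buf in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, hashlib.sha256(buf).hexdigest()[:16], ctph_signature(buf))
    a, b = ctph_signature(ORIGINAL), ctph_signature(MODIFIED)
    print(f"{shared_ends(a, b)} of {len(a)} signature characters survive the insertion")
```

Because each boundary decision looks only at the last 7 bytes, an insertion can disturb at most the chunk it lands in and the few chunks that begin within 6 bytes after it; every other chunk hashes to the same character, while the SHA-256 of the two buffers differs completely.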

A complete explanation of CTPH can be found in "Identifying almost identical files using context triggered piecewise hashing" from the journal Digital Investigation. A free version of this paper is available through the Digital Forensic Research Workshop conference.

There are some usage scenarios in the Quickstart guide and the Forensics Wiki entry on ssdeep.

The package also includes a fuzzy hashing API. The API is documented in the file API.TXT in the Windows distribution and README in the source code package.

See Also

The math behind fuzzy hashing was originally developed by Dr. Andrew Tridgell in a spam detector he called spamsum.

Supported Platforms

Microsoft Windows

The program runs on Microsoft Windows 2000, XP, 2003, and Vista. It is not supported on Windows 95, 98, Me, 3.1, 3.11, or 3.11 for Workgroups.

*nix

The program has been tested on Open Solaris, FreeBSD, Linux, and Mac OS X. It should compile and run on any other platform that is supported by the GNU Build Tools.

Download

Stable Version

The latest stable version of ssdeep is version 2.10, released on 17 Jul 2013. You can take a look at the complete changelog, but here are the changes in the latest version:

  • Fuzzy Hashing engine re-written to be thread safe.
  • Able to handle long file paths on Win32.
  • Fixed bug on comparing signatures with the same block size.
  • Fixed crash on comparing short signatures.

Version 2.10, 17 Jul 2013:

  • Windows binary SHA256: dc4350b6d0190d8149ac53454d9ffd458b08a8cd69b2c841c62700254c1916c7
  • Source code SHA256: 5b893b8059941476352fa1794c2839b2cc13bc2a09e2f2bb6dea4184217beddc

Beta Version

There is no beta version of ssdeep right now. If you have any problems or would like to see something added to ssdeep, please send mail to the developer at research (at) jessekornblum (dot) com or visit the Sourceforge project page.

Older Versions

Although older versions of ssdeep are available for historical purposes, you shouldn't use these unless you have a truly compelling reason.


License

The ssdeep program and its API are licensed under the terms of version 2 of the GNU General Public License.



About the developer

ssdeep was written by Jesse Kornblum of the ManTech International Corporation. Please send all correspondence to research (at) jessekornblum (dot) com.



Acknowledgements

Code for the threshold mode contributed by Jason Sherman. The testing of this program was made possible in part thanks to the generosity of the Computer Science Department at the University of Iowa.



This page was last updated on 17 Jul 2013.
