Forensic Hash Calculator

Compute MD5, SHA-1, SHA-256, and SHA-512 hashes for any number of files or folders. Analyze file entropy, detect disguised files by magic bytes, check against known-bad hash sets, and export court-ready reports. All client-side. No upload.

lock No upload required folder_zip ZIP extraction verified Verify mode bar_chart Entropy analysis policy Known-bad detection download CSV export

save Saved locally in your browser. Never uploaded. Included in all reports.

upload_file

Drop files or folders here

or use the buttons below

ZIP files are automatically extracted and each entry is hashed.

lock100% private. Files never leave your browser. No upload. No server.
Algorithms

verified_user SHA-256 or SHA-512 is recommended for forensic integrity verification.

Add files to begin hashing. Results appear here as each file completes.

Hash Algorithms in Digital Forensics

Hash functions convert a file into a fixed-length fingerprint. Even a single changed bit produces a completely different hash, making these values essential for proving evidence has not been altered between acquisition and court presentation.

MD5128-bitLegacy
  • tag 32-character hex digest
  • history Standard from 1992 to ~2010
  • warning Practical collisions demonstrated in 2004
  • gavelNot sufficient as sole court hash
  • check_circle Pair with SHA-256 for legacy tool compatibility
  • lightbulb Still useful for quick duplicate detection
SHA-1160-bitDeprecated
  • tag 40-character hex digest
  • history NSA-designed; published 1995
  • dangerous First practical collision published 2017 (SHAttered)
  • gavelNIST deprecated for signatures & certificates
  • warning Defence may challenge evidence using SHA-1 alone
  • lightbulb If present in old files, add SHA-256 alongside it
SHA-256256-bitRecommended
  • tag 64-character hex digest
  • category SHA-2 family; published 2001
  • verified_user No known practical collisions
  • gavelAccepted worldwide in court; endorsed by NIST & SWGDE
  • check_circle Minimum standard for forensic chain of custody
  • lightbulb Use as your primary hash on all evidence
SHA-512512-bitMaximum
  • tag 128-character hex digest
  • category SHA-2 family; largest security margin
  • verified_user No known weaknesses, theoretical or practical
  • gavelPreferred for archival and high-stakes evidence
  • bolt Often faster than SHA-256 on 64-bit processors
  • lightbulb Strongest choice for expert witness testimony
info_outline MD5 may be computed alongside SHA-256 for legacy compatibility, but should not be relied upon as the sole integrity hash. For any new investigation, SHA-256 is the minimum recommended standard.

How to Use the Forensic Hash Calculator

1

Select algorithms

Choose one or more hash algorithms. MD5 and SHA-256 are pre-selected. Your selection is saved automatically for future visits. You can enable additional algorithms at any time, even after files are already hashed.

2

Add files or folders

Drag files, folders, or ZIP archives onto the drop zone, or use the Select buttons. ZIP files are automatically extracted and each entry hashed separately. Results are sorted A-Z, with ZIP contents nested under their archive.

3

Review and verify

  • Hashes appear as each file completes.
  • Entropy chip shows file randomness. High entropy on a plain-looking file can indicate encryption or packing.
  • Amber badge flags any file whose detected type does not match its extension.
  • Duplicate files are automatically grouped together.
  • Known-bad hash matches are highlighted in red.
4

Export your report

  • Fill in Case Details: case number, examiner name, and organization. Saved automatically and included in every report.
  • Click the report icon on any row to copy a per-file forensic summary.
  • Use "Copy Report" for all files at once.
  • Use "Export CSV" for a spreadsheet with hashes, entropy, known-bad flags, and mismatch warnings.

Who Uses This Tool

The Forensic Notes Hash Calculator is used by digital forensics professionals, law enforcement, and legal teams who need court-admissible hash documentation without uploading sensitive evidence files to a third-party server.

gavel

Evidence integrity verification

Compute SHA-256 or SHA-512 hashes before and after evidence acquisition to prove files have not been altered. Compare values against hashes recorded at seizure to satisfy chain of custody requirements accepted by NIST and SWGDE guidelines.

folder_zip

Forensic image validation

Hash disk images, container files, and ZIP archives before submitting to court or transferring between examiners. The tool hashes the container and its extracted contents, giving you a complete manifest of every file within an archive.

content_copy

Duplicate and copy detection

Automatically identify files with identical content across different filenames or folder locations. Useful for confirming that a working copy matches the original, or for finding redundant evidence files in a large collection.

shield

Sensitive investigations

Because all processing happens entirely in your browser, this tool is safe to use with confidential or restricted files. No data is transmitted to any server at any point. Suitable for law enforcement, legal proceedings, and corporate investigations where data sovereignty is a requirement.

description

Court-ready documentation

Enter a case number, examiner name, and organization in the Case Details panel. Every report generated - per-file or full export - automatically includes this information at the top. Hash values, entropy, and file type warnings are formatted for direct use in case notes, legal exhibits, or court filings.

security

Malware triage

Identify suspicious files using multiple signals: high entropy (7.2+) suggests encryption or packing, magic bytes mismatches flag files disguised with false extensions, and known-bad hash set imports let you cross-reference against threat intelligence feeds. Combine with the VirusTotal integration to check SHA-256 hashes against 70+ antivirus engines without uploading files.

Frequently Asked Questions

MD5, SHA-1, SHA-256, and SHA-512. MD5 and SHA-256 are selected by default. SHA-256 is the most widely used algorithm for forensic chain of custody documentation. MD5 is included for compatibility with legacy tools and verification of existing hash values.

Your algorithm selection is saved automatically in your browser and restored on your next visit.

No. All hashing is performed entirely in your browser using the Web Crypto API (SHA-1, SHA-256, SHA-512) and SparkMD5 (MD5). Your files never leave your device at any point during the process.

You can verify this yourself using either method below.

Method 1: Disconnect from the internet

  1. Disconnect your device from Wi-Fi or unplug your network cable.
  2. Reload this page (it may load from your browser cache, or you may need to have it open already).
  3. Drop a file onto the tool and compute hashes.
  4. The tool works identically offline. If any data were being sent to a server, it would fail or stall with no network connection.

Method 2: Monitor network traffic in your browser

  1. Open your browser's Developer Tools: press F12 (Windows/Linux) or Cmd+Option+I (Mac).
  2. Click the Network tab.
  3. Check Preserve log so requests are not cleared between actions.
  4. Drop a file onto the tool and wait for hashing to complete.
  5. Review the network log. You will see no outbound requests triggered by file processing. The only requests visible will be the initial page load assets already in your browser cache.

The hashing code runs entirely inside a JavaScript context within your browser tab. There is no backend, no API call, and no telemetry tied to file content or hash values.

When you add a ZIP file, the tool first hashes the ZIP archive itself (important for chain of custody), then extracts and hashes each file inside. Nested ZIPs up to three levels deep are also extracted. Password-protected ZIPs are identified with a warning badge, and their contents are skipped.

Paste a known hash value into the verify field at the top of the results table. The tool will compare it against all computed hashes. Matching files are highlighted in green with a "Verified" badge. Non-matching files are highlighted in red. This is useful for confirming evidence integrity against published hash values.

You can optionally check SHA-256 hashes against the VirusTotal database. Enter your free VirusTotal API key in the VT settings panel, then click "Check" on individual rows or "Check All" to queue all files. Results show detection counts from 70+ antivirus engines. The API key is stored only in your browser's localStorage and is never transmitted to Forensic Notes servers.

Shannon entropy measures how random or compressed a file's data appears. The scale runs from 0 (completely uniform, such as a file filled with zeros) to 8 (perfectly random, like an encrypted or well-compressed file). The tool displays a color-coded chip for each hashed file:

  • Very Low (0.00–3.49, gray): sparse data, text files, or files with a very limited character range
  • Normal (3.50–5.99, blue): typical office documents, source code, databases
  • High (6.00–7.19, amber): compressed archives, images, or audio files
  • Encrypted / Packed (7.20–8.00, red): encrypted data, packed executables, or ransomware-encrypted content

High entropy on a file with a plain extension (such as .txt or .doc) can indicate that the file has been encrypted or obfuscated. This is a useful first-pass triage signal when reviewing a collection of unknown files.

Every file format begins with a specific sequence of bytes called a magic number or file signature. The tool reads the first 32 bytes of each top-level file and compares them against a library of known signatures including JPEG, PNG, GIF, BMP, PDF, ZIP, EXE, ELF, RAR, GZIP, 7-Zip, SQLite, MP3, MP4, WAV, AVI, WebP, OGG, FLAC, and more.

If the detected type does not match the file extension, an amber warning badge appears in the filename cell showing the actual detected type. This helps identify renamed or disguised files during forensic triage.

ZIP-family formats such as DOCX, XLSX, PPTX, JAR, and APK are correctly recognized as valid ZIP-based containers and are not flagged as mismatches. Detection only runs on directly added files, not on entries extracted from ZIP archives, since extracted entries are synthetic in-memory objects without reliable header access.

You can upload a plain text or CSV file containing known-bad hash values, such as a malware hash list from a threat intelligence feed, NSRL exclusion set, or your own investigation's hash list. The tool extracts all valid MD5 (32-char), SHA-1 (40-char), SHA-256 (64-char), and SHA-512 (128-char) hex strings from the file.

Every hashed file is checked against this set. Matches are flagged with a red "Known Bad" badge and a red left border on the row. The check runs immediately when the set is loaded and also applies retroactively to files already in the table. You can clear the set at any time using the Clear button in the Known Hash Sets panel.

The hash set is stored only in memory for the current session and is never sent anywhere.

The Case Details panel (above the drop zone) lets you record a case number, examiner name, and organization. These fields are saved automatically to your browser's localStorage and restored on your next visit, so you do not need to re-enter them each session.

Whenever any of these fields contain a value, they are automatically included at the top of every report: the per-file summary (copy icon on each row), the full Copy Report, and the row report overlay. This gives every exported record a consistent header identifying who ran the analysis and under which case, without any manual editing.

There are several options depending on what you need:

  • Per-file report: Click the green report icon on any row to copy that file's forensic summary (name, size, modified date, all hashes) directly to your clipboard for pasting into case notes.
  • Full report: Click "Copy Report" in the summary bar to copy a formatted report for all completed files.
  • CSV export: Click "Export CSV" to download a spreadsheet with all file names, paths, sizes, dates, and hashes.
  • Expand overlay: Click "Expand" to open the full-hash table in a wide overlay, useful for comparing full hash values side by side without truncation.

Yes. Click "Select Folder" or drag a folder onto the drop zone (Chrome and Edge support folder drag-drop). The tool will recursively hash all files in the folder. Alternatively, select multiple individual files using "Select Files."

Yes. If you enable an algorithm after files have already been processed, the tool automatically re-hashes all existing files for that algorithm in the background. You do not need to re-add your files. The new hash column appears and populates as each file is processed. Disabling an algorithm simply hides its column, no re-processing occurs.

When two or more files produce the same hash value, the tool automatically identifies them as duplicates regardless of their filenames. The first file added is marked as the primary with an amber "N copies" badge. All other copies are grouped as children directly beneath it, indented with a "Same file" indicator.

This is useful when the same evidence file exists under different names across folders, or when reviewing a collection for redundant copies. The deduplication is based on SHA-256 where available, falling back to SHA-512, SHA-1, or MD5.

Results are sorted A-Z by filename (case-insensitive). ZIP archives appear at their sorted position, with all extracted contents shown immediately beneath them, also sorted A-Z. Files extracted from nested ZIPs appear nested under their immediate parent archive.

Duplicate copies are grouped under their primary file regardless of where they would otherwise fall in the sort order.

MD5 is cryptographically broken for collision resistance, meaning two different files can theoretically produce the same MD5 hash. However, it remains widely used for quick integrity checks and compatibility with older forensic tools and case documentation. Always document both MD5 and SHA-256 hashes when building a court-ready chain of custody.

Document Evidence the Right Way

Hash values belong in your case notes alongside your observations, photos, and chain of custody records. Forensic Notes keeps everything court-ready and tamper-evident in one place.