Getting Started
From first install to a signed, timestamped manifest in five minutes.
Hash a single file
```
%%%% BLAZEHASH-1.0
%%%% size,blake3,filename
## blazehash v0.2.4
1048576,af1349b9f5f9a1a6a0404dea36dcc9499bcb25c9adc112b7cc9a93cae41f3262,/home/user/report.pdf
```
BLAKE3 by default. If the file changes by even one bit, the hash changes completely.
Hash a folder
-r walks the entire directory tree recursively. Output goes to the terminal by default.
Save to a manifest
manifest.hash is your snapshot: every file's path, size, and hash at the time you ran the command.
Verify nothing changed
-a enables audit mode. -k points to your saved manifest. blazehash re-hashes every file and compares.
Exit code 0 = all clear. Exit code 1 = something changed.
Sign the manifest
You'll be prompted for a password. blazehash derives an Ed25519 signing key from your password using Argon2id. Same password always produces the same key -- no key files to manage.
Record your public key
Write down or save the public key. Anyone verifying your signature needs it. The same password always produces the same public key, but you should record it separately as proof.
Verify a signature
Exit code 0 = valid. Exit code 1 = tampered or wrong key.
Audit auto-verifies signatures
When you audit with --expected-pubkey, blazehash checks the signature before comparing any hashes. An invalid signature aborts the audit immediately.
Audit output prefixes
| Prefix | Meaning |
|---|---|
| `[ok]` | Hash matches the manifest |
| `[!]` | Hash changed -- file was modified |
| `[-]` | File missing -- was in manifest, gone from disk |
| `[+]` | File added -- on disk but not in manifest |
| `[*]` | File moved -- same hash, different path |
| `[~]` | Fuzzy match -- similar but not identical (requires ssdeep/tlsh) |

```
[ok] /evidence/document.pdf
[!] /evidence/tampered.docx
[-] /evidence/deleted.png
[+] /evidence/new_file.exe
[*] /evidence/moved.txt
[~] /evidence/variant.exe FUZZY MATCH sim=87% <- malware/original.exe
```
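To make the prefixes concrete, this added example (an illustration in Python, not blazehash's own code) parses two manifests in the format shown under "Hash a single file" and classifies each path with the prefixes from the table. Assumptions: the filename is the last column, a move is reported under its new path, fuzzy `[~]` matching is left out, and the sample digests are constructed placeholders rather than real BLAKE3 values.

```python
HEADER = "%%%% BLAZEHASH-1.0"

def parse_manifest(text):
    """Parse a manifest into {path: (size, digests)}; '##' lines are comments."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing BLAZEHASH-1.0 header")
    columns, entries = None, {}
    for line in lines[1:]:
        if line.startswith("%%%%"):
            columns = line[4:].strip().split(",")   # e.g. size,blake3,filename
        elif line.strip() and not line.startswith("#"):
            if columns is None:
                raise ValueError("data row before column header")
            # Assumption: filename is the last column and may contain commas.
            fields = line.split(",", len(columns) - 1)
            if len(fields) != len(columns):
                raise ValueError(f"malformed row: {line!r}")
            entries[fields[-1]] = (int(fields[0]), tuple(f.lower() for f in fields[1:-1]))
    return entries

def audit(baseline, current):
    """Return (prefix, path) pairs sorted by path; fuzzy [~] is not attempted."""
    results = [("[ok]" if baseline[p] == current[p] else "[!]", p)
               for p in baseline.keys() & current.keys()]
    gone = {}                                   # (size, digests) -> paths no longer present
    for p in sorted(baseline.keys() - current.keys()):
        gone.setdefault(baseline[p], []).append(p)
    for p in sorted(current.keys() - baseline.keys()):
        if gone.get(current[p]):                # same content under a different path
            gone[current[p]].pop(0)
            results.append(("[*]", p))          # assumption: report the new path
        else:
            results.append(("[+]", p))
    results += [("[-]", p) for paths in gone.values() for p in paths]
    return sorted(results, key=lambda r: r[1])

def row(size, fill, path):                      # constructed 64-hex digest, not real BLAKE3
    return f"{size},{fill * 64},{path}"

def manifest(*rows):
    return "\n".join([HEADER, "%%%% size,blake3,filename", "## constructed sample", *rows])

BASELINE = manifest(row(10, "a", "/evidence/document.pdf"), row(20, "b", "/evidence/tampered.docx"),
                    row(30, "c", "/evidence/deleted.png"), row(40, "d", "/evidence/old/moved.txt"))
CURRENT = manifest(row(10, "a", "/evidence/document.pdf"), row(21, "e", "/evidence/tampered.docx"),
                   row(50, "f", "/evidence/new_file.exe"), row(40, "d", "/evidence/moved.txt"))

if __name__ == "__main__":
    for prefix, path in audit(parse_manifest(BASELINE), parse_manifest(CURRENT)):
        print(prefix, path)
```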
Configuration file
blazehash reads ./blazehash.toml in the current directory, then ~/.config/blazehash/blazehash.toml, and merges them with CLI flags taking priority.
```toml
[defaults]
algorithms = ["blake3", "sha256"] # default -c value
output_format = "hashdeep" # default --format value
sign_key_path = "~/.keys/evidence.key" # pre-loaded signing key
case_id = "CASE-2026-001" # embedded in every manifest header
examiner = "Jane Smith" # embedded in every manifest header
```
Any field omitted falls back to the built-in default.
Where to go next
You've got the basics: hash, save, audit, sign, verify. Here's where to go depending on what you need:
- Acquire Evidence -- full acquisition pipeline with direct I/O, resume, block devices, EWF images, and Google Drive (gdrive://URI)
- Build Court-Ready Evidence -- signing, cosigning, Bitcoin timestamps, HTML reports
- Hunt Threats -- NSRL filtering, HashDB flagging, YARA scanning, VirusTotal, entropy
- SIEM & Analytics -- export to Elastic, Splunk, STIX, Parquet, SQLite, DuckDB
- CLI Reference -- every flag and subcommand
- Cookbook -- more recipes for specific scenarios