ssdeep - Latest version 2.1



Introduction

ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
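The sketch below is an added illustration of the idea, not ssdeep's own code or API. It uses simplified stand-ins: a fixed block size, CRC32 over a 7-byte window as the trigger, FNV-1a as the piece hash, and difflib for scoring. All names and sample data are constructed for this example.

```python
import difflib
import random
import zlib

WINDOW = 7      # bytes of context that decide where a piece ends (assumed value)
BLOCK = 64      # fixed here; a boundary fires on about 1 in BLOCK positions
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT = 0x811C9DC5
FNV_PRIME = 0x01000193


def ctph_signature(data: bytes) -> str:
    """One base64 character per piece; a piece ends where the context triggers."""
    sig = []
    piece = FNV_INIT
    for i, byte in enumerate(data):
        piece = ((piece ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        if i + 1 < WINDOW:
            continue
        # Hash of the last WINDOW bytes only, so boundaries depend on local
        # content and realign shortly after an inserted or changed region.
        context = zlib.crc32(data[i + 1 - WINDOW:i + 1])
        if context % BLOCK == BLOCK - 1:
            sig.append(B64[piece % 64])
            piece = FNV_INIT
    sig.append(B64[piece % 64])  # trailing piece
    return "".join(sig)


def match_score(sig_a: str, sig_b: str) -> int:
    """0-100 similarity of two signatures (difflib stands in for ssdeep's scoring)."""
    matcher = difflib.SequenceMatcher(None, sig_a, sig_b, autojunk=False)
    return round(100 * matcher.ratio())


def demo() -> dict:
    rng = random.Random(2009)  # constructed sample data
    original = bytes(rng.getrandbits(8) for _ in range(8192))
    edited = original[:4000] + b"bytes inserted in between " * 2 + original[4000:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(8192))
    base = ctph_signature(original)
    return {
        "same": match_score(base, ctph_signature(original)),
        "edited": match_score(base, ctph_signature(edited)),
        "unrelated": match_score(base, ctph_signature(unrelated)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the pieces touching the inserted bytes change, so the edited input still scores close to the original, whereas a cryptographic hash of the two inputs would share nothing.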

A complete explanation of CTPH can be found in the paper Identifying almost identical files using context triggered piecewise hashing, published in the journal Digital Investigation. A free version of the paper is available through the Digital Forensic Research Workshop conference.

There are some usage scenarios in the Quickstart guide and the Forensics Wiki entry on ssdeep.

The package also includes a fuzzy hashing API. The API is documented in the file API.TXT in the Windows distribution and README in the source code package.

See Also

The math behind fuzzy hashing was originally developed by Dr. Andrew Tridgell in a spam detector he called spamsum.


Supported Platforms

Microsoft Windows

The program runs on Microsoft Windows 2000, XP, 2003, and Vista. It is not supported on Windows 95, 98, Me, 3.1, 3.11, or 3.11 for Workgroups.

*nix

The program has been tested on Open Solaris, FreeBSD, Linux, and Mac OS X. It should compile and run on any other platform that is supported by the GNU Build Tools.

Download

Stable Version

The latest stable version of ssdeep is version 2.1 and was released on 1 Jan 2009. You can take a look at the complete changelog, but here are the changes in the latest version:

Version 2.1, 1 Jan 2009
Windows binary SHA256: 182b9f06299fdd9c2029be0e5dcabae193f5bc61f2da744d93f45c4f72ded692
Source code SHA256: 6bd39b604547813511094deb3c79e183c4906869bf23ac0d4a714ea43cf8ac15

Beta Version

There is no beta version of ssdeep right now. If you have any problems or would like to see something added to ssdeep, please send mail to the developer at ssdeep (at) jessekornblum (dot) com or visit the Sourceforge project page.

Older Versions

Although older versions of ssdeep are available for historical purposes, you shouldn't use these unless you have a truly compelling reason.

Version 2.0, 2 Apr 2008
Windows binary SHA256: be93a7f288e2c798ae48234b2a05395035b2ade419b0c3da7acd909396a4b71c
Source code SHA256: 3fe8b8dea4ed52102f6cbcb00e7311ee1ccc19134d42f3525c10c8969543be58

Version 1.1, 14 August 2006
Windows binary SHA256: fb2390457b4a4ba7a63bb6c6f31da3e3d0001eede7e6344d7b60632747437166
Source code SHA256: 79aafa665aa4d79134c2f585674229ebe2306b77e9184fcc28b1d79de2161c44



License

The ssdeep program and its API are licensed under the terms of version 2 of the GNU General Public License.


About the developer

ssdeep was written by Jesse Kornblum of the ManTech International Corporation. Please send all correspondence to jesse (ddot] kornblum (at) mantech [dott) com.


Acknowledgements

Code for the threshold mode contributed by Jason Sherman. The testing of this program was made possible in part thanks to the generosity of the Computer Science Department at the University of Iowa.


This page was last updated on
