How to Create a File Hash Manifest (and Verify It Later)

Introduction

When you are responsible for a folder full of important files — a backup, a delivery, an audit pack, an evidence set — one question keeps coming back: are all of these files still exactly what they were? Checking them one by one does not scale. The practical answer is a file hash manifest: a list of files and their hashes that lets you re-verify the whole set in one pass. This guide explains what a manifest contains, why teams rely on one, and how to create and later verify a manifest on your own machine with e-Dex (formerly Hash Calculator).

What a File Hash Manifest Contains

A manifest is simply a table with one row per file. Each row records the file path (relative to the set so it stays valid if the folder moves), the file size in bytes, the hash algorithm used, the hash value itself, and the date the value was recorded. A cryptographic hash is a fixed-length fingerprint of a file's contents: change a single byte and the value changes completely. With those five fields, anyone can locate every file in the set and confirm that its bytes still match the fingerprint you recorded.

Why Teams Use a Manifest

A manifest turns “trust me, nothing changed” into something you can prove on demand. Auditors attach one to working papers so a client can confirm the data they received is the data that was handed over. Backup and IT teams record a manifest at backup time and re-check it after a restore to catch silent corruption. During large file transfers, a manifest confirms that every file arrived intact rather than truncated. And for evidence sets, it lets an investigator re-verify an entire batch months later instead of trusting memory. The shared idea is the same: record the fingerprints once, re-verify the whole set whenever you need to.

How to Create a Manifest

Creating a manifest is a two-move process. First, hash every file recursively: point e-Dex at the top folder and let it walk into every subfolder so nothing is missed. Second, export the list — e-Dex writes out each file's path, size, algorithm, hash value and date as a single manifest you can keep. Because the work happens locally, even very large sets are recorded in one pass without uploading anything. If your set is a single deep directory tree, our guide on how to hash a folder of files walks through the recursive scan in more detail.

How to Verify Against It Later

Verification reverses the process. You re-hash the file set with the same algorithm and compare each value against the manifest. e-Dex does the comparison for you and flags every discrepancy: a changed hash means the file was altered or corrupted, a missing path means a file was removed, and an unexpected extra file means something was added that was not in the original set. Instead of squinting at two columns of hex, you get a clear list of what matched and what did not, plus an overall result for the whole batch.

A Note on Formats

A manifest can live in more than one shape. The simplest is a plain checksum file — one hash and filename per line — which is tiny, human-readable and easy to share alongside a download. A richer structured manifest additionally carries sizes, algorithms, dates and an overall verification result, which is what you want for audits and evidence. Both serve the same purpose: a portable record you can re-verify on any machine. e-Dex can export the list so the set travels with its own proof of integrity.

Best Practices

Two habits make a manifest genuinely trustworthy. First, store the manifest separately from the files it describes — on different media or a different location — so a problem that corrupts the data does not silently corrupt its record at the same time. Second, sign or timestamp the manifest so any later edit is detectable; an RFC-3161 trusted timestamp seals the exact moment it was produced, and a digital signature binds it to whoever created it. For backup-specific workflows, our backup validation checklist shows where a manifest fits into a full restore test.

Frequently Asked Questions

What is a file hash manifest?
A file hash manifest is a list of files and their cryptographic hashes, usually with the relative path, size, algorithm and date for each entry. It lets you re-verify a whole set of files later by re-hashing them and comparing the values, so you can prove the set is unchanged. Teams use it for audits, backups, transfers and evidence sets where the integrity of many files must be checked at once.

What does a file hash manifest contain?
Each row in a manifest typically records the file path (relative to the set), the file size in bytes, the hash algorithm used, the hash value itself, and the date the value was recorded. Together these fields uniquely identify each file and its content, so a verifier can locate every file and check that its bytes still match the recorded fingerprint.

How do I verify files against a manifest later?
Re-hash the file set with the same algorithm and compare each new value against the manifest. If every value matches, the set is intact. If a hash differs, that file has been altered or corrupted; if a path is missing, a file has been removed; and if an extra file appears, it was not in the original set. e-Dex performs this comparison and flags any missing or changed file automatically.

What format is a file hash manifest stored in?
A manifest is commonly saved as a plain checksum file or a structured manifest document. A checksum file lists one hash and filename per line and is easy to share, while a structured manifest can also carry sizes, algorithms, dates and an overall verification result. e-Dex can export the list so you can re-verify the set on any machine later.

Where should I store a file hash manifest?
Store the manifest separately from the files it describes, so a problem that affects the data does not silently affect its record too. For higher assurance, sign or timestamp the manifest so any later edit is detectable. Keeping the manifest in a different location, and signing or time-stamping it, makes it a trustworthy reference you can return to months later.

Conclusion

A file hash manifest is the most reusable record in the integrity toolkit: hash the set once, and you can re-verify every file in it for years. Whether you are protecting a backup, certifying a delivery or preserving an evidence set, the workflow is the same — record the fingerprints, store the manifest safely, and compare against it whenever trust is questioned. You can create and verify one in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and give your files a record you can always check back against.