How to Hash a Folder of Files: Build a Re-Verifiable Manifest

Introduction: Hashing Many Files at Once

Hashing a single file is easy. The harder, more realistic question is how to hash a folder — a whole directory of documents, photos, exports or evidence — and end up with something you can trust and re-check months later. The answer is a manifest: a single list that records every file in the folder next to its cryptographic hash. With one manifest you can prove, at any later point, that a copied or archived folder is exactly what it was when you recorded it. This guide explains the two ways to do it, how to include subfolders, and how to avoid the small mistakes that quietly break the proof. Throughout, we use e-Dex (formerly Hash Calculator), which does all of this offline on your own Windows machine.

Per-File Hashes vs One Hash for the Whole Folder

There are two genuinely different things people mean by "hashing a folder", and choosing the right one matters. The first is a manifest of per-file hashes: the tool walks the directory and records each file's path together with its own hash. If something changes later, the manifest tells you exactly which file moved, vanished, or was edited — file-level granularity. The second is a single combined hash for a packaged folder: you first package the directory into one container file (for example a ZIP archive), then hash that one archive to get a single value that seals the entire bundle. Use the manifest when you need to pinpoint changes inside a living set of files; use the single archive hash when you are sealing one frozen, packaged deliverable. Both rely on the same idea — a file hash verification — applied at different granularity.

How to Hash Recursively, Including Subfolders

Most real folders are nested: a parent directory with subfolders several levels deep. By default some tools only list the files sitting directly in the top level and silently skip everything underneath, which leaves gaps in your proof. To hash a folder properly you want recursive scanning switched on, so the tool descends into every nested subfolder and includes each file it finds. In e-Dex you add the folder, enable recursive scanning, and let it walk the whole tree. Each file is recorded with its relative path — its location within the folder rather than the absolute drive path — so the same structure can be re-verified even after the parent folder is moved or renamed. If you are hashing a single item rather than a tree, our guide to how to hash files on Windows covers the basics.

Producing a Hash Manifest You Can Re-Verify Later

The output that makes folder hashing useful is the manifest — a saved file that pairs every relative path with its hash (and ideally a few algorithms, such as SHA-256 alongside others, for resilience). Think of it as the folder's fingerprint sheet. e-Dex lets you export this list and keep it somewhere safe, separate from the data it describes. The whole point is reusability: a manifest is not a one-time check but a durable reference. Hand it over with a dataset, archive it with a project, or store it next to a backup, and anyone can later confirm the folder still matches it — no need to remember which algorithm you used or to re-type long strings of hex.

Verifying a Copied or Moved Folder Matches

This is where the manifest pays off. After copying a folder to another drive, restoring it from a backup, or receiving it from someone else, point e-Dex at the new location and re-run the manifest. The tool recomputes each file's hash and compares it against the recorded value, then prints a plain result per file: MATCH when the file is byte-for-byte identical, MISMATCH when even one byte differs. It also flags files that are missing (in the manifest but not in the copy) or added (present in the copy but not the manifest), so a half-finished or silently corrupted copy cannot pass as clean. A copy that returns all-MATCH with nothing missing or added is genuinely the same folder.

Common Gotchas: Hidden Files, Ordering and Empty Files

A few quiet traps can undermine an otherwise careful manifest. Hidden and system files are real contents of the folder; if your scan skips them, a later copy that drops or alters them can still report a false MATCH — so include hidden items. File ordering matters for readability and for any combined hash: use a consistent, deterministic order (such as sorting by relative path) so two runs of the same folder produce comparable manifests rather than the same data in a shuffled sequence. Empty, zero-byte files are easy to overlook, but an empty file still has a perfectly valid, well-defined hash and is part of the folder's true state — leaving it out means your manifest is incomplete. Get these three right and your folder hash becomes genuinely trustworthy.

Frequently Asked Questions

How do I hash a whole folder of files at once?
Add the folder to e-Dex and let it walk the directory, then compute a hash for every file it finds. Instead of hashing files one by one, you get a single list of file paths and their hashes, called a manifest. Enable recursive scanning if you also want files inside subfolders. e-Dex does all of this offline on your own Windows machine.

What is the difference between per-file hashes and one hash for the whole folder?
A per-file approach produces a manifest that lists each file and its own hash, so you can tell exactly which file changed. A single combined hash represents the whole set as one value, which is useful when the folder has been packaged into one archive file (such as a ZIP) and you hash that archive. The manifest is better for pinpointing changes; the single hash is better for sealing one packaged container.

How do I hash files inside subfolders recursively?
Turn on recursive scanning so the tool descends into every nested subfolder rather than only listing files at the top level. e-Dex records each file with its relative path, so the same folder structure can be re-verified later even if the parent folder is moved or renamed.

How do I verify that a copied or moved folder is unchanged?
Keep the manifest you produced when you first hashed the folder. Point e-Dex at the copied or moved folder and re-run the manifest. It recomputes each file's hash and compares it to the recorded value, printing MATCH where the file is identical and MISMATCH where a byte differs, plus any files that are missing or added.

Do hidden files and empty files get hashed too?
They should, if you want a complete record. Hidden files, system files and zero-byte empty files are all real contents of the folder, and leaving them out can cause a false MATCH later. An empty file still has a valid, well-defined hash. Make sure your scan includes hidden items and uses a consistent file ordering so two runs of the same folder produce comparable manifests.

Conclusion

Hashing a folder is really about producing one durable artifact — a manifest — that lets you prove a whole directory is unchanged, file by file, whenever you need to. Choose per-file hashes to pinpoint changes or a single archive hash to seal a package, scan recursively so nothing is missed, and watch the small gotchas around hidden, ordered and empty files. You can do all of it in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free. Working with portable media too? See how to hash a USB drive.