Using the File Checksum Integrity Verifier

This exercise complements material in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.

Here’s a method of using hashing to verify the integrity of several files.

Requirements: This exercise assumes you’re running a Windows system and know how to access the command line. You’ll need a copy of the File Checksum Integrity Verifier (fciv.exe), which is available as a free download. Search Google with “Microsoft Knowledge Base Article 841290” if necessary to download a copy.

Setup The Lab

1. Create a folder on your system and name it Labs.

2. Within this folder, create another folder named exefiles.

3. Copy the fciv.exe application file into the Labs folder.

4. Copy some files into the Labs\exefiles folder.
I copied the following files into this folder:

  • md5sum.exe
  • sha1sum.exe
  • sha1sum.dll

Store the Hashes in an XML File

1. Open a command line on your Windows system with administrative permissions.

2. Change the directory with the following command:

cd \labs

3. Calculate and view the SHA1 hashes in the exefiles folder with the following command:

fciv -sha1 exefiles\

4. Calculate and store the SHA1 hashes into a file called db.xml with the following command:

fciv -sha1 exefiles\ -xml db.xml

The first time you run the command it gives this error “Error loading XML document” because the document doesn’t exist. However, it creates the document so you can ignore the error.

If desired, you can view the contents of the db.xml file with the following command:

type db.xml

Verify the Integrity of the Files

1. You can check the integrity of the files by comparing the current hash with the hashes stored in the db.xml file using the following command:

fciv -v -sha1 -xml db.xml

Note that this command looks at the file names in the db.xml file so you don’t need to specify the folder. It then calculates the hashes for each of these files and compares the calculated hash with the stored hash.

A key message here is:

All files verified successfully

2. Change the names of two of the files, renaming each to the name of the other file.

For example, I have the following two files in my directory.

  • md5sum.exe
  • sha1sum.exe

I renamed md5sum.exe to sha1sum.exe.

I renamed sha1sum.exe to md5sum.exe.

This effectively makes both files look like they are no longer the same.

3. Rerun the verification command with the following command:

fciv -v -sha1 -xml db.xml

You will see an output similar to the following:

// File Checksum Integrity Verifier version 2.05.
Starting checksums verification : 04/19/2017 at 12h15’59

List of modified files:
Hash is : 08ab4b9b40448d77079f61751f989702bbebe2ed
It should be : 7648ec1a2d8c8b65a024973d30b4b2dc48ad0cec

Hash is : 7648ec1a2d8c8b65a024973d30b4b2dc48ad0cec
It should be : 08ab4b9b40448d77079f61751f989702bbebe2ed

This indicates that the files (md5sum.exe and sha1sum.exe) have been modified. Executable files are rarely modified, so it indicates that the files might have been infected with malware and they should not be trusted.

Back to SY0-501 Security+ labs.