Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)

Are you responding to an incident? Do you need to hash particular portions of a disk for comparison against known-good hashes? Are you wary of trusting the binaries on a possibly compromised system disk to produce those hashes? Microsoft has a portable program, File Checksum Integrity Verifier (FCIV), that can help, and it can be downloaded from Microsoft. Since it comes from Microsoft it is signed by them as well, which means you can verify the signature of your copy before relying on it rather than taking that on faith.

The portable program can be executed from a CD/DVD, flash drive, or network share. With it we can get MD5 and/or SHA-1 hashes of files on a system, either printed to the screen or written to an XML database for later comparison. Two caveats before relying on it. First, running a trusted binary does not make the suspect system trustworthy: a kernel-mode rootkit that filters file reads can still feed FCIV altered content, so for evidence-grade hashes image the disk and hash the image from a clean workstation. Second, MD5 and SHA-1 are the only algorithms on offer, and neither is collision-resistant; that matters if an adversary could have placed a file before the baseline was taken, while for detecting later changes to files you controlled at baseline time they still serve, but prefer SHA-256 wherever a tool allows it. With that in mind, we can feel better about our capture source and method and easily save the day. We can accomplish this using the commands below.
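The post states that the binary is signed by Microsoft; the check below tests that claim instead of assuming it. This is an added PowerShell example, not code from the original post. It assumes fciv.exe sits in the current directory (for example on the CD/DVD or write-protected flash drive you brought) and that it is run from a clean analysis workstation, not from the suspect host.

```powershell
# Added example (not from the original post): verify the FCIV binary before trusting it.
# Assumes fciv.exe is in the current directory and this runs on a clean workstation.

function Test-ToolSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Status 'Valid' means the chain built, nothing was revoked and the embedded hash matches
    # the file. The leaf certificate must also actually belong to Microsoft, otherwise any
    # validly signed binary would pass.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $subject
        # Record the tool's own SHA-256 in your case notes alongside the hashes it produces.
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted = $trusted
    }
}

$result = Test-ToolSignature -Path '.\fciv.exe'
$result | Format-List
if (-not $result.Trusted) {
    Write-Error "Refusing to use $($result.Path): signature status $($result.Status), signer $($result.Signer)"
}
```

Run this on the analysis workstation: on a compromised host the certificate stores and the signature-verification code path are part of what you do not trust. If the status comes back as NotSigned or HashMismatch, obtain a fresh copy rather than proceeding.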

Recursively capturing MD5 and SHA-1 hashes (-r -both) of every file under a specified directory:

PS C:\Users\blue\Desktop> .\fciv.exe c:\users\blue\Desktop\Test_Files -r -both
// File Checksum Integrity Verifier version 2.05.
Start Time: 01/15/2017 at 22h45'33''

		MD5				SHA-1
ecaa88f7fa0bf610a5a26cf545dcd3aa 57218c316b6921e2cd61027a2387edc31a2d9471 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-07.csv
e8b28fc8756de01364384db4c011318e 2b36668f7b719759affcffc34ab4cb55619c8f9c c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-07.log
42cdc97dbacfb03fb1ee72a298e18f1d ecf56a218ccea082728de42dcaa414d31f156c6c c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-07.sql
ecaa88f7fa0bf610a5a26cf545dcd3aa 57218c316b6921e2cd61027a2387edc31a2d9471 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-08.csv
c51c6f4ebf7e9101bf703dfa508205f8 85a7652e72cddfadb837aa25f2798fda77a65fb2 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-08.log
b4d416bdce468842319ca430311071b8 b618b2d931def5418cd0d5d5c7dc7764a1374233 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-08.sql
ecaa88f7fa0bf610a5a26cf545dcd3aa 57218c316b6921e2cd61027a2387edc31a2d9471 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-28.csv
c51c6f4ebf7e9101bf703dfa508205f8 85a7652e72cddfadb837aa25f2798fda77a65fb2 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-28.log
d7814ca0254688a5a68bc919acd2f003 37ff70107c00663ebc2db7a52684cec7b62019b4 c:\users\blue\desktop\test_files\$temp\UsnJrnl_2017-01-04_22-41-28.sql
e081eaaa07ec3cbc71dbc374e85b3031 3e0eae5b7d6802b5e64129bd610e22ec8f49b001 c:\users\blue\desktop\test_files\.cab
253f9b18f29e39c209f221e3c419451e 8d57c8fa70fd2545c8e04ce18b7840682b35be7b c:\users\blue\desktop\test_files\
d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 c:\users\blue\desktop\test_files\
d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 c:\users\blue\desktop\test_files\
69b8789ed87248ab5b69c0421adf6e54 3a39c952ab5cf90eae0f600395accaf5c23b1f9d c:\users\blue\desktop\test_files\
d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 c:\users\blue\desktop\test_files\
01e868e0d01233266fbb5e4e7767bf28 676aadd9e9c26006f878c9772c3155fef5f84678 c:\users\blue\desktop\test_files\99099_mctray.txt
9b0e1e508d2e75599436bf78e2084ea8 a6bca02c4d347e2a9cc14e776247af88cdd731a4 c:\users\blue\desktop\test_files\changelog.txt
15535741a60b3e05af989d2e29f0bac4 c02e82e56a79e02acae4078e5c37aee92bc8260c c:\users\blue\desktop\test_files\data.txt
ba42f09f3a3dda83aeb1f476c96e17ec 82635f692615e2364141439614af2b91e026f3a1 c:\users\blue\desktop\test_files\__Old_Cabs\
cb778eef2b92a57089ccd4aee9feeaf0 49a3fda85c1962e7b190fe649e6951fed4f19ba2 c:\users\blue\desktop\test_files\__Old_Cabs\

End Time..: 01/15/2017 at 22h45'34''

	Processed 3 directories
	Processed 20 files
Errors have been reported to fciv.err

Going beyond that, say we have remediated the compromise and are now helping the organization get back on its feet. We have determined they don't have a good baseline of hashes for their gold master image. FCIV can help there too: run it once to write the file names and hashes to an XML database, and reference that database later to determine whether the files still match. An example is shown below.

Recursively getting the hashes of a directory that will serve as the baseline. The hashes are written to an XML database (-xml) for later reference; nothing is printed to the screen in this mode:

PS C:\Users\blue\Desktop> .\fciv.exe -both -xml c:\users\blue\Downloads\baseline.xml -r c:\users\blue\Desktop\Test_Files
// File Checksum Integrity Verifier version 2.05.
Start Time: 01/15/2017 at 22h43'20''

Error loading XML document.
Create New XML database

End Time..: 01/15/2017 at 22h43'21''

	Processed 3 directories
	Processed 20 files
Errors have been reported to fciv.err

PS C:\Users\blue\Desktop>

On another system we can then verify the same directory against the database. Note that FCIV stores the full path of each file by default, so verification looks for every file at the exact path recorded in the baseline; to make a baseline portable between hosts, strip the base path when creating it (-bp) and supply the directory to verify with -bp again when running -v. In this case, the hashes are the same.

PS C:\Users\green\Desktop> .\fciv.exe -v -xml C:\users\green\Downloads\baseline.xml
// File Checksum Integrity Verifier version 2.05.
Could not set the event message file.
Starting checksums verification : 01/15/2017 at 22h47'29

All files verified successfully

End Verification : 01/15/2017 at 22h47'29

Shown below is what it looks like when some hashes no longer match. Verification works from the entries recorded in the database, so it flags files whose hash changed but does not report files added to the directory after the baseline was taken.

PS C:\Users\blue\Desktop> .\fciv.exe -v -xml C:\users\blue\Downloads\baseline.xml
// File Checksum Integrity Verifier version 2.05.
Could not set the event message file.
Starting checksums verification : 01/16/2017 at 08h46'26

List of modified files:



	Hash is		: 15535741a60b3e05af989d2e29f0bac4

	It should be	: 6faeb59827b4dcec13aba0f45a4b4e8e

End Verification : 01/16/2017 at 08h46'29
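The baseline-and-verify workflow above (fciv -add into an XML database, then fciv -v against it) is straightforward to reproduce with SHA-256 and relative paths, which fixes the two weaknesses noted earlier: the hash algorithm, and a baseline that only verifies at the original absolute path. The following is an added PowerShell example, not code from the original post or from FCIV. Everything in it, including the function names, the CSV format and the paths in the usage comments, is an assumption; it also goes one step beyond fciv -v by reporting files that are missing or newly added, not only modified ones.

```powershell
# Added example (not from the original post): a baseline-and-verify routine in the spirit of
# fciv -add / fciv -v, but using SHA-256 and storing each path relative to the root, so the
# baseline verifies the same tree on another host or drive (the equivalent of FCIV's -bp).
# All function names, paths and file names below are assumptions.

function Get-RelativeFileHashes {
    # Walks $Root and returns one object per file with its root-relative path and SHA-256.
    param([Parameter(Mandatory)][string]$Root)

    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    foreach ($f in Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force) {
        [pscustomobject]@{
            RelativePath = $f.FullName.Substring($rootFull.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Length       = $f.Length
        }
    }
}

function New-HashBaseline {
    # Equivalent of "fciv -add <dir> -r -bp <dir> -xml <db>", written as CSV.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BaselinePath
    )
    Get-RelativeFileHashes -Root $Root | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

function Compare-HashBaseline {
    # Returns one finding per difference: Modified (hash changed), Missing (in the baseline but
    # not on disk) or New (on disk but not in the baseline). FCIV's -v reports only the first.
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BaselinePath
    )
    $expected = @{}   # hashtable keys are case-insensitive, matching NTFS path semantics
    foreach ($row in Import-Csv -LiteralPath $BaselinePath) { $expected[$row.RelativePath] = $row.Sha256 }

    $findings = New-Object System.Collections.Generic.List[object]
    $seen = @{}
    foreach ($file in Get-RelativeFileHashes -Root $Root) {
        $seen[$file.RelativePath] = $true
        if (-not $expected.ContainsKey($file.RelativePath)) {
            $findings.Add([pscustomobject]@{ State = 'New'; Path = $file.RelativePath; Expected = $null; Actual = $file.Sha256 })
        } elseif ($expected[$file.RelativePath] -ne $file.Sha256) {
            $findings.Add([pscustomobject]@{ State = 'Modified'; Path = $file.RelativePath; Expected = $expected[$file.RelativePath]; Actual = $file.Sha256 })
        }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            $findings.Add([pscustomobject]@{ State = 'Missing'; Path = $rel; Expected = $expected[$rel]; Actual = $null })
        }
    }
    return $findings
}

# Usage (paths are assumptions): take the baseline on the gold image, verify it on the other host.
# New-HashBaseline -Root 'C:\Users\blue\Desktop\Test_Files' -BaselinePath 'C:\Users\blue\Downloads\baseline.csv'
# Compare-HashBaseline -Root 'C:\Users\green\Desktop\Test_Files' -BaselinePath 'C:\Users\green\Downloads\baseline.csv' |
#     Format-Table State, Path, Expected, Actual -AutoSize
```

Keep the baseline CSV somewhere the monitored host cannot write to, for the same reason FCIV's XML database should not live on the system it describes: an attacker who can rewrite the baseline can make any modification verify cleanly.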

Common uses of the program are shown below.

Recursively save the MD5 and SHA-1 hashes of c:\windows\system32\ to a database called baseline.xml

fciv.exe -both -xml C:\users\bob\desktop\baseline.xml -r c:\windows\system32

Prints the MD5 and SHA-1 hashes of the files in c:\windows\system32 and its sub-directories.

fciv.exe c:\windows\system32 -r -both

Lists all the files and hashes stored in the specified database.

fciv.exe -list -both -xml C:\users\bob\desktop\baseline.xml

Verifies the files recorded in the specified database against their current hashes on disk.

fciv.exe -v -xml C:\users\bob\desktop\baseline.xml

Running fciv.exe with no arguments prints the usage summary below (-? gives the extended help), which is a useful reminder of the available options.

PS C:\Users\blue\Desktop> .\fciv.exe
// File Checksum Integrity Verifier version 2.05.
Usage: fciv.exe [Commands] <Options>

Commands: ( Default -add )

-add <file | dir> : Compute hash and send to output (default screen).
dir options:
-r : recursive.
-type : ex: -type *.exe.
-exc file: list of directories that should not be computed.
-wp : Without full path name. ( Default store full path)
-bp : specify base path to remove from full path name

-list : List entries in the database.
-v : Verify hashes.
: Option: -bp basepath.

-? -h -help : Extended Help.

-md5 | -sha1 | -both : Specify hashtype, default md5.
-xml db : Specify database format and name.