Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)

Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well, have no fear: Microsoft has a portable program called File Checksum Integrity Verifier (FCIV) that can help, and it can be downloaded here. Since it comes from Microsoft, it will be signed by them as well.

The portable program can be executed from a CD/DVD, flash drive, or network share. With it, we can get MD5 and/or SHA1 hashes of files on a system, either printing them to the screen or writing them to another file or database. With this in mind, we can feel better about our capture source and method and easily save the day! We can accomplish this as shown below.

Recursively capturing hashes from a specified directory.

Going beyond that, say we have remediated the compromise and are now trying to help the organization get back on their feet. We have determined they don't have a good baseline of hashes from their gold master image. FCIV can help with that as well: we can run the program and output the hashes and file names to an XML database. Said database can be referenced at a later date to determine whether the files and hashes in the database are still the same. An example of this is shown below.

Recursively getting the hashes of a directory, which will serve as a baseline. Said hashes are written to an XML file for later referencing.

On another system, we are then able to recursively get the hashes of the same directory that is in our database and compare the two sets. In this case, the hashes are the same.

Shown below is what it would look like if some of the hashes were not the same.

Common uses of the program are shown below.

Saves the hashes from c:\windows\system32\ to a database called baselines.xml

Prints the hashes of the files in c:\windows\system32 and its sub-directories.

Lists all the hashes and files in the specified database.

Compares the hashes of files in a specified location with those in the specified database.
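The baseline-then-verify workflow behind the uses above (hash a tree recursively, save the result to an XML database, later re-hash the same tree and report what changed), as an added Python example that is not part of the original post and does not invoke fciv itself. It mirrors what `fciv -r <dir> -xml <db>` (save), `fciv -list -xml <db>` (list) and `fciv -v -xml <db>` (verify) do, computing MD5 and SHA1 as `-both` would. The XML element names (`FCIV`, `FILE_ENTRY`, `name`, `MD5`, `SHA1`, base64-encoded digests) are an assumption modelled on FCIV's database layout, not a guarantee that the real tool will load the file; the sample directory, its file names and contents are constructed for the demonstration.

```python
"""Baseline-and-verify file hashing, modelled on the FCIV workflow (example code)."""
import base64
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# FCIV offers MD5 and SHA1 (-both); sha256 would be the stronger choice for new work.
ALGORITHMS = ("md5", "sha1")


def hash_file(path, algorithms=ALGORITHMS, chunk=1 << 20):
    """Return {algorithm: hex digest} for one file, read in chunks so large files fit."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def baseline(root, algorithms=ALGORITHMS):
    """Recursively hash every file under root (like fciv -r). Keys are relative paths."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hash_file(p, algorithms) for p in files}


def write_xml(entries, db_path):
    """Save a baseline as an XML database (element names assumed to mirror FCIV's)."""
    doc = ET.Element("FCIV")
    for name, digests in entries.items():
        entry = ET.SubElement(doc, "FILE_ENTRY")
        ET.SubElement(entry, "name").text = name
        for alg, hexdigest in digests.items():
            raw = bytes.fromhex(hexdigest)
            ET.SubElement(entry, alg.upper()).text = base64.b64encode(raw).decode()
    ET.ElementTree(doc).write(db_path, encoding="utf-8", xml_declaration=True)


def read_xml(db_path):
    """Load the database back into {relative path: {algorithm: hex digest}} (like -list)."""
    entries = {}
    for entry in ET.parse(db_path).getroot().findall("FILE_ENTRY"):
        digests = {}
        for child in entry:
            if child.tag != "name":
                digests[child.tag.lower()] = base64.b64decode(child.text).hex()
        entries[entry.findtext("name")] = digests
    return entries


def verify(root, db_path, algorithms=ALGORITHMS):
    """Compare the tree under root with the database (like fciv -v -xml).

    Returns sorted lists of files whose digests differ, files in the database
    that no longer exist, and files on disk that the database never recorded.
    """
    expected = read_xml(db_path)
    current = baseline(root, algorithms)
    report = {"modified": [], "missing": [], "new": sorted(set(current) - set(expected))}
    for name, digests in expected.items():
        if name not in current:
            report["missing"].append(name)
        elif any(current[name][alg] != digests.get(alg) for alg in algorithms):
            report["modified"].append(name)
    report["modified"].sort()
    report["missing"].sort()
    return report


def demo():
    """Build a constructed tree, baseline it, alter it, and return the verify report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"          # constructed stand-in for a system directory
        (root / "bin").mkdir(parents=True)
        (root / "drivers").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"MZ constructed sample binary\n")
        (root / "bin" / "helper.dll").write_bytes(b"MZ constructed helper\n")
        (root / "drivers" / "old.sys").write_bytes(b"constructed driver\n")
        db = Path(tmp) / "baselines.xml"
        write_xml(baseline(root), db)          # the "gold master" baseline

        # Later state of the same tree: one file changed, one added, one removed.
        (root / "bin" / "service.exe").write_bytes(b"MZ constructed sample binary\n\x00\x00")
        (root / "bin" / "dropped.dll").write_bytes(b"MZ constructed unknown file\n")
        (root / "drivers" / "old.sys").unlink()
        return verify(root, db)


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real tool. First, the value of the comparison rests on where the hashing program and its interpreter come from, which is the post's reason for running FCIV from removable media rather than from the suspect disk. Second, FCIV only produces MD5 and SHA1, both of which have known collision attacks; for a new baseline, SHA-256 from PowerShell's `Get-FileHash` or `certutil -hashfile <file> SHA256` gives the same workflow with a current algorithm.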

The help file is rather useful as it lists the below information.