How to use the Microsoft FCIV command-line checksum tool
Downloading files from the Internet always poses a risk, but there are strategies that can make the process more secure. In this tip, Michael Cobb explains how to use the Microsoft FCIV tool to check the hash values of downloaded files and create hashes and checksums of you own.
Security pros often ask about the weaknesses of the Message-Digest version 5 algorithm (MD5) and whether it should still be used. MD5 is a cryptographic one-way hash function that produces a value based on input data; it is used to verify the integrity of information to ensure it hasn't been interfered with.
While MD5 is no longer considered cryptographically secure and is being replaced by the SHA-2 family of hash functions, it is nevertheless still widely used to provide a hash value for files that are downloaded from the Internet, phpMyAdmin and MySQL being just a couple of examples. By calculating the MD5 hash of a downloaded file and comparing it to the MD5 hash provided by the website, it's possible to establish the file's integrity and validate that the file has arrived intact and is the file posted by the site, and not one that has been tampered with by a hacker. Although, as mentioned above, MD5 is considered cryptographically broken, it would be nigh on impossible for someone to alter the file to make it malicious and end up with the same MD5 checksum, meaning this type of validation effort is still a useful exercise.
But how do you calculate the MD5 hash value of a file you've downloaded when you're running a Windows-based PC? Microsoft provides a free but unsupported command-line utility called File Checksum Integrity Verifier (FCIV) that computes MD5 or SHA-1 cryptographic hashes for files. It can also perform various other useful tasks. In this tip, we'll take a closer look at this tool.
The Microsoft FCIV install program contains two files, fciv.exe and ReadMe.txt -- the latter contains information and instructions on how to use FCIV. The install program asks where you would like to install FCIV, and I recommend the Windows\System32 folder so you can call FCIV from any folder without having to type the full path to access it each time you want to run the command.
To calculate the MD5 hash for any downloaded file, all that's required is to open a command prompt* at the folder containing your downloaded file and type the following:
To display the SHA-1 hash of the file you would change the command to:
fciv.exe -sha1 downloadedfilename
In order to generate a hash value for a file that you're going to post to your own website for users to download, you would simply use the same commands. FCIV can also recursively generate hash values for all the files in a folder and its subfolders so you could create hash values for your entire C drive with the command:
fciv.exe c:\ -r
A more useful exercise, however, would be to calculate a checksum for each system file and store them in an XML file database so you can see if any of them have been changed at a later date. FCIV also works as a command-line checksum tool, and the following command will calculate and store the hash value for every file in the systemroot -- the folder where the operating system files are located -- and store them in an XML file called windowsystemhashes.XML located in the C drive:
fciv.exe -add %systemroot% -r -XML c:\windowsystemhashes.XML
To speed up this command, you could calculate hashes only for program file types - .exe, which are the most likely to be tampered with.(However, if you have time, it makes sense to create a hash for every file. On a Web server, for instance, it would be important to know if any .html or script files such as .php or .aspx have been changed.) If so, the command would be:
fciv.exe -add %systemroot% -r -type *.exe -XML c:\windowsystemhashes.XML
With these checksums stored, if you suspect your system has been attacked and you want to know if any of your system files have been corrupted or changed, you can compare and verify the current checksums with those stored in the XML file with the following command:
fciv -v -XML c:\windowsystemhashes.XML
FCIV will return a code 0 to indicate a hash is verified, or a 1 to indicate that it is different and therefore needs further investigation. It's important to store your XML file database on read-only media, such as a CD-ROM; otherwise a clever attacker could update the database with new hashes that match any infected files.
FCIV runs on Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. If you don't like working with the command prompt and prefer a GUI, you can find a variety of free GUI-based checksum calculators on the Web.
*If you're running Windows Vista or Windows 7, open up Windows Explorer and browse to the folder containing the file you wish to check. Hold the Shift key while you right-click the folder in the right pane of the Windows Explorer window and the pop-up context menu will contain an "Open Command Prompt Here" option. If you're running Windows XP, download the Windows XP PowerToys Add-in Open Command Window Here utility for a similar pop-up menu option.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.