How to Verify the Security of File Downloads with FCIV (SHA1SUM) Checksum
Have you ever waited for a large file to download overnight, sometimes even pausing and resuming for days, only to find out in the end, that the large 8GB file could not be extracted or opened in Windows!? Have you tried downloading games and movies over file sharing programs and websites -- only to find out that the file is tampered with viruses and isn't exactly what it should have been?
Know that there is a way to verify the "integrity" of each file on your computer. Integrity in this sense means that we are able to verify that the file we have downloaded or received is the original file that was intended by its author and not tampered by hackers, or corrupted by a bad internet connection, or an entirely different file that was cleverly renamed to match the original content.
Each file on your computer can its own unique "fingerprint" and can be identified as unique even if it was saved along usb flashdrives, or sent via email, or even distributed via file sharing and P2P applications. This unique fingerprint of a file is true only until the file content is modified. Once it is modified, the file's fingerprint changes and it will never match that of the old file.
This fingerprint for each file can be acquired by running a
"cryptographic hash" against the file, and in turn, it will generate the file's unique fingerprint which is technically called its "checksum"
A cryptographic hash is a very complex mathematical computation that the computer performs against the specific file. The kind of computation that it performs is dependent on the cyptographic algorithm that the user chooses.
Code:
In example:
Running cryptographic hash algorithnm "A" on file example.txt will yield a unique checksum that we can call as checksum-A
Running cryptographic hash algorithm "B" on the same file example.txt will yield a unique checksum that we can call as checksum-B
Note that checksum-A will never be the same as checksum-B.
In the event that the user modifies the file example.txt, running both cryptographic algorithms A and B will yield different results as the original results before the file was last modified.
This nature of the changing checksum after every minor edit on the file content ensures that each file version keeps a unique fingerprint, and cannot be mistaken for being the same file -- regardless of its author, filename, and date/time that the file was modified or created.
=============================================
FCIV and CHECKSUM INSPECTION
Windows provides the free command-line tool called "FCIV -- Microsoft File Checksum Integrity Verifier"
Download Microsoft File Checksum Integrity Verifier from Official Microsoft Download Center
In this tutorial, I will refer to "Microsoft File Checksum Integrity Verifier" as FCIV.
1. Download FCIV from the installation link above.
Extract the contents, notice that there are only two files inside the very small zip file
Do not double-click on fciv.exe right away! A command-line window will briefly flash into your screen and disappear. Take note that FCIV is run via Windows command line, and not via mouse with a point-and-click GUI.
2. Locate the source website or documentation of the file that you have downloaded. Notice that most websites indicate a string of random text that is labelled as a "hash". Take note of this hash text and notice if it says "MD5" or "SHA1"
In the example above, I am downloading the 3-gigabyte large installer of Kali Linux. Take note that each version of the installer has a unique checksum that the official Kali Linux developers have released and confirmed for public distribution.
3. I begin the download and leave it overnight.. This is a large download done at a measly 1mbps connection. I leave it overnight hoping that the next day it has completed. I check in the morning and no errors are reported.. It seems to have downloaded completely now..
4. Now to check if the download will work.. Note that the file is indeed 3 gigabytes large! To add to the complication of testing, the file is a .ISO file. It can only be tested if we burn it to CD and use it to install on a hard drive. This is indeed a long series of tasks, and the question of possibly having downloaded a corrupt file seems only to be answered if Kali Linux installs on a hard drive without any problems.
5. We verify that the download is intact and not tampered using FCIV!
Temporarily move or copy the file that you have downloaded into the same folder as FCIV.exe
Run FCIV by opening an MS-Dos Prompt
Now run FCIV and give it the filename of Kali Linux installer file, and adding the parameter "
-sha1"
Notice that it takes a while for FCIV to finish its hashing..
During this time, FCIV performs the SHA1 type of cryptographic hash against the Kali Linux installer file. Because the Kali Linux installer file is sufficiently large in size of 3.1 gigabytes, it takes a minute or two for FCIV to complete the hash.
And now, FCIV has determined that the checksum of the Kali Linux installer against a SHA1 type algorithm is
518aad75c2c5f1c60b2068760712f7e82c02d703
Checking this value against the verified checksum given by the official Kali Linux Homepage
We have successfully verified that our downloaded Kali Linux installer is exactly the same copy as the provided by the Official Kali Linux homepage.
This verifies that:
- our download has completed successfully
- the downloaded installer file is valid and secure
- it is secure in meaning that it has not been tampered or altered or corrupted during the course of the download.
TAKE NOTE THAT:
A slight data corruption or alteration from the original file will always yield a different checksum. In this way, file fraud, or accidental data corruption is prevented.
WHAT TO DO IF THE CHECKSUM DOES NOT MATCH!??
1. Verify that you used the correct algorithm in finding the cheksum.
See the help options of FCIV for the proper syntax
Code:
C:\fciv>fciv /?
//
// File Checksum Integrity Verifier version 2.05.
//
Entry to Add: Path is too long or missing. Exiting...
Usage: fciv.exe [Commands] <Options>
Commands: ( Default -add )
-add <file | dir> : Compute hash and send to output (default screen).
dir options:
-r : recursive.
-type : ex: -type *.exe.
-exc file: list of directories that should not be computed.
-wp : Without full path name. ( Default store full path)
-bp : specify base path to remove from full path name
-list : List entries in the database.
-v : Verify hashes.
: Option: -bp basepath.
-? -h -help : Extended Help.
Options:
-md5 | -sha1 | -both : Specify hashtype, default md5.
-xml db : Specify database format and name.
To display the MD5 hash of a file, type fciv.exe filename
2. Do not attempt to install or run the downloaded file if the checksum does not match.
Re-download the file. After a second redownload and you still obtain the same checksum, it could mean that the download source has altered the files compared to the original checksum as posted on their website.
Select a different download mirror.
Contact the source of the file and verify the proper checksum.
WHERE ELSE TO USE FCIV AND CHECKSUMS?
EVERYWHERE!
Remember that you yourself can generate and distribute any file via email attachment, or usb storage, and even to file sharing and P2P Applications.
If you wish to ensure that the files you send out are intact and unaltered, perform a hash of the file and inform the receiver of its proper checksum and hash algorithm.
Point the receiver back to this tutorial so he also knows how to properly verify that the integrity of his received file is correct and secure!