As I write this, I am developing a skill (app) for Amazon’s Alexa voice service. A couple of days into the development I thought I’d accidentally corrupted a critical file. Fortunately, I hadn’t, but it reminded me of the practice of discovering file changes by comparing file hash values against a baseline.
The basic idea is this: a script computes hash values for the files of interest. First, a baseline is computed and stored; then each day (or whenever) the hashes are recomputed and compared to the baseline. If the hash for a particular file differs from the stored value, the file has changed. The comparison also reveals files that have appeared or disappeared since the baseline was taken.
For those unfamiliar with the concept of hash values, these are fixed-length values computed from the content of a file, and for a modern hash function they are unique in practice: finding two different files with the same SHA-256 value is computationally infeasible. Any change in the file’s contents, even a single bit, results in an unpredictable change in the hash value. We explain the process and have exercises in using hash values in Learning Tree’s system and network security introduction course. Gene Kim and Dr. Eugene Spafford of Purdue University developed a tool that uses hash values to detect file changes in 1992. That tool, Tripwire, later became a commercial product, and an open source version still exists.
Since I was doing the development work on my Windows desktop, I needed a Windows tool to compute the hashes.
Sigcheck is part of the Windows Sysinternals suite. From the Introduction: “Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.” We are interested in the hash values, which Sigcheck prints when run with its -h switch. Here is the output for a copy of the Alexa Skills Kit interface I was using:
We are mostly interested in the SHA256 hash. Sigcheck also reports the shorter MD5 and SHA1 values, but both of those algorithms have practical collision attacks, so SHA256 is both longer (more bits) and the only one of the three that is still considered strong.
Now see what happens when I change the file by adding a blank line at the end.
Sigcheck can be downloaded from the link above.
Get-FileHash is a PowerShell cmdlet for computing hash values for files. It uses SHA-256 by default; other algorithms can be selected with the -Algorithm parameter.
Note that the value is the same as the one computed by Sigcheck, as it must be: the hash depends only on the file contents and the algorithm, not on the tool. Get-FileHash is included with PowerShell (version 4 and later).
The Microsoft File Checksum Integrity Verifier (FCIV) tool is another command line tool for computing hashes, but it only computes SHA-1 or MD5 hashes, and Microsoft no longer supports it, so it is the weakest choice of the three.
Any of these tools would work for checking file integrity (that is, checking to see whether a file had changed or not). Sigcheck is perfect for my situation because, with its -s switch, it can descend into sub-directories and compute values for files there, too. Get-FileHash is a PS cmdlet, so it can be fed a recursive listing from Get-ChildItem and I could write (or maybe find) a tool to manage changes as I want.
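The baseline-and-compare procedure described at the top of the post, written as a small PowerShell script around Get-FileHash. This is an added example, not code from the original post or from Sysinternals; the directory path and the baseline file name are assumptions, and the baseline is stored outside the watched tree so that the script does not flag its own output.

```powershell
# Added example, not part of the original post: baseline-and-compare file
# integrity check built on Get-FileHash. $Root and $Baseline are assumptions.

param(
    [string]$Root     = 'C:\Dev\alexa-skill',                 # tree to check (assumed path)
    [string]$Baseline = "$env:USERPROFILE\skill-baseline.json", # stored outside $Root
    [switch]$Update                                             # rebuild the baseline instead of comparing
)

# Hash every file under $Path with SHA-256 (Get-FileHash's default).
# Keys are paths relative to $Path so the baseline survives a move of the tree.
function Get-TreeHashes {
    param([string]$Path)
    $table = @{}
    $resolved = (Resolve-Path $Path).Path
    Get-ChildItem -Path $resolved -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($resolved.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

# Compare two hash tables and report added, removed and changed relative paths.
function Compare-TreeHashes {
    param([hashtable]$Old, [hashtable]$New)
    $result = [ordered]@{ Added = @(); Removed = @(); Changed = @() }
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))   { $result.Added   += $k }
        elseif ($Old[$k] -ne $New[$k])   { $result.Changed += $k }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k))   { $result.Removed += $k }
    }
    return $result
}

$current = Get-TreeHashes -Path $Root

if ($Update -or -not (Test-Path $Baseline)) {
    # First run (or an explicit refresh): write the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
    Write-Host "Baseline written to $Baseline ($($current.Count) files)"
    return
}

# Load the stored baseline. ConvertFrom-Json yields a PSCustomObject, so copy
# its properties back into a hashtable for lookup by relative path.
$stored = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $stored[$_.Name] = $_.Value }

$diff = Compare-TreeHashes -Old $stored -New $current

foreach ($kind in 'Added', 'Removed', 'Changed') {
    foreach ($f in $diff[$kind]) { Write-Host ("{0,-8} {1}" -f $kind, $f) }
}
if (-not ($diff.Added + $diff.Removed + $diff.Changed)) {
    Write-Host 'No changes since baseline.'
}
```

Run it once to write the baseline, then run it again after each working session (or from a scheduled task) to see what changed; pass -Update after an intentional edit to accept the new state. One caveat a practitioner would add: the check is only as trustworthy as the baseline file, so in a real deployment keep it somewhere the process that could tamper with the watched files cannot also write to it.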
Systems programmers for Windows may know that .NET provides a FileSystemWatcher class (System.IO.FileSystemWatcher) that can be used to notify a user about file or folder content or property changes in real time. It reports that something changed while it is running; a hash comparison instead tells you whether the content differs from the baseline, including changes made while nothing was watching. I chose the hashes because I don’t want or need real time notifications and because I wanted something pre-built (and I wanted to write a post about hash-computing tools!).
You can use the tools I’ve mentioned or third-party tools to compute hashes of files. Continue the conversation by tweeting to me at @ and share what tool you use and any good experiences.
To your safe computing,