0

I have the following scenario:

A certain process (A) creates files and I want to write a program which reads these files to generate some statistical data.

The problem is simple. I want to be sure that the files created by (A) haven't been corrupted/faked. So the only one who is allowed to change/modify/create those files is (A). If any other process changed some of the files or creates similar files, I want to detect this and mark these files as faked/corrupted. I need to be absolutely sure that these files haven't been changed in any way by any process other than (A).

The process (A) is only running on Windows systems, more specifically Windows XP or above.

Is this even possible? Is it enough to watch the filesystem, or do I have to inject into (A) in some way to get the output data before it's stored in a file?

An Dorfer
  • 1,178

4 Answers

1

There is a security model for that; it is called the Clark-Wilson model. Only a single app is allowed to change the data.

What I would do is create the files with a digital signature on them, and some freshness checks. That way your application B can be certain that the files were written by A and not manipulated by any other process. Plus, checking for freshness helps you mitigate replay attacks.
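A minimal illustration of the scheme this answer describes, added here as an example and not part of the original answer or of any product: process A writes each data file together with a sidecar holding a timestamp, a random nonce and an authentication tag over all three; process B checks the tag, rejects sidecars outside a freshness window, and refuses a nonce it has already accepted (the replay case). To stay on the Python standard library it uses HMAC-SHA256 with a shared secret in place of the public-key digital signature the answer mentions; the secret, the 300-second window and the `.sig` sidecar layout are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
import time
from typing import Optional

# Constructed demo secret shared by A (writer) and B (verifier); an assumption of this example.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"
MAX_AGE_SECONDS = 300  # assumed freshness window


def _mac(key: bytes, timestamp: int, nonce: str, content: bytes) -> str:
    # Bind timestamp, nonce and content into one tag so none can be swapped independently.
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in (str(timestamp).encode(), nonce.encode(), content):
        m.update(len(part).to_bytes(8, "big"))  # length prefix keeps field boundaries unambiguous
        m.update(part)
    return m.hexdigest()


def write_signed(path: str, content: bytes, key: bytes = SECRET_KEY, now: Optional[int] = None) -> dict:
    """Process A: write the data file and a '<path>.sig' sidecar carrying timestamp, nonce and tag."""
    now = int(time.time()) if now is None else now
    nonce = base64.b16encode(os.urandom(16)).decode()
    with open(path, "wb") as f:
        f.write(content)
    sidecar = {"timestamp": now, "nonce": nonce, "mac": _mac(key, now, nonce, content)}
    with open(path + ".sig", "w") as f:
        json.dump(sidecar, f)
    return sidecar


class Verifier:
    """Process B: accepts a file only if its tag checks, it is recent, and its nonce is unseen."""

    def __init__(self, key: bytes = SECRET_KEY, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen_nonces = set()

    def verify(self, path: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        try:
            with open(path, "rb") as f:
                content = f.read()
            with open(path + ".sig") as f:
                sidecar = json.load(f)
            timestamp, nonce, tag = int(sidecar["timestamp"]), str(sidecar["nonce"]), str(sidecar["mac"])
        except (OSError, ValueError, KeyError, TypeError):
            return "corrupted"  # missing or unreadable file/sidecar counts as not produced by A
        if not hmac.compare_digest(_mac(self.key, timestamp, nonce, content), tag):
            return "corrupted"  # content or sidecar altered, or written without the key
        age = now - timestamp
        if age < 0 or age > self.max_age:
            return "stale"  # outside the freshness window (or a timestamp from the future)
        if nonce in self.seen_nonces:
            return "replayed"  # a genuine file presented a second time
        self.seen_nonces.add(nonce)
        return "ok"


def run_demo() -> dict:
    """Exercise every outcome on constructed data in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "stats.dat")
    write_signed(path, b"constructed statistics record\n", now=1_000)
    fresh = Verifier()
    results = {
        "fresh": fresh.verify(path, now=1_010),
        "replayed": fresh.verify(path, now=1_020),
        "stale": Verifier().verify(path, now=1_000 + MAX_AGE_SECONDS + 1),
    }
    with open(path, "ab") as f:  # simulate another process editing the file
        f.write(b"tampered by another process\n")
    results["tampered"] = Verifier().verify(path, now=1_010)
    # A look-alike file dropped next to the real ones has no valid sidecar.
    results["unsigned"] = Verifier().verify(os.path.join(workdir, "lookalike.dat"), now=1_010)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

B has to remember the nonces it has accepted for at least the length of the freshness window; that is what turns the timestamp into protection against replay rather than just against old data. The guarantee is only as strong as the secrecy of SECRET_KEY from every other process on the machine, which is exactly the limitation the DRM answer below discusses.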

1

This is a DRM problem and there isn't really a secure answer. You need to use encryption so that only A can sign the data as authentic, but that requires A to know a secret that can be discovered by the user of the computer, thus they can fake the information.

You could try to have a server B somewhere sign the data so that the owner of the system A is running on can't do it, but then how does B know that it is actually talking to a legitimate program A and not something the user cooked up? There isn't any way to determine this either.

The only real way to do it is to have every important action happen as the result of something on the server as well as all of the criteria that need to be correct to ensure a proper version of the data. This is why server side logic is used a lot in MMOs and some other online games to prevent cheating. If you don't own and control the hardware, you can't trust it. DRM tries to, but it is a losing battle unless we get to a point where the user that owns the system is just a "guest" of some third party that really runs the system, and that's a very scary world for many other reasons.

0

Microsoft offers a free File Checksum Integrity Verifier for such purposes.

Information copied from the readme file:

1. What is fciv?

Fciv is a command line utility that computes and verifies hashes of files.

It computes an MD5 or SHA1 cryptographic hash of the content of the file. If the file is modified, the hash is different.

With fciv, you can compute hashes of all your sensitive files. When you suspect that your system has been compromised, you can run a verification to determine which files have been modified. You can also schedule verifications regularly.

2. Features:

  • Hash algorithm: MD5, SHA1 or both (default MD5).
  • Display to screen or store hash and filename in an XML file.
  • Can recursively browse a directory (ex: fciv.exe c:\ -r).
  • Exception list to specify files or directories that should not be computed.
  • Database listing.
  • Hashes and signature verifications.
  • Store filename with or without full path.

3. Syntax:

Usage:  fciv.exe [Commands] <Options>

Commands: ( Default -add )

-add <file | dir> : Compute hash and send to output (default screen).

  dir options:
  -r       : recursive.
  -type    : ex: -type *.exe.
  -exc file: list of directories that should not be computed.
  -wp      : Without full path name. ( Default store full path)
  -bp      : base path. The base path is removed from the path name of each entry

-list : List entries in the database.

-v     : Verify hashes.
       : Option: -bp basepath.

-? -h -help : Extended Help.

Options:

-md5 | -sha1 | -both : Specify hashtype, default md5.
-xml db              : Specify database format and name.

To display the MD5 hash of a file, type fciv.exe filename

Compute hashes:

fciv.exe c:\mydir\myfile.dll
fciv.exe c:\ -r -exc exceptions.txt -sha1 -xml dbsha.xml
fciv.exe c:\mydir -type *.exe
fciv.exe c:\mydir -wp -both -xml db.xml

List hashes stored in database:

fciv.exe -list -sha1 -xml db.xml

Verifications:

fciv.exe -v -sha1 -xml db.xml
fciv.exe -v -bp c:\mydir -sha1 -xml db.xml

4. Database storage format:

XML file.

The hash is stored in base 64.

5. Verification:

You can build a hash database of your sensitive files and verify them regularly or when you suspect that your system has been compromised.

It checks each entry stored in the db and verifies that the checksum was not modified.

Axel Kemper
  • 4,038

0

I would probably make sure that the application that generates the files also creates an MD5 hash sum of the file. Store that hash sum to a separate file somewhere.

At a later point, probably when you need to make use of the file, you can rehash the file and ensure the MD5 sum still matches.

PaulG
  • 101
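The two hash-based answers above (the fciv readme and the separate MD5 file) describe the same mechanism: hash the files once, store the digests, re-hash later and compare. The following is an added example of that mechanism in Python, written for this page and not fciv's own code or either answerer's: it walks a directory recursively, stores base64 digests in an XML file (the element names are assumed, not fciv's real schema), and on verification reports not only modified entries but also entries that disappeared and files that are present but were never indexed, which is how a look-alike file dropped by another process shows up. Directory names, sample contents and the `scratch` exclusion are constructed for the demo.

```python
import base64
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET


def file_hash(path: str, algo: str = "sha1") -> str:
    """Base64 digest of a file's content, read in chunks (fciv also stores hashes in base64)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()


def build_db(base: str, algo: str = "sha1", exclude: tuple = ()) -> dict:
    """Recursively hash every file under base; keys are paths relative to base (like 'fciv -r -bp base').
    exclude holds relative paths of files or directories to skip (like 'fciv -exc')."""
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, base)
            if any(rel == e or rel.startswith(e + os.sep) for e in exclude):
                continue
            entries[rel] = file_hash(full, algo)
    return entries


def save_db(entries: dict, db_path: str, algo: str) -> None:
    """Write the database as XML; the element names here are an assumption, not fciv's real schema."""
    root = ET.Element("FCIV", algorithm=algo)
    for rel, digest in sorted(entries.items()):
        entry = ET.SubElement(root, "FILE_ENTRY")
        ET.SubElement(entry, "name").text = rel
        ET.SubElement(entry, algo.upper()).text = digest
    ET.ElementTree(root).write(db_path, encoding="utf-8", xml_declaration=True)


def load_db(db_path: str):
    root = ET.parse(db_path).getroot()
    algo = root.get("algorithm", "md5")
    return algo, {e.findtext("name"): e.findtext(algo.upper()) for e in root.iter("FILE_ENTRY")}


def verify_db(base: str, db_path: str, exclude: tuple = ()) -> dict:
    """Re-hash base and compare with the stored database (like 'fciv -v -bp base').
    Besides modified files it reports files that vanished and files absent from the database."""
    algo, stored = load_db(db_path)
    current = build_db(base, algo, exclude)
    return {
        "modified": sorted(p for p in stored if p in current and current[p] != stored[p]),
        "missing": sorted(p for p in stored if p not in current),
        "unlisted": sorted(p for p in current if p not in stored),
    }


def run_demo() -> dict:
    """Build a database over constructed files, then disturb the directory and verify again."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "scratch"))
    samples = {"a.log": b"alpha", "b.log": b"beta", os.path.join("scratch", "x.tmp"): b"noise"}
    for rel, data in samples.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    db_path = os.path.join(tempfile.mkdtemp(), "db.xml")  # kept outside base so it is not hashed itself
    entries = build_db(base, "sha1", exclude=("scratch",))
    save_db(entries, db_path, "sha1")
    b_path = os.path.join(base, "b.log")
    digest_lengths = (len(file_hash(b_path, "md5")), len(file_hash(b_path, "sha1")))
    clean = verify_db(base, db_path, exclude=("scratch",))
    # Simulate another process touching the directory: edit one file, delete one, drop a look-alike.
    with open(b_path, "ab") as f:
        f.write(b"!")
    os.remove(os.path.join(base, "a.log"))
    with open(os.path.join(base, "c.log"), "wb") as f:
        f.write(b"lookalike")
    after = verify_db(base, db_path, exclude=("scratch",))
    return {"indexed": sorted(entries), "digest_lengths": digest_lengths, "clean": clean, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Whether the digests live in an XML database or in a separate MD5 file, they only prove that a file changed, not who changed it: any process that can rewrite the data file can recompute and rewrite the stored hash as well, so the database has to be kept somewhere the other processes on the machine cannot write, which is the gap the signature-plus-freshness answer above closes with a key that only A holds.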