Microsoft often releases interesting tools to help system administrators and incident handlers investigate suspicious activities on Windows systems. In 2012, they released a free tool called FCIV (File Checksum Integrity Verifier) (1). It is a stand-alone executable which does not require any DLL or other resources; just launch it from any location. Its goal is to browse a file system or some directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in an XML database. FCIV is used in proactive and reactive ways. The first step is to build a database of hashes on a clean computer (proactive). Then the generated database is re-used to verify a potentially compromised system (reactive).
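The proactive/reactive workflow described above, as an added example (not FCIV's own code nor the author's): a Python script that builds a recursive MD5/SHA1 baseline into an XML database modelled on FCIV's layout (FCIV/FILE_ENTRY elements holding base64 digests, which is an assumption about the format), then verifies a tree against that baseline and reports modified, missing and new files. The sample tree in demo() is constructed for the example.

```python
import base64
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def hash_file(path):  # returns the (MD5, SHA1) pair base64-encoded, as FCIV stores them
    with open(path, "rb") as fh:
        data = fh.read()
    return tuple(base64.b64encode(h(data).digest()).decode() for h in (hashlib.md5, hashlib.sha1))

def build_baseline(root, db_path):
    """Proactive step: hash every file under root recursively into an XML database."""
    fciv = ET.Element("FCIV")
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            entry = ET.SubElement(fciv, "FILE_ENTRY")
            ET.SubElement(entry, "name").text = rel
            for tag, digest in zip(("MD5", "SHA1"), hash_file(os.path.join(root, rel))):
                ET.SubElement(entry, tag).text = digest
    ET.ElementTree(fciv).write(db_path, encoding="utf-8", xml_declaration=True)

def verify(root, db_path):
    """Reactive step: re-hash root and report modified, missing and new files."""
    baseline = {e.findtext("name"): (e.findtext("MD5"), e.findtext("SHA1"))
                for e in ET.parse(db_path).getroot().findall("FILE_ENTRY")}
    modified, new, seen = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            seen.add(rel)
            if rel not in baseline:
                new.append(rel)
            elif hash_file(os.path.join(root, rel)) != baseline[rel]:
                modified.append(rel)
    return {"modified": sorted(modified), "missing": sorted(set(baseline) - seen), "new": sorted(new)}

def demo():
    # Constructed sample tree (not real data): baseline it, tamper with it, verify.
    root, db = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp()) / "baseline.xml"
    (root / "sub").mkdir()  # the database lives outside root so it is never hashed itself
    for rel, data in [("a.txt", b"alpha"), ("sub/b.txt", b"beta"), ("c.txt", b"gamma")]:
        (root / rel).write_bytes(data)
    build_baseline(root, db)
    (root / "a.txt").write_bytes(b"ALPHA")  # modified in place
    (root / "c.txt").unlink()               # deleted
    (root / "d.txt").write_bytes(b"delta")  # new file unknown to the baseline
    return verify(root, db)
```

Run demo() to see the three categories of change an integrity check against a clean baseline exposes; a file that moved between directories shows up as one missing and one new entry, which is the same limitation a path-keyed hash database such as FCIV's has.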
Most big organizations work today with system images. The idea is to scan an unused, clean system (which will of course receive patches and software updates through a system like WSUS) and to generate a baseline of