AKB1000006: Checksum Verification of Downloaded Files
by Kirsty
Published 4 July 2017 | Rev 1.0
What are Checksums?
When files are downloaded from the internet, you can check them for integrity and data corruption errors by verifying their checksum before you run the file.
Checksums are often published by authors, and if a computed checksum matches the given checksum, it is probable that the file has not been corrupted or accidentally altered.
If a download is from a public source, rather than a password-protected site log-in, this precaution reduces the risk of exposing your computer to tampered or corrupted files.
Where is the Checksum found?
Often, checksums are published on the download pages, and may be called a File Hash or similar. For instance, on KB4012558, the information is visible after clicking on the down arrow at “File Hash” near the bottom of the page; Ubuntu builds have the numbers on their web pages.
Which Checksum Type?
Checksums differ according to their type. SHA1 has been deprecated as less than secure, but is still offered by Microsoft and others.
The new standard is SHA256, but the SHA-3 family already exists. Due to extensive vulnerabilities, MD5 is now only considered suitable for checks against corrupt downloads, not for file security. Other options also exist, but are less commonly used.
Calculate a Checksum to Compare:
There are several ways to generate checksums, to verify against the published checksum. Some are:
1) PowerShell
Using PowerShell 4.0 or later, the cmdlet “get-filehash [drive]:\[folder]\[filename]” gives the result as a SHA256 checksum by default, which may take some time. Other types can also be obtained with the use of parameters.
(For more about PowerShell, see PowerShell - Learning Virtually on MV Academy & MSDN Channel 9 from Videos, eBook)
2) MD5 & SHA Checksum Utility
This popular utility for checking checksums is available as a limited-option free or a full-featured paid version, and is referred to by many sites discussing this subject. It is also Woody’s go-to solution.
3) Multihasher
This is another freeware utility, available from the author’s site and also from the major download sites. MrBrian uses this one.
4) 7-Zip
7-Zip is a file archiver, which has the option to calculate a checksum. Open the program, navigate to the downloaded file, right click on the file, select Calculate Checksum. Alternatively, right click on the file, click 7-Zip, then Open Archive, where you can also right click the file, to select Calculate Checksum.
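For the PowerShell option (1) above, the comparison against the published value can be scripted instead of done by eye. This is an added example, not part of the original article: Test-PublishedChecksum is a hypothetical helper name, the sample file is constructed locally, and the algorithm is inferred from the length of the published value.

```powershell
# Added example: compare a file's computed hash with the checksum the author published.
# Test-PublishedChecksum is a hypothetical helper; Get-FileHash needs PowerShell 4.0 or later.
function Test-PublishedChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Published
    )

    # Published values are often pasted with spaces, colons, dashes or mixed case.
    $expected = ($Published -replace '[\s:-]', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]+$') {
        throw 'Published value is not a hexadecimal checksum.'
    }

    # Infer the algorithm from the number of hex characters in the digest.
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        96      { 'SHA384' }
        128     { 'SHA512' }
        default { throw "Unrecognised checksum length: $($expected.Length) hex characters." }
    }
    if ($algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$algorithm is not considered secure against tampering; use a SHA256 value if one is published."
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm).Hash
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)
    }
}

# Constructed sample: a three-byte file containing "abc" (written as UTF-8 without a BOM).
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-demo.txt'
[System.IO.File]::WriteAllText($sample, 'abc')

# First call: the standard SHA256 test vector for "abc", pasted with spaces as a web page might show it.
Test-PublishedChecksum -Path $sample -Published 'ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad'
# Second call: a deliberately wrong 64-character value, standing in for a corrupted or altered download.
Test-PublishedChecksum -Path $sample -Published ('0' * 64)
```

Treat the file as unverified unless the Match property is True, and take the published value from the author's own page rather than from the site that served the download.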
What about Digital Signatures:
Digital signatures on files can be verified by right-clicking on the file in Explorer, clicking Properties, selecting the Digital Signature tab, selecting the signer’s name, then clicking on Details. View Certificate is available in the new window that opens. This is for both the signer and the counter-signer.
Really Advanced Checking – Verifying Cryptographically Signed Hashes:
To protect from tampered hashes, such as in hacked websites, some checksums (hashes) are cryptographically signed.
Additional resources:
bhoover.com
maketecheasier.com
