A PowerShell-based file integrity monitoring tool that detects unauthorized changes to files by comparing cryptographic hashes against a known baseline.
File Integrity Monitoring is a critical security practice that helps detect unauthorized modifications to files. This tool creates a baseline of file hashes and continuously monitors for changes, alerting you when files are created, modified, deleted, or restored.
- SHA-512 cryptographic hashing for reliable change detection
- Real-time continuous monitoring with configurable intervals
- Recursive directory scanning (includes subdirectories)
- Comprehensive logging to both console and file
- Color-coded console output for quick visual identification
- Detection of new, modified, deleted, and restored files
- Built-in log viewer with syntax highlighting
- Log management (view and clear options)
- Centralized configuration for easy customization
- Windows PowerShell 5.1 or later
- Windows, macOS, or Linux (with PowerShell Core)
When you run the script, you will see the following menu:
```
====================================
File Integrity Monitor (FIM)
====================================
[A] Collect new Baseline
[B] Begin monitoring files
[C] View log file
[D] Clear log file
[Q] Quit
```
Creates a new baseline by calculating SHA-512 hashes for all files in the target directory. This should be run:
- During initial setup
- After making authorized changes to files
- When you want to establish a new "known good" state
Starts continuous monitoring of the target directory. The monitor will alert you when:
| Event | Description | Console Color |
|---|---|---|
| NEW | A file was created that wasn't in the baseline | Green |
| MODIFIED | A file's content has changed (hash mismatch) | Yellow |
| DELETED | A baseline file no longer exists | Red |
| RESTORED | A previously deleted file has reappeared | Cyan |
Displays the contents of the log file with color-coded entries matching the event types.
Deletes the existing log file to start fresh.
Configuration variables are located at the top of the script for easy customization:
```powershell
$TargetFolder = ".\Files"          # Directory to monitor
$BaselineFile = ".\baseline.txt"   # Baseline storage location
$LogFile = ".\fim_log.txt"         # Log file location
$HashAlgorithm = "SHA512"          # Hashing algorithm
$MonitoringInterval = 1            # Check interval in seconds
```

You can change the $HashAlgorithm variable to any algorithm supported by PowerShell's Get-FileHash cmdlet:
- SHA1
- SHA256
- SHA384
- SHA512 (default, recommended)
- MD5 (considered insecure)
All events are logged to fim_log.txt with timestamps and severity levels:
- Baseline Creation: The tool scans the target directory and calculates a SHA-512 hash for each file. These hashes are stored in `baseline.txt` in the format `filepath|hash`.
- Monitoring Loop: During monitoring, the tool:
  - Scans the target directory every N seconds (configurable)
  - Calculates current hashes for all files
  - Compares against the baseline dictionary
  - Alerts on any discrepancies
  - Tracks alert state to prevent duplicate notifications
- Change Detection:
  - New files: File path not found in baseline
  - Modified files: Hash doesn't match baseline
  - Deleted files: Baseline path no longer exists on disk
  - Restored files: Previously deleted file reappears
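
The comparison pass described above, written out as an added example; it is not the tool's own code. `Read-Baseline` and `Get-FimEvents` are hypothetical names, the demo folder and file contents are constructed, and the baseline is assumed to store full paths in the `filepath|hash` format.

```powershell
# Added example, not the tool's code. Function names are hypothetical.
function Read-Baseline([string]$Path) {
    $map = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Split on the last '|': a hex hash never contains one, a Linux/macOS path can.
        $i = $line.LastIndexOf('|')
        if ($i -gt 0) { $map[$line.Substring(0, $i)] = $line.Substring($i + 1) }
    }
    $map
}
function Get-FimEvents([hashtable]$Baseline, [string]$Folder, [hashtable]$Alerted,
                       [string]$Algorithm = 'SHA512') {
    $current = @{}
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $current[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
    }
    foreach ($path in @($Baseline.Keys) + @($current.Keys) | Sort-Object -Unique) {
        $state = if (-not $current.ContainsKey($path))         { 'DELETED' }
                 elseif (-not $Baseline.ContainsKey($path))    { 'NEW' }
                 elseif ($Baseline[$path] -ne $current[$path]) { 'MODIFIED' }
                 else                                          { 'OK' }
        $last = $Alerted[$path]
        if ($state -eq $last) { continue }            # already reported: no duplicate alert
        if ($state -eq 'OK') {
            $Alerted.Remove($path)
            if ($last -ne 'DELETED') { continue }     # e.g. a modification was reverted
            $state = 'RESTORED'                       # back on disk with the baseline hash
        } else { $Alerted[$path] = $state }
        [pscustomobject]@{ Event = $state; Path = $path }
    }
}

# Constructed demo: temp folder, three files, a baseline, then one change of each kind.
$dir = Join-Path ([IO.Path]::GetTempPath()) "fim-demo-$PID"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
'a', 'b', 'c' | ForEach-Object { Set-Content -LiteralPath (Join-Path $dir "$_.txt") -Value $_ }
$baselineFile = Join-Path ([IO.Path]::GetTempPath()) "fim-demo-$PID.baseline.txt"
Get-ChildItem -LiteralPath $dir -File -Recurse | ForEach-Object {
    "$($_.FullName)|$((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA512).Hash)"
} | Set-Content -LiteralPath $baselineFile
$baseline = Read-Baseline $baselineFile; $alerted = @{}
Set-Content (Join-Path $dir 'a.txt') 'tampered'; Remove-Item (Join-Path $dir 'b.txt')
Set-Content (Join-Path $dir 'd.txt') 'new'
Get-FimEvents $baseline $dir $alerted    # first pass after the three changes
Get-FimEvents $baseline $dir $alerted    # second pass, nothing changed on disk since
Set-Content (Join-Path $dir 'b.txt') 'b'
Get-FimEvents $baseline $dir $alerted    # third pass after b.txt is put back
Remove-Item -LiteralPath $dir, $baselineFile -Recurse -Force
```

In this sketch a file that was deleted and comes back with different content is reported as MODIFIED rather than RESTORED, since its hash no longer matches the baseline.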
- Security Monitoring: Detect unauthorized changes to critical system files
- Configuration Management: Track changes to configuration files
- Compliance: Meet regulatory requirements for file integrity monitoring (PCI-DSS, HIPAA, etc.)
- Development: Monitor build artifacts or deployment directories
- Forensics: Establish baselines for incident response
Disclaimer: This tool is provided for educational and legitimate security monitoring purposes. Always ensure you have proper authorization before monitoring files on any system.




