File Integrity Monitor — Detect Tampering

Take a SHA-256 snapshot of a folder today; check back next week, next month, or after an incident, and the tool tells you exactly which files were added, deleted, or modified since the snapshot was taken. Same idea as Tripwire / AIDE / Samhain — the established integrity monitors — but with a GUI, no daemon, no config files. Just point at a folder, snapshot, monitor.

How it works

The first run walks the folder and computes a SHA-256 hash for every file. Hashes plus file metadata (size, mtime, path) are stored in a snapshot file (JSON, human-readable). Subsequent runs walk the folder again, recompute the hashes, and diff against the snapshot. Added files are listed (in the folder now, not in the snapshot). Deleted files are listed (in the snapshot, missing now). Modified files are flagged where the SHA-256 changed.
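
The snapshot-and-compare logic described above, as an added Python example (not the tool's own code); the JSON layout and the function names are assumptions, and the `touched` list corresponds to the "touched but unchanged" case from the Q&A further down.

```python
import hashlib
import json
import os


def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large files never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def take_snapshot(root):
    """Record sha256, size and mtime for every regular file under root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are skipped
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": st.st_size,
                          "mtime_ns": st.st_mtime_ns}
    return {"algorithm": "sha256", "files": files}  # assumed JSON layout


def save_snapshot(snapshot, path):
    """Write the snapshot as human-readable JSON."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snapshot, f, indent=2, sort_keys=True)


def compare(snapshot_path, root):
    """Re-hash root and diff it against the stored snapshot."""
    with open(snapshot_path, encoding="utf-8") as f:
        old = json.load(f)["files"]
    new = take_snapshot(root)["files"]
    report = {"added": sorted(new.keys() - old.keys()),
              "deleted": sorted(old.keys() - new.keys()),
              "modified": [], "touched": []}
    for path in sorted(old.keys() & new.keys()):
        if old[path]["sha256"] != new[path]["sha256"]:
            report["modified"].append(path)
        elif old[path]["mtime_ns"] != new[path]["mtime_ns"]:
            report["touched"].append(path)  # same content, new timestamp
    return report
```

Write the snapshot outside the monitored folder; otherwise the snapshot file itself shows up as an added file on the next compare.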

How to use it

  1. Open Tools → Security & Cryptography → File Integrity Monitor.
  2. Pick the folder you want to monitor (your web root, application binaries, config directory, source code repo, etc.).
  3. Click Take snapshot. Save the snapshot JSON somewhere safe (ideally on different storage than the monitored folder — e.g. a USB key in a drawer).
  4. Later, open the snapshot file and click Compare against folder. You get the three lists: added / deleted / modified.

When this matters

Web server compromise detection: A monthly snapshot of /var/www/ catches injected backdoor PHP files.

Config drift: Monitor /etc/ on a production server.

Backup verification: Snapshot a backup folder once, verify the data hasn't bit-rotted by re-comparing later.

Build reproducibility: Snapshot a clean build output, verify rebuilds match.

Questions and answers

How long does a snapshot take?

Limited by disk read speed. A folder with 10 GB of files takes a couple of minutes on a modern SSD. Re-compare is the same — both passes read every file.

What if a file's mtime changed but content didn't?

It's reported as "touched but unchanged" — handy for catching things like rsync's timestamp updates that don't actually modify content.

Can I monitor multiple folders?

Yes — save one snapshot per folder. Snapshots are independent files.

Is the snapshot tamper-resistant?

Best practice: store the snapshot on different storage than the monitored folder, ideally read-only or offline media. An attacker who can rewrite both your folder AND your snapshot cannot be stopped by integrity monitoring alone — but most attackers don't check for a snapshot.

Get MiniMax Converter

Cross-platform desktop app. Linux free for non-commercial use; Windows & macOS one-time €20 license. No subscription, no telemetry, no account.