🔍 File Integrity Monitor
A Python-based File Integrity Monitor (FIM) that uses SHA-256 hashing to detect unauthorised changes to files — just like enterprise tools Tripwire and AIDE. Supports both snapshot-based scanning and real-time live monitoring.
📸 Preview
╔══════════════════════════════════════════╗
║ 🔍 FILE INTEGRITY MONITOR ║
║ SHA-256 Baseline + Live Watchdog ║
╚══════════════════════════════════════════╝
[1] Create baseline snapshot
[2] Run integrity scan
[3] Start live real-time monitor
[4] View saved baseline info
[0] Exit
══════════════════════════════════════════════════════════════
FILE INTEGRITY REPORT
Directory : C:\Users\user\Documents\secure-folder
Scanned : 2025-01-01 14:32:11
══════════════════════════════════════════════════════════════
[+] ADDED FILES (1):
+ reports\new_report.pdf
Size: 204,800 bytes | Time: 2025-01-01 14:30:00
[-] DELETED FILES (1):
- config\settings.cfg
Was: 1,024 bytes | Last seen: 2024-12-30 10:00:00
[~] MODIFIED FILES (1):
~ passwords\vault.txt
Old hash : a3f1c2d4e5b6...
New hash : 9f8e7d6c5b4a...
⚠ ALERT: Changes detected that may indicate tampering!
🚀 Features
- ✅ SHA-256 baseline — fingerprints every file in a directory
- ✅ 3-type change detection — Added, Deleted, Modified
- ✅ Live real-time monitor — instant alerts using watchdog
- ✅ Baseline persistence — saves snapshots as JSON for later comparison
- ✅ Memory-efficient — reads files in 8KB chunks (handles large files)
- ✅ Recursive scanning — catches changes in all subdirectories
- ✅ Security alerts — warns when sensitive-looking files are modified
⚙️ Installation & Usage
Requirements
- Python 3.8+
Install dependency
pip install watchdog
Run it
git clone https://github.com/yourusername/file-integrity-monitor.git
cd file-integrity-monitor
python file_integrity_monitor.py
🔬 How It Works
Step 1 — Create Baseline
Walk directory → Hash every file with SHA-256 → Save to JSON
Step 2 — Scan for Changes
Walk directory again → Hash every file again
Compare new hashes vs baseline:
New file? → ADDED
Hash changed? → MODIFIED
File missing? → DELETED
Step 3 — Live Monitor (optional)
watchdog library watches filesystem events in real time
→ Prints instant alert when any file changes
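Steps 1 and 2 above, as an added example (not the project's own code): the function names `hash_file`, `snapshot`, `compare` and `demo`, the `UNREADABLE` marker and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 8192  # 8 KB reads so large files are never loaded whole

def hash_file(path):
    """SHA-256 hex digest of one file, read in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Step 1: walk root recursively, mapping relative path -> hash."""
    hashes = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            try:
                hashes[rel] = hash_file(os.path.join(root, rel))
            except OSError:
                hashes[rel] = "UNREADABLE"  # keep it visible to the comparison
    return hashes

def compare(baseline, current):
    """Step 2: classify each path as added, deleted or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: one file changed, one removed, one created."""
    def write(root, rel, data):
        with open(os.path.join(root, rel), "wb") as handle:
            handle.write(data)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "config"))
        write(root, "vault.txt", b"secret")
        write(root, os.path.join("config", "settings.cfg"), b"a=1")
        baseline = snapshot(root)
        write(root, "vault.txt", b"secreT")  # single-byte change
        os.remove(os.path.join(root, "config", "settings.cfg"))
        write(root, "new_report.pdf", b"%PDF")
        return compare(baseline, snapshot(root))
```

A scan is only as trustworthy as the stored baseline, so keep the JSON snapshot somewhere the monitored account cannot write to.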
Why SHA-256?
Original file : SHA-256 = a3f1c2d4e5b6...
Change 1 byte : SHA-256 = 9f8e7d6c5b4a... ← Completely different!
SHA-256 is a one-way cryptographic hash function. Changing even a single character produces a completely different hash, so any modification shows up as a mismatch against the baseline hash.
🏢 Real-World Equivalents
| Tool | Used By |
|---|---|
| Tripwire | Enterprise servers |
| AIDE | Linux systems |
| Windows File Integrity Monitoring | Azure Defender |
| This project | You! |
📁 Project Structure
file-integrity-monitor/
│
├── file_integrity_monitor.py # Main script
├── fim_baseline.json # Auto-generated baseline (after first run)
└── README.md # This file
🧠 What I Learned
- How SHA-256 hashing works and why it detects file tampering
- What a baseline is and how enterprise IDS tools use it
- Python's hashlib module for cryptographic hashing
- Reading files in chunks for memory-efficient processing
- Real-time filesystem monitoring using the watchdog library
- How os.walk() recursively traverses directories
⚠️ Disclaimer
This tool is for educational and defensive use only. Use it to monitor directories you own or have permission to monitor.
📄 License
MIT — free to use, modify, and distribute.
