When you download a file from the internet, like an installer for a program or a full disc image for a version of Linux or Windows, it can be hard to know whether the file is trustworthy, or whether it was modified somewhere along the way to carry malware. So how do you know if something is safe to use?
The usual method is a “checksum” or, more precisely, a cryptographic file hash (MD5, SHA-1 or SHA-256). These are long strings of letters and numbers (hexadecimal digits) and are usually provided by the site you’re downloading from. A hash is like a fingerprint of the file’s exact bytes: change a single byte and the hash changes completely, which also means that if the version number of the program has changed, you can bet the checksum has too. One thing to keep in mind before we start: a hash only proves that the file you got is byte-for-byte the same file the person who published the hash had. It proves the file is safe only if you trust whoever published the hash, which is why the best source is the vendor’s own site. So here’s a little tutorial on how to use checksums.
1. Let’s say you want to download Windows 7 Pro, with SP1, 64-bit, English US. You hunt across the internet, then find a download and a “checksum” for the file you’re downloading. It’s usually an MD5 or SHA-1 hash (newer sites tend to publish SHA-256), hopefully from a source you trust. For example, this page (https://forums.whirlpool.net.au/archive/1755258) lists the checksum for “en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso” as 0BCFC54019EA175B1EE51F6D2B207A3D14DD2B58 (40 hex characters, so it’s a SHA-1 hash). But if I don’t know who “whirlpool.net.au” is, or if I don’t trust the forum user who posted it there, then what do I do?
2. Google that checksum to see whether multiple, independent sources confirm its validity. This forum post confirms the same checksum for the same file name: https://answers.microsoft.com/en-us/windows/forum/all/download-a-legitimate-copy-of-windows-7-pro-64/2d7e45a4-a2d1-4410-895b-6387d036de13. Keep in mind that a checksum can be copied from forum to forum just like anything else, so several matching posts show that those people all had the same file, not that the file is clean. Weight a vendor page or a known maintainer far above an anonymous post.
3. Search for the same checksum on Archive.org; a good upload will usually post its checksums in the description. I found this link: https://archive.org/details/Windows_7_Professional_SP1_x64.iso
4. AFTER you download the file, don’t take anyone’s word for it: hash the ISO file yourself using a free tool like Hash Checker, available in the Windows store. Compare the MD5 or SHA-1 hash that the program computes for the file you downloaded with the cross-referenced sources from steps 1 to 3, and voilà! You’ve got a solid method for making sure the ISO you downloaded is the one those sources were describing. If the hash doesn’t match, the file you downloaded is either corrupted or has been tampered with; either way, don’t use it, and download it again from a different source. Two caveats: the comparison must cover the whole hash, not just the first few characters, and MD5 and SHA-1 are both considered broken against deliberate collisions, so when a site offers SHA-256 as well, check that one.
If you really want to feel like a wizard, you can compute the checksum without downloading any third-party tools, using PowerShell!
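Here is an added PowerShell example that walks through step 4 end to end (it is written for this edit and is not the original post’s snippet). It uses the built-in Get-FileHash cmdlet, picks the algorithm from the length of the published hash, compares case-insensitively (sites publish hashes in either case) and refuses to report a match on a partial or missing file. The ISO path is a placeholder you must replace; the expected SHA-1 is the one quoted in step 1.

```powershell
# Added example, not part of the original post.
# Assumptions: $Path is a placeholder; substitute the real location of your download.

function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA512')] [string] $Algorithm
    )

    $expected = $ExpectedHash.Trim()

    # Published hashes must be hex; anything else is a copy/paste error, not a file to check.
    if ($expected -notmatch '^[0-9A-Fa-f]+$') {
        throw "Expected hash contains non-hex characters: '$expected'"
    }

    # Infer the algorithm from the digest length if the caller did not say:
    # MD5 = 32 hex chars, SHA-1 = 40, SHA-256 = 64, SHA-512 = 128.
    if (-not $Algorithm) {
        $Algorithm = switch ($expected.Length) {
            32  { 'MD5' }
            40  { 'SHA1' }
            64  { 'SHA256' }
            128 { 'SHA512' }
            default { throw "Expected hash has an unrecognised length ($($expected.Length) hex characters)." }
        }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Get-FileHash ships with PowerShell 4 and later (Windows 8.1 / Server 2012 R2 onward).
    # It returns the digest as upper-case hex in the .Hash property.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash

    # -eq on strings is case-insensitive in PowerShell, so 'abcd' and 'ABCD' compare equal.
    # The full digest is compared; a prefix match is not good enough.
    $match = ($actual -eq $expected)

    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expected.ToUpperInvariant()
        Actual    = $actual
        Match     = $match
    }
}

# Usage: placeholder path, SHA-1 quoted in step 1 for the Windows 7 Pro SP1 x64 ISO.
$result = Test-DownloadHash `
    -Path 'C:\Downloads\en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso' `
    -ExpectedHash '0BCFC54019EA175B1EE51F6D2B207A3D14DD2B58'

$result | Format-List

if ($result.Match) {
    Write-Host 'OK: the file is byte-for-byte the one the published hash describes.'
} else {
    Write-Warning 'Hash mismatch: the download is corrupt or is not the file the hash was published for. Do not use it.'
}
```

If the site publishes a SHA-256 as well, pass that instead: the function will switch to SHA256 on its own from the 64-character length. Remember that a green “OK” here only ties your copy to the hash’s publisher; it is step 2’s cross-checking, ideally against the vendor, that tells you whether that publisher is worth trusting.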