FIM uses cryptographic hashes to detect unauthorized changes to critical files — OS binaries, config files, web pages. Alerts when hashes don't match baseline.
FIM detects rootkits, webshells, and configuration tampering. Tools: Tripwire, OSSEC, Windows File Resource Manager. PCI DSS requires FIM on cardholder data environment systems.