Computer Forensics BACS 371

Computer Forensics
BACS 371
Computer System Basics 1
Number Systems & Text Representation
Computer System Basics

Number Systems
• Decimal (base 10)
• Binary (base 2)
• Octal (base 8)
• Hexadecimal (base 16)
• Conversions
• Little Endian vs. Big Endian

Text Representation
• ASCII
• EBCDIC
• Unicode
Number Systems
• Decimal – base 10
• Binary – base 2
• Octal – base 8
• Hexadecimal – base 16

Decimal Number System

Base 10
• Uses digits 0~9
• Based on powers of 10

Power:   10⁵      10⁴     10³   10²  10¹  10⁰
Weight:  100,000  10,000  1000  100  10   1
Digit:   3        2       7     1    9    4

3 * 10⁵ = 300,000
2 * 10⁴ = 20,000
7 * 10³ = 7,000
1 * 10² = 100
9 * 10¹ = 90
4 * 10⁰ = 4
------------------------------ TOTAL = 327,194
Binary Number System

Base 2
• Uses digits 0~1
• Based on powers of 2

Power:   2⁵  2⁴  2³  2²  2¹  2⁰
Weight:  32  16  8   4   2   1
Digit:   1   1   0   1   0   1

1 * 2⁵ = 32
1 * 2⁴ = 16
0 * 2³ = 0
1 * 2² = 4
0 * 2¹ = 0
1 * 2⁰ = 1
------------------------------ 110101₂ = 53₁₀

Base 10   Base 2
0         0
1         1
2         10
3         11
4         100
5         101
6         110
7         111
8         1000
9         1001
10        1010
11        1011
12        1100
13        1101
14        1110
15        1111
Octal Number System

Base 8
• Uses digits 0~7
• Based on powers of 8

Power:   8⁴    8³   8²  8¹  8⁰
Weight:  4096  512  64  8   1
Digit:   7     0    2   6   5

7 * 8⁴ = 28,672
0 * 8³ = 0
2 * 8² = 128
6 * 8¹ = 48
5 * 8⁰ = 5
------------------------------ 70265₈ = 28,853₁₀

Base 10   Base 8
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         10
9         11
10        12
11        13
12        14
13        15
14        16
15        17
Hexadecimal Number System

Base 16
• Uses digits 0~9 and A, B, C, D, E, F
• Based on powers of 16

Power:   16⁵        16⁴     16³   16²  16¹  16⁰
Weight:  1,048,576  65,536  4096  256  16   1
Digit:   3          F       7     A    0    E

3 * 16⁵ = 3,145,728
F * 16⁴ = 983,040
7 * 16³ = 28,672
A * 16² = 2560
0 * 16¹ = 0
E * 16⁰ = 14
------------------------------ 3F7A0E₁₆ = 10,451,470₁₀

Base 10   Base 16
0         0
1         1
2         2
3         3
4         4
5         5
6         6
7         7
8         8
9         9
10        A
11        B
12        C
13        D
14        E
15        F
Number System Comparison

Decimal   Binary   Octal   Hexadecimal
0         0        0       0
1         1        1       1
2         10       2       2
3         11       3       3
4         100      4       4
5         101      5       5
6         110      6       6
7         111      7       7
8         1000     10      8
9         1001     11      9
10        1010     12      A
11        1011     13      B
12        1100     14      C
13        1101     15      D
14        1110     16      E
15        1111     17      F
Number System Representations

Binary
• 01001101b
• 01001101₂

Octal
• 115o – note: the trailing character is a lowercase ‘oh’
• 115₈

Hexadecimal
• 0x4D – note: the leading character is a zero
• 4Dh
• 4D₁₆
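The positional expansion drawn in each of the tables above, and the notations listed on this slide, as an added Python example that is not part of the lecture slides. `expand()` rebuilds the digit × weight rows and their sum for any base from 2 to 16, `to_base()` converts an integer back to a numeral, and `parse_literal()` reads the b/₂, o/₈ and 0x/h/₁₆ forms from the list above (a bare decimal numeral is accepted too). All function names are this example's own choice. Run on the slides' own numerals it confirms 110101₂ = 53₁₀ and 70265₈ = 28,853₁₀; for 3F7A0E₁₆ the six partial products printed on the slide add up to 4,160,014.

```python
"""Positional number systems: expand, convert back, and read the notations.

Added example, not part of the lecture slides.  expand() rebuilds the
digit * weight rows from the slide tables for any base from 2 to 16,
to_base() converts an integer back to a numeral, and parse_literal()
reads the suffix/prefix notations from the "Number System Representations"
slide.  All names are this example's own.
"""
import re

DIGITS = "0123456789ABCDEF"


def expand(numeral, base):
    """Return (rows, total): rows are (digit, weight, product), most significant first."""
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    rows = []
    for position, ch in enumerate(reversed(numeral.upper())):
        if ch not in DIGITS or DIGITS.index(ch) >= base:
            raise ValueError(f"{ch!r} is not a valid base-{base} digit")
        weight = base ** position
        rows.append((ch, weight, DIGITS.index(ch) * weight))
    rows.reverse()  # present most significant digit first, as the slides do
    return rows, sum(product for _, _, product in rows)


def to_base(number, base):
    """Convert a non-negative integer to a numeral string (repeated division by the base)."""
    if number < 0 or not 2 <= base <= 16:
        raise ValueError("need a non-negative integer and a base between 2 and 16")
    if number == 0:
        return "0"
    digits = []
    while number:
        number, remainder = divmod(number, base)
        digits.append(DIGITS[remainder])
    return "".join(reversed(digits))


# Notations on the slide: 01001101b / 01001101₂, 115o / 115₈, 0x4D / 4Dh / 4D₁₆.
# A bare decimal numeral (optionally with ₁₀) is accepted as well.
_LITERAL = re.compile(
    r"^(?:0x(?P<hex_0x>[0-9A-Fa-f]+)|(?P<hex_h>[0-9A-Fa-f]+)h|(?P<hex_sub>[0-9A-Fa-f]+)₁₆"
    r"|(?P<oct_o>[0-7]+)o|(?P<oct_sub>[0-7]+)₈"
    r"|(?P<bin_b>[01]+)b|(?P<bin_sub>[01]+)₂"
    r"|(?P<dec>[0-9]+)(?:₁₀)?)$"
)
_BASES = {"hex_0x": 16, "hex_h": 16, "hex_sub": 16, "oct_o": 8, "oct_sub": 8,
          "bin_b": 2, "bin_sub": 2, "dec": 10}


def parse_literal(literal):
    """Return (value, base) for a numeral written in one of the slide's notations."""
    match = _LITERAL.match(literal.strip())
    if not match:
        raise ValueError(f"unrecognised numeral notation: {literal!r}")
    name = match.lastgroup          # the one alternative that matched
    return int(match.group(name), _BASES[name]), _BASES[name]


if __name__ == "__main__":
    for numeral, base in (("327194", 10), ("110101", 2), ("70265", 8), ("3F7A0E", 16)):
        rows, total = expand(numeral, base)
        for digit, weight, product in rows:
            print(f"{digit} * {weight:>9,} = {product:>11,}")
        print(f"{'-' * 30} {numeral} (base {base}) = {total:,}")
    for literal in ("01001101b", "115o", "0x4D", "4Dh", "4D₁₆"):
        print(literal, "->", parse_literal(literal))
```

The expansion loop walks the numeral from its least significant digit so that the position index is the exponent directly; the rows are reversed only for display.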

Little Endian vs. Big Endian
http://www.noveltheory.com/TechPapers/endian.asp
Please read this.
Deals with the order in which bytes are stored on Intel-based versus
non-Intel-based computers.

• Intel-based are normally PC-type computers
• Non-Intel-based are normally mainframe computers
• Little Endian – stored left-to-right (Intel-based)
• Big Endian – stored right-to-left (mainframe)
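Byte order made concrete, as an added Python example that is not part of the lecture slides. The slide's "left-to-right / right-to-left" wording comes down to this: little-endian places the least significant byte at the lowest address, big-endian places the most significant byte there. The sample value, the record buffer and the function names are this example's own; the buffer is constructed and does not follow any real file format.

```python
"""Little-endian vs. big-endian byte order (added example, not from the slides)."""
import struct


def both_orders(value, width=4):
    """Return the bytes of an unsigned integer as (little-endian, big-endian) hex strings."""
    little = value.to_bytes(width, "little")   # least significant byte first
    big = value.to_bytes(width, "big")         # most significant byte first
    return little.hex(" ").upper(), big.hex(" ").upper()


def read_u32(buffer, offset, order):
    """Read an unsigned 32-bit field from a byte buffer; order is 'little' or 'big'."""
    field = buffer[offset:offset + 4]
    if len(field) != 4:
        raise ValueError("buffer too short for a 32-bit field at this offset")
    return int.from_bytes(field, order)


def interpret_field(field):
    """Decode the same four bytes under different assumptions.

    Returns the little- and big-endian integer readings, the struct module's
    equivalent of each (so the two APIs can be compared), and the bytes
    rendered as ASCII with non-printing bytes shown as '.'.
    """
    if len(field) != 4:
        raise ValueError("expected exactly four bytes")
    return {
        "little": int.from_bytes(field, "little"),
        "big": int.from_bytes(field, "big"),
        "struct_little": struct.unpack("<I", field)[0],
        "struct_big": struct.unpack(">I", field)[0],
        "ascii": "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in field),
    }


# Constructed record: a 4-byte little-endian length field (44) followed by an
# ASCII payload.  Not taken from any real on-disk structure.
SAMPLE_RECORD = (44).to_bytes(4, "little") + b"BACS371"

if __name__ == "__main__":
    print("0x12345678 as LE / BE bytes:", both_orders(0x12345678))
    print("length field read as LE:", read_u32(SAMPLE_RECORD, 0, "little"))
    print("same field read as BE (wrong assumption):", read_u32(SAMPLE_RECORD, 0, "big"))
    print("bytes 'ABCD' under each reading:", interpret_field(b"ABCD"))
```

Reading the constructed length field with the wrong byte order turns 44 into 738,197,504, which is the kind of error that shows up when a PC-format structure is decoded with mainframe assumptions or vice versa.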
Text Representations
Text values stored in a computer can be in several formats
• ASCII
• EBCDIC
• Unicode (various types)

By far, the most common is ASCII
ASCII

• ASCII, pronounced "ask-key", is the common code for microcomputer equipment
• American Standard Code for Information Interchange
• Proposed by ANSI in 1963, and finalized in 1968
• The standard ASCII character set consists of 128 decimal numbers ranging from zero through 127, assigned to letters, numbers, punctuation marks, and the most common special characters
• The first 32 codes are reserved for “non-printing” or “control” characters – these supported the original teletype systems
• The Extended ASCII Character Set also consists of 128 decimal numbers and ranges from 128 through 255, representing additional special, mathematical, graphic, and foreign characters
ASCII Table
Extended ASCII Table
Text <-> Binary Converters

http://students.washington.edu/cwei/tools/binary.shtml
http://www.sitinthecorner.com/binary/binary.php

TEXT
Hello World
BINARY
01001000 01100101 01101100 01101100
01101111 00100000 01010111 01101111
01110010 01101100 01100100
Hex
48 65 6C 6C 6F 20 57 6F 72 6C 64
Text      Binary     Octal   Hex
H         01001000   110     48
e         01100101   145     65
l         01101100   154     6C
l         01101100   154     6C
o         01101111   157     6F
(space)   00100000   040     20
WinHex View
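The per-character table above and the hex-editor view it leads into, as an added Python example that is not part of the lecture slides. `char_table()` produces the Text / Binary / Octal / Hex columns for any ASCII string, and `hex_dump()` renders a byte buffer the way WinHex and similar tools do: file offset, hex bytes, then an ASCII column with non-printing bytes shown as `.`. The function names and the sample buffer are this example's own.

```python
"""Text <-> binary/octal/hex, and a hex-dump view (added example, not from the slides)."""


def char_table(text):
    """Return (char, 8-bit binary, 3-digit octal, 2-digit hex) for each ASCII character."""
    rows = []
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError(f"{ch!r} is not a 7-bit ASCII character")
        rows.append((ch, f"{code:08b}", f"{code:03o}", f"{code:02X}"))
    return rows


def text_to_binary(text):
    """Space-separated 8-bit groups, the form the converter slide shows."""
    return " ".join(row[1] for row in char_table(text))


def text_to_hex(text):
    """Space-separated upper-case hex bytes, the form the converter slide shows."""
    return " ".join(row[3] for row in char_table(text))


def hex_dump(data, width=16):
    """Render bytes as hex-editor style lines: offset, hex column, ASCII column."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        # pad the hex column so the ASCII column lines up on a short last line
        hex_col = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        text_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{offset:08X}  {hex_col}  {text_col}")
    return lines


if __name__ == "__main__":
    for row in char_table("Hello "):
        print("%-7r %s %s %s" % row)
    print(text_to_binary("Hello World"))
    print(text_to_hex("Hello World"))
    # Constructed buffer: text plus a few control bytes, to show the '.' placeholder.
    for line in hex_dump(b"Hello World\r\n\x00\x01" + b"BACS 371 forensics"):
        print(line)
```

The printable range test (0x20 to 0x7E) is what makes control characters and bytes above 127 appear as dots in the right-hand column, so a run of dots in a dump is a hint that the bytes are not ASCII text at all.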
EBCDIC

• Extended Binary Coded Decimal Interchange Code
• Originally used by IBM-based mainframes
• Totally different encoding scheme from ASCII and Unicode
• Still used, but not as prevalent as in the past
Unicode
Character coding standard used in NTFS
• “Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.” http://www.unicode.org
• Three varieties of Unicode Transformation Format
  • UTF-8 – identical to ASCII for western languages
  • UTF-16 – 16 bits per character
  • UTF-32 – 32 bits per character
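The three UTF forms side by side, as an added Python example that is not part of the lecture slides. It shows why UTF-8 can be called identical to ASCII for plain English text while the same characters take 2 or 4 bytes in UTF-16 and UTF-32, and what a UTF-16LE string looks like in a hex dump, where every ASCII letter is followed by a 00 byte. The sample strings, the detection heuristic and the function names are this example's own.

```python
"""UTF-8 / UTF-16 / UTF-32 compared (added example, not from the slides)."""

ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be", "utf-32-le")


def encode_all(text):
    """Return {encoding: upper-case hex bytes}; None where the encoding cannot represent text."""
    result = {}
    for enc in ENCODINGS:
        try:
            result[enc] = text.encode(enc).hex(" ").upper()
        except UnicodeEncodeError:
            result[enc] = None          # e.g. ASCII has no code for 'é'
    return result


def utf8_matches_ascii(text):
    """True when the UTF-8 bytes are byte-for-byte the ASCII bytes (only 7-bit text)."""
    try:
        return text.encode("utf-8") == text.encode("ascii")
    except UnicodeEncodeError:
        return False


def looks_like_utf16le_ascii(data):
    """Constructed heuristic: printable ASCII in the low byte, 0x00 in the high byte of every pair.

    This is the 'H.e.l.l.o.' pattern seen in hex dumps of Windows/NTFS strings.
    """
    if len(data) < 2 or len(data) % 2:
        return False
    return all(data[i + 1] == 0 and 0x20 <= data[i] < 0x7F
               for i in range(0, len(data), 2))


if __name__ == "__main__":
    for sample in ("Hello", "Hé"):
        print(sample)
        for enc, hexbytes in encode_all(sample).items():
            print(f"  {enc:10} {hexbytes}")
    print("UTF-8 of 'Hello' is plain ASCII:", utf8_matches_ascii("Hello"))
    print("UTF-16LE pattern in", "Hello".encode("utf-16-le"),
          "->", looks_like_utf16le_ascii("Hello".encode("utf-16-le")))
```

Note that Python's plain `"utf-16"` codec prepends a byte-order mark and uses the platform's native order; the explicit `-le` / `-be` names used here fix the order, which is what you want when matching bytes seen in a dump.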
Why do we care?

• As a forensic analyst, you will be working with different number systems and encoding schemes.
• You need to understand the conversion process between the different number systems and, if necessary, perform them by hand.
• You also need to understand hexadecimal and ASCII well enough to be able to interpret “hex dumps.”
But wait…. There’s more!

• All the encoding schemes covered only apply to “text” data.
• There are different encoding methods for other types of digital evidence (e.g., numbers, dates, times, executable programs, …).
• The computer stores everything as 1’s and 0’s, and the way you (and the computer) interpret groups of bits depends upon the context.