This document contains instructions for three exercises related to computer forensics. Exercise 1 involves byte-level calculations and conversions between binary, decimal, and hexadecimal representations. Exercise 2 distinguishes between big-endian and little-endian ordering of bytes in multi-byte values. Exercise 3 provides tasks using the dd tool to copy portions of files and compute hash values.
This document contains instructions for three exercises related to computer forensics. Exercise 1 involves byte-level calculations and conversions between binary, decimal, and hexadecimal representations. Exercise 2 distinguishes between big-endian and little-endian ordering of bytes in multi-byte values. Exercise 3 provides tasks using the dd tool to copy portions of files and compute hash values.
This document contains instructions for three exercises related to computer forensics. Exercise 1 involves byte-level calculations and conversions between binary, decimal, and hexadecimal representations. Exercise 2 distinguishes between big-endian and little-endian ordering of bytes in multi-byte values. Exercise 3 provides tasks using the dd tool to copy portions of files and compute hash values.
This document contains instructions for three exercises related to computer forensics. Exercise 1 involves byte-level calculations and conversions between binary, decimal, and hexadecimal representations. Exercise 2 distinguishes between big-endian and little-endian ordering of bytes in multi-byte values. Exercise 3 provides tasks using the dd tool to copy portions of files and compute hash values.
Master of Computer Science Harald Baier, Frank Breitinger and Björn Roos
Computer Forensics, Exercise 1
Exercise 1 (Foundations)
For i ∈ N0 let Bi denote the i-th byte in a byte string. You must not use technical support in this exercise, i.e. you are expected to find the answers using paper and pencil. However, you may use an ASCII table.
(a) You copy the bytes B100 B101 · · · B1000 . How many bytes do you process? What is the answer in the general case Bn Bn+1 · · · Bm with n, m ∈ N0 , n ≤ m? (b) Let B0 = 11010011 be an unsigned integer. What is its decimal value? Write B0 in hexade- cimal, too. (c) Write the decimal number 2011 in binary and hexadecimal. (d) What is the binary representation of 0xAB12D? (e) What is the hexadecimal encoding of the word Forensics, if ASCII is used?
Exercise 2 (Big-endian vs. little-endian)
In computer science you are often confronted with a different organisation of multi-byte values. Two common ways to order the bytes are big-endian (e.g. SUN Sparc, Motorola PowerPC) and little-endian (e.g. Intel x86 systems).
(a) Give a definition of both types of endianness.
(b) An unsigned integer of length 4 bytes (e.g. the address of the first sector of a partition) is stored within the bytes B2 B3 B4 B5 (remark: the first byte is B0 ) of the following byte sequence:
01A3 B267 287C E632
What is the decimal value of the unsigned integer in big-endian and little-endian, respectively?
Exercise 3 (Usage of dd and hash values)
The tool dd is commonly used in forensics to get a 1-to-1 copy of a data structure (e.g. an HDD, a USB stick, an SD card, a partition). Go through the manual of dd and find the correct dd-syntax to solve the following tasks:
(a) Copy the first partition of the device /dev/sda to the file image-sda1.dd in the current directory.
(b) Copy the first 1000 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file
lecture-start.dd. Use a hex dump viewer to show the correctness of your command. Additionally, compute the SHA-256 value of lecture-start.dd. (c) Copy the final 1024 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file lecture-end.dd. Use a hex dump viewer to show the correctness of your command. Additionally, compute the SHA-256 value of lecture-end.dd. (d) You have an image of a small partition denoted by image.dd. Its size is 100 MiB. You want to hide the file picture.jpg in the image, starting at offset 1 MiB of the image. The rest of the partition image must remain unmodified. (e) Please enumerate conversion flags of dd, which are reasonable to be used within the securing phase of a forensic investigation. (f) An alternative to dd is the tool ddrescue. Which advantage of ddrescue compared to dd do you see? Please give the syntax of the ddresue command for part (a).
