Interpreting Binary Data


Computer Crime: Interpreting Binary Data

Interpreting Binary Data: The Easy Stuff First; The ‘Feel’ of the Data; Data Profiles; File Signatures.

The Easy Stuff: Pattern Matching. Regardless of the meaning of the information sought, all digital information is simply a pattern of bits. By identifying the presence of the unique pattern of bits that corresponds to that decoded data, we can match the evidence drive with the illicit information.

The Easy Stuff: Simple Searches. Finding matches to a known pattern, whether it forms the first portion of a child pornography specimen (a picture previously known to law enforcement) or the name and social security number of an identity theft victim.

The Easy Stuff: The user has to interpret the binary data too. It is unlikely that the user will obscure the format in more than the most minimal way. File extensions usually indicate the contents of the file. If they do not, there are other methods to determine a file type (discussed later). The surrounding files or directory structure may give a clue as to the file’s contents.

The Easy Stuff: What is USSCole?

The ‘Feel’ of the Data: There is almost always a text editor handy. Some details may be available by simply looking at the file with a text editor. If the file contains text, it will be readily apparent. Even executable files (program files) often contain text to issue errors or prompts to the user. If nothing else, learn how to use ‘vi,’ a UNIX text editor.

The ‘Feel’ of the Data: What is USSCole.txt?

The ‘Feel’ of the Data: Even without any text, certain consistent patterns in the file header may be recognizable. In this case, “ÿØÿà JFIF” identifies this file as a JPEG.

The ‘Feel’ of the Data: [Illustration]

Data Profiles: Using a commonly available tool called a hex editor, it is possible to examine the byte structure of a file. This technique can be especially useful when only fragments of a file can be recovered (e.g. from slack space). WinHex is a full-featured hex editor with a graphing feature that allows the user to generate a histogram of the frequency of byte patterns found in a file.

Data Profiles: There are 256 possible byte patterns: 1 byte = 8 bits, and 2^8 = 256. The histogram contains 256 lines (if each byte value is present). The line on the far right represents a null byte (00xh), blank, or white in an RGB encoded graphic. The line on the far left represents a full byte (ffxh), the “ÿ” character, or black in an RGB encoded graphic.

Data Profiles: [Example histogram; labels: 00xh, FFxh, Most Common Byte (2.82%)]

Data Profiles: [Illustration] The original file is a true color bitmap image. It is 235 KB. It is 320 x 238 pixels.

Data Profiles: [Example histogram; labels: 00xh, FFxh]

Data Profiles: [Illustration] The original file is a true color bitmap image. It is 80 KB. It is 321 x 249 pixels. Notice the color blocking as fewer colors are available for transitions.

Data Profiles: [Example histogram; labels: 00xh, FFxh] Compressed data distributes relatively evenly across all byte values.

Data Profiles: The original file is a “zipped” (compressed) file. Compression works by calculating new coding for frequently occurring patterns. The better the compression, the more homogeneous the file. Compression also obscures bit patterns (possibly confusing simple searches). Most forensic packages can deal with compressed files. The file is called “sniffer.zip”. The file is 2,108 KB.

Data Profiles: [Example histogram; labels: 00xh, FFxh]

Data Profiles: The original file is an executable file (a program). There are no zero-occurrence bytes. The profile is unevenly distributed, but the spikes will be different for different executables. This file is part of the contents of the zipped file examined earlier. The original file is called Analyzer.exe. The original file is 1,304 KB.

Data Profiles: JPG is a compressed format. Byte patterns are widespread and have a cyclic pattern. [Example histogram; label: 00xh]

Data Profiles: [Illustration]

Data Profiles: JPEG images are compressed and show a wide distribution of byte values. The abundance of null values and large spikes (relative to non-image compression formats) mark JPEG and related image formats. [Example histogram]

Data Profiles: The original file is a JPEG. It is 14,369 KB. This satellite photo of the WTC site was released by the National Reconnaissance Office.

Data Profiles: [Example histogram]

Data Profiles: [Example histogram]

Data Profiles: The original files are MP3-encoded songs. (Each was legally obtained.) Like other compressed formats, the distribution is relatively even; however, single-byte “spikes” representing control elements of the MP3 can be seen. Distribution differs with the type of music encoded.

Data Profiles: Individual byte values in text files each represent a letter, number, or punctuation mark. The space character will typically be the most common. The lowercase “e” will also be common. [Example histogram]

Data Profiles: This is the same text file as the previous example. It is encoded in Unicode. English text does not use the expanded capacities of Unicode, so the most common byte value is the blank (unused) byte that follows each information byte. In this case, the blank byte accounts for 49.85% of the file. [Example histogram]

Data Profiles: [Example histogram; labels: Lowercase “a” “z”, Space, “e”, “t”, Uppercase “A” “Z”]

Data Profiles: The original file is a flat text file called Digital Crime, Digital Terrorism, encoded in the American National Standards Institute (ANSI) standard (an ASCII superset). It contains three chapters from my book.
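
As an added example (not part of the original slides), this Python sketch computes the kind of byte-frequency profile the slides read off a hex editor's histogram and applies it to constructed samples: 8-bit text, the same text in 16-bit Unicode, and a zlib-compressed copy. The function names, the entropy measure and the thresholds in guess_kind are assumptions made for illustration.

```python
import math
import random
import zlib
from collections import Counter

def byte_profile(data: bytes) -> dict:
    """Summarise the 256-bin byte histogram of a file or recovered fragment."""
    counts = Counter(data)
    total = len(data)
    top_byte, top_count = counts.most_common(1)[0]
    # Shannon entropy in bits per byte; 8.0 would be a perfectly flat histogram.
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return {
        "histogram": [counts.get(b, 0) for b in range(256)],
        "top_byte": top_byte,
        "top_share": top_count / total,
        "absent_values": 256 - len(counts),
        "entropy": entropy,
    }

def guess_kind(profile: dict) -> str:
    """Rough label from the profile. Thresholds are assumptions, not from the slides."""
    if profile["top_byte"] == 0x00 and 0.40 <= profile["top_share"] <= 0.60:
        return "16-bit Unicode text"      # a blank byte follows each character
    if profile["top_byte"] == 0x20 and profile["entropy"] < 5.0:
        return "8-bit text"               # the space character is the tallest line
    if profile["entropy"] > 7.5:
        return "compressed"               # near-even spread over all byte values
    return "unknown"

def constructed_samples() -> dict:
    """Constructed sample data: seeded pseudo-random English words."""
    words = ["file", "header", "byte", "pattern", "drive", "slack", "space",
             "histogram", "signature", "fragment", "search", "match", "data",
             "disk", "image", "text"]
    rng = random.Random(1)
    text = " ".join(rng.choice(words) for _ in range(4000))
    return {
        "ansi": text.encode("ascii"),
        "unicode": text.encode("utf-16-le"),
        "zip-like": zlib.compress(text.encode("ascii"), 9),
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        p = byte_profile(blob)
        print(f"{name:9} top=0x{p['top_byte']:02x} share={p['top_share']:.2%} "
              f"absent={p['absent_values']} entropy={p['entropy']:.2f} "
              f"-> {guess_kind(p)}")
```

The same profile can be computed on a slack-space fragment, since it needs no header or file-system metadata, only the bytes themselves.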

Data Profiles: [Example histogram]

Data Profiles: [Example histogram]