Computer Crime: Interpreting Binary Data

Outline
The Easy Stuff First
The 'Feel' of the Data
Data Profiles
File Signatures
The Easy Stuff: Pattern Matching
Regardless of the meaning of the information sought, all digital information is simply a pattern of bits. By identifying the presence of the unique pattern of bits that corresponds to that information, we can match the evidence drive to the illicit information.
The Easy Stuff: Simple Searches
A simple search finds matches to a known pattern, whether that pattern is the first portion of a child pornography specimen (a picture previously known to law enforcement) or the name and Social Security number of an identity-theft victim.
The Easy Stuff
The user has to interpret the binary data too, and it is unlikely that the user will obscure the format in more than the most minimal way. File extensions usually indicate the contents of the file. If they do not, there are other methods to determine a file type (discussed later). The surrounding files or directory structure may also give a clue to the file's contents.
The Easy Stuff
What is USSCole? (Illustration)
The 'Feel' of the Data
There is almost always a text editor handy. Some helpful details may be available simply by looking at the file with a text editor. If the file contains text, it will be readily apparent. Even executable files (program files) often contain text used to issue errors or prompts to the user. If nothing else, learn how to use 'vi', a UNIX text editor.
The 'Feel' of the Data
What is USSCole.txt? (Illustration)
The 'Feel' of the Data
Even without any text, certain consistent patterns in the file header may be recognizable. In this case, "ÿØÿà JFIF" (the bytes FF D8 FF E0 as a text editor displays them, followed by the string "JFIF") identifies this file as a JPEG.
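As an added example (not from the original presentation), a small Python routine that recognizes a file from its header bytes the way an examiner reads the "feel" of the data. The signature table holds the documented magic numbers for the formats this deck mentions (JPEG/JFIF, ZIP, Windows executables) plus PNG; the two sample buffers and the text heuristic are constructed for the example.

```python
# Added example, not from the original presentation: recognize a file from its
# leading bytes, as an examiner does from the "feel" of a header. The magic
# numbers are the documented ones for each format; the samples are constructed.

# (format name, offset, expected bytes). Order matters: more specific first.
SIGNATURES = [
    ("JPEG (JFIF)", 0, b"\xff\xd8\xff\xe0"),       # "ÿØÿà" in a text editor
    ("JPEG", 0, b"\xff\xd8\xff"),                   # any other JPEG marker
    ("PNG", 0, b"\x89PNG\r\n\x1a\n"),
    ("ZIP archive", 0, b"PK\x03\x04"),
    ("Windows executable (MZ header)", 0, b"MZ"),
]

def identify(data: bytes) -> str:
    """Return the first matching format name, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] != magic:
            continue
        # A JFIF file also carries the identifier "JFIF" at offset 6.
        if name == "JPEG (JFIF)" and data[6:10] != b"JFIF":
            continue
        return name
    return "unknown"

def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: nearly every byte is printable ASCII or ordinary whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold

# Constructed samples: the first 20 bytes of a JFIF file and an ASCII note.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00"
SAMPLE_TEXT = b"Sample note: read the header before trusting the file name.\n"

if __name__ == "__main__":
    for label, blob in (("image-sample", SAMPLE_JPEG), ("text-sample", SAMPLE_TEXT)):
        print(f"{label}: {identify(blob)}, text-like: {looks_like_text(blob)}")
```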
The 'Feel' of the Data (Illustration)
Data Profiles
Using a commonly available tool called a hex editor, it is possible to examine the byte structure of a file. This technique can be especially useful when only fragments of a file can be recovered (e.g. from slack space). WinHex is a full-featured hex editor with a graphing feature that allows the user to generate a histogram of the frequency of byte values found in a file.
Data Profiles: There are 256 possible byte patterns
1 byte = 8 bits, and 2^8 = 256. The histogram contains 256 lines (if every byte value is present). The line on the far right represents a null byte (0x00): a blank, or white in an RGB-encoded graphic. The line on the far left represents a full byte (0xFF): the "ÿ" character, or black in an RGB-encoded graphic.
Data Profiles: Example (histogram of the bitmap below, axis from 0x00 to 0xFF; the most common byte accounts for 2.82% of the file)
The original file is a true-color bitmap image. It is 235 KB and 320 x 238 pixels. (Illustration)
Data Profiles: Example (histogram of the bitmap below, axis from 0x00 to 0xFF)
The original file is a true-color bitmap image. It is 80 KB and 321 x 249 pixels. (Illustration) Notice the color blocking as fewer colors are available for transitions.
Data Profiles: Example (histogram of a compressed file, axis from 0x00 to 0xFF)
Compressed data is distributed relatively evenly across all byte values.
The original file is a "zipped" (compressed) file. Compression works by calculating a new coding for frequently occurring patterns. The better the compression, the more homogeneous the file. Compression also obscures bit patterns (possibly confusing simple searches). Most forensic packages can deal with compressed files. The file is called "sniffer.zip" and is 2,108 KB.
Data Profiles: Example (histogram of an executable, axis from 0x00 to 0xFF)
The original file is an executable file (a program). No byte value has zero occurrences. The profile is unevenly distributed, but the spikes will differ from one executable to another. This file is part of the contents of the zipped file examined earlier. The original file is called Analyzer.exe and is 1,304 KB.
Data Profiles: Example (histogram of a JPEG, axis from 0x00)
JPG is a compressed format. Byte values are widespread and show a cyclic pattern. (Illustration)
JPEG images are compressed and show a wide distribution of byte values. The abundance of null values and large spikes (relative to non-image compression formats) mark JPEG and related image formats.
Data Profiles
The original file is a JPEG. It is 14,369 KB. This satellite photo of the WTC site was released by the National Reconnaissance Office.
Data Profiles: Example histograms of two MP3 files (Illustration)
The original files are MP3-encoded songs. (Each was legally obtained.) Like other compressed formats, the distribution is relatively even; however, single-byte "spikes" representing control elements of the MP3 format can be seen. The distribution differs with the type of music encoded.
Data Profiles
Individual byte values in text files each represent a letter, number, or punctuation mark. The space character will typically be the most common. The lowercase "e" will also be common. (Illustration)
Data Profiles
This is the same text file as the previous example, encoded in Unicode. English text does not use the expanded capacity of Unicode, so the most common byte value is the blank (unused) byte that follows each information byte. In this case, the blank byte accounts for 49.85% of the file. (Illustration)
Data Profiles: Example (histogram of the text file, with the space, the lowercase "e" and "t", the lowercase "a" to "z" range and the uppercase "A" to "Z" range labelled)
Data Profiles
The original file is a flat text file called Digital Crime, Digital Terrorism, encoded in the American National Standards Institute (ANSI) standard (an ASCII superset). It contains three chapters from my book.
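As an added example (not the presenter's material), a Python routine that builds the same 256-value byte profile a hex editor's histogram displays, and applies it to the three cases the text-profile slides describe: constructed English text in a single-byte encoding, the same text in two-byte Unicode (UTF-16 LE, where a 0x00 byte follows each information byte), and pseudorandom bytes standing in for compressed data. The sample text, the seed and the 64,000-byte size are assumptions.

```python
# Added example, not from the original presentation: the byte-frequency profile
# a hex editor's histogram shows, applied to constructed ANSI/ASCII text, the
# same text in two-byte Unicode, and pseudorandom bytes (a stand-in for
# compressed data, which spreads evenly across byte values).
from collections import Counter
import random

def byte_profile(data: bytes) -> list[float]:
    """Fraction of the file taken by each of the 256 possible byte values."""
    counts = Counter(data)
    total = len(data) or 1
    return [counts.get(value, 0) / total for value in range(256)]

def most_common(data: bytes) -> tuple[int, float]:
    """(byte value, share) of the single most frequent byte, like WinHex's label."""
    profile = byte_profile(data)
    value = max(range(256), key=profile.__getitem__)
    return value, profile[value]

def distinct_values(data: bytes) -> int:
    """How many byte values occur at least once (the lines the histogram draws)."""
    return sum(1 for share in byte_profile(data) if share > 0)

# Constructed English text, repeated so the letter frequencies settle.
ANSI_TEXT = (b"The quick brown fox jumps over the lazy dog. "
             b"Every digital file is just a pattern of bits, "
             b"and the examiner has to interpret it.\n") * 40
# Two-byte Unicode: every ASCII character is followed by an unused 0x00 byte.
UNICODE_TEXT = ANSI_TEXT.decode("ascii").encode("utf-16-le")
# Seeded pseudorandom bytes, assumed here to model a well-compressed file.
PSEUDORANDOM = random.Random(7).randbytes(64_000)

if __name__ == "__main__":
    samples = (("ANSI text", ANSI_TEXT), ("Unicode text", UNICODE_TEXT),
               ("pseudorandom", PSEUDORANDOM))
    for name, blob in samples:
        value, share = most_common(blob)
        print(f"{name:13s} distinct values={distinct_values(blob):3d} "
              f"most common=0x{value:02x} ({share:.2%})")
```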
Data Profiles: further example histograms (Illustration)