Bits, Bytes and Binary Representation

Questions and Answers

Which numbering system is classified as base 2?

• Binary (correct)
• Decimal
• Hexadecimal
• Octal

In the ASCII character set, 01000001 represents a lowercase 'a'.

False (B)

What base is the hexadecimal numbering system?

16

The process of examining data at the 'bit' and 'byte' level to extract and interpret evidence is called ______.

file carving

Which of the following is the most reliable to identify file type?

File Signature (C)

Changing a file extension guarantees the concealment of the original data within the file.

False (B)

What term is used to describe the headers that forensic tools use to identify files?

file signatures

Data is generally created in three ways: electromagnetism, microscopic electrical transistors (flash), and ______.

reflecting light

Which data storage method is typically used for temporary data that the computer is actively using?

RAM (B)

Data in RAM persists even after power is removed from the computer.

False (B)

What type of memory is used for long-term data storage, even when the computer is powered off?

non-volatile

Traditional forensics primarily focuses on ______ memory because data persists even after the power is off.

non-volatile

Which type of computer environment is described as being NOT connected to another computer, making it easier to investigate but increasingly rare?

Stand-alone computer (B)

In cloud computing, the location of data is always known and remains within the same jurisdiction.

False (B)

In cloud computing, what term describes the situation where data can be located in different states or countries, making legal processes complex?

jurisdictional nightmare

Everyday files that are visible in a file browser are known as ______ data.

active

What type of data is no longer available by the operating system and requires forensic analysis to recover?

Latent data (B)

Archival data can always be easily accessed, regardless of the hardware or software used to create the backup.

False (B)

What is the name of the file system responsible for tracking a drive's free space and the location of each file?

file system

The file system used in Microsoft XP and later that automatically recovers some disk errors and supports larger hard drives is ______.

NTFS

Which part of the FAT file system contains information the system uses to access the volume?

Boot Record (A)

The FAT file system tracks only allocated clusters on the disk.

False (B)

What is the term for a corrupted part of memory or storage disk within the FAT file system?

bad sector

In hard drives, the file system categorizes space as either allocated or ______.

unallocated

What is the difference called between the space that is assigned to a file and the amount of space that file actually uses?

slack space (D)

Flashcards

What is Binary?

A base 2 numbering system utilized by computers, consisting of 1s and 0s.

What is Decimal?

A base 10 numeral system, the common numbering system used in everyday life.

What is a Byte?

A collection of 8 bits, used to represent letters and numbers.

What is ASCII?

A standard for representing characters using bytes, where each character (letter, number, symbol) is assigned a unique numerical value.

What is Hexadecimal?

A base-16 numbering system used to represent binary data in a more human-readable format.

What is File Carving?

The process of extracting data from a larger file or storage medium, even if the file system metadata is damaged or missing.

What are File Extensions?

Suffixes added to the end of a computer file name, indicating its format. Can be unreliable for file identification.

What are File Signatures?

Headers within a file that identify the file type, used by forensic tools for file identification.

What is Extension Spoofing?

The process of changing a file extension to conceal data.

What is Volatile Memory?

Data storage dependent on electric power; data is lost when power is removed (e.g., RAM).

What is Non-Volatile Memory?

Data storage that persists even when power is removed (e.g., hard drives, flash drives).

What is a Stand-alone Computer?

Computer not connected to any network. Becoming rare.

What are Networked Computers?

Environment where computers are connected to one or more other computers, increasing complexity in investigations.

What are Mainframe Computers?

Systems that centralize computing power in one location, typically customized for specific functions in large organizations.

What is Cloud Computing?

Delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet

What is IaaS?

Organizations outsource their hardware needs to a service provider, obtaining servers and storage as needed.

What is PaaS?

Allows customers to rent virtualized servers and associated services used to run existing applications, or to design, develop, test, deploy, and host applications.

What is SaaS?

Applications provided on demand to customers over the Internet and maintained by the service provider.

What is Active Data?

Files used daily on computers and are plainly visible.

What is Latent Data?

Data that has been deleted or partially overwritten.

What is Archival Data?

Backup/archives of active data. Hard to access.

What is a File System?

Responsible for tracking a drive and the location of the data.

What is FAT?

An older file system found in flash media.

What is NTFS?

The file system used in windows xp or later editions.

What is HFS+?

File system used in Apple products. Used in macs.

Study Notes

Bits, Bytes, and Numbering Schemes

• To computers, communication happens with 1s and 0s
• Binary is a base 2 numbering system unlike decimal which is base 10
• Computers operate with collections of bits called Bytes

Representing data using bytes

• Letters and numbers are represented using bytes based on the ASCII standards
• For example, 01000001 represents an uppercase "A", and 01100001 is a lowercase "a"

Experiment: Examining text in binary format

• Open a text document.
• Input "Khalifa University of Science and Technology".
• Count the letters and spaces.
• Save the file
• Measure the file size.
• Represent the text in binary: 01001011 01101000 01100001 01101100 01101001 01100110 01100001 00100000 01010101 01101110 01101001 01110110 01100101 01110010 01110011 01101001 01110100 01111001 00100000 01101111 01100110 00100000 01010011 01100011 01101001 01100101 01101110 01100011 01100101 00100000 01100001 01101110 01100100 00100000 01010100 01100101 01100011 01101000 01101110 01101111 01101100 01101111 01100111 01111001

Hexadecimal representation

• Hexadecimal is base 16 and provides a shorter representation than binary.

Using a hex editor

• A hex editor can be used to view computer files, enabling direct examination of binary data.

Significance for digital forensics

• Examiners must look at the data at the "bit" and "byte” level to find, extract, and interpret the evidence in many instances
• This is evident in file carving
• Hex knowledge makes binary and hex interpretation possible, which is useful for fragmented file recovery.

File Extensions and File Signatures

• Files are strings or sequences of bits and bytes
• Files types are usually identified using the file extension
• File extension isn't the most reliable way to identify file type
• It's sometimes changed to conceal data

Forensic identification using file signatures

• Forensic tools identify files by their headers also known as file signatures
• Experiment with changing a file extension and checking the hex value

Storage and Memory

• Data storage happens in three ways: electromagnetism, flash transistors, and reflecting light
• Some storage are used only to temporarily hold data the computer relies on during run time (short term), where as other forms of storage like hardrives are designed for long term use

Magnetic Disks and Flash Memory

• Data is stored on magnetic disks and flash memory

Optical Storage

• Optical disks are made of a polycarbonate base, which are covered by a thin layer of aluminum
• For protective purposes, another layer of clear acrylic material is added
• The surface is embossed with small bumps along a single spiral track.
• A focused beam of light reads the bumps and lands as binary
• CDs, Laser Discs, DVDs, HD-DVD, and Blu-ray, are examples of optical storage media

Volatile and Non-volatile Memory

• Memory is used to describe any location where data is kept short-term, while storage is more permanent.
• Volatile memory like RAM, is lost when power is removed
• Non-volatile memory is permanent, like files stored in the hardrive
• Traditional forensics focuses on non-volatile memory, but some communication apps can be also stored on a hardrive
• Cryptographic can be also stored only in the RAM

Experiment

• The extension of the volatile memory file can be extracted from he Task Manager

Computing Environments

• There are several different types of computer environments, and each brings with different challenges for digital forensics
• The categories are: stand-alone, networked, mainframe, and the cloud

Types of Computing Environments

• Stand-alone computers are not connected to other computers, are the easiest to investigate, but are becoming rare
• Networked computers can be difficult due to files and artifacts are spread across machines
• Mainframe systems centralize computing power, are only found in large organizations, and are customized

Cloud Computing

• Cloud computing involves software, infrastructure, and platforms on a subscription basis
• IaaS outsources hardware needs to a service provider.
• PaaS provides virtualized servers and resources for app development.
• SaaS delivers on-demand software applications; with hosting and maintenance managed by the service provider

Forensic Challenges in the Cloud

• The cloud presents technical challenges due to virtualization and routine forensic procedures
• The cloud presents a legal challenge because data is not limited by jurisdiction

Data Types

• Data is lumped into 3 categories: active, latent, and archival.
• Looking at data this way, clarifies location, file system accounting, and user access.
• It also can narrow down the cost and effort required to recover the data in question.

Types of data by recoverability and visibility

• Active Data: Everyday, accessible files
• Latent Data: Deleted or partially overwritten data that requires forensic analysis for recovery
• Archival Data: Backups which may be more difficult to access

File Systems

• The file system tracks drive space and location of each file
• The free space may be empty or contain previously deleted file content

Common File Systems

• File Allocation Table (FAT) is an Older file system found in flash media including FAT12, FAT16, FAT32, and FATX
• New Technology File System (NTFS) is used in Microsoft XP and later
• It can recover disk errors and supports larger drives
• Hierarchical File System (HFS+) is used in Apple products with cross-platform compatibility
• Linux uses ext3 and ext4 as journaling file systems

File Systems - FAT

• A hard Disk is divided into two areas: System Area and Data Areas
• System Area contains:
• Boot Record (Contains information the file system uses to access the volume)
• FATS (Tracking of the status of clusters on the disk): Allocated or unallocated, and the end of files, including bad sectors
• Root Directory is the file name, starting cluster number, and file size
• User Data contains:
• User data

Comparing FAT32 and NTFS File Systems

• FAT32 is older but NTFS is used today because it has:
• A larger maximum partition size
• A larger file size
• Supports encryption
• Has auto Repair
• Has local and network security protection

Allocated and Unallocated Space

• File systems categorize all hard drive space as either allocated or unallocated.
• Unallocated space is "free space" that the OS can write to.
• Slack Space is the difference between assigned and used space.

Understanding Slack Space

• File1.doc is stored at a Cluster and is deleted, and the data area gets unallocated
• File2.doc is saved over File1.doc, and the system zeros out reminder of sector
• The remaining Slack Space is remaining parts from File1.doc

Extracting an Image

• JPEG files start with header FFD8FFEO, and end with trailer FFD9
• Tools for this include FTK Imager and HxD - Hexediter