Computer Forensics BACS 371

Computer System Basics 1 Number Systems & Text Representation Computer Forensics BACS 371

Upload: mikko

Post on 07-Feb-2016


Page 1: Computer Forensics BACS 371

Computer System Basics 1
Number Systems & Text Representation

Computer Forensics
BACS 371

Page 2: Computer Forensics BACS 371

Computer System Basics
  Number Systems
    Decimal (base 10)
    Binary (base 2)
    Octal (base 8)
    Hexadecimal (base 16)
    Conversions
    Little Endian vs. Big Endian
  Text Representation
    ASCII
    EBCDIC
    Unicode

Page 3: Computer Forensics BACS 371

Number Systems
  Decimal – base 10
  Binary – base 2
  Octal – base 8
  Hexadecimal – base 16

Page 4: Computer Forensics BACS 371

Decimal Number System
  Base 10
  Uses digits 0~9
  Based on powers of 10

  Power:   10^5     10^4    10^3   10^2  10^1  10^0
  Value:   100,000  10,000  1000   100   10    1
  Digit:   3        2       7      1     9     4

  3 * 10^5 = 300,000
  2 * 10^4 =  20,000
  7 * 10^3 =   7,000
  1 * 10^2 =     100
  9 * 10^1 =      90
  4 * 10^0 =       4
  -------------------------------
  TOTAL    = 327,194

Page 5: Computer Forensics BACS 371

Binary Number System
  Base 2
  Uses digits 0~1
  Based on powers of 2

  Power:   2^5  2^4  2^3  2^2  2^1  2^0
  Value:   32   16   8    4    2    1
  Digit:   1    1    0    1    0    1

  1 * 2^5 = 32
  1 * 2^4 = 16
  0 * 2^3 =  0
  1 * 2^2 =  4
  0 * 2^1 =  0
  1 * 2^0 =  1
  -------------------------------
  110101_2 = 53_10

  Base 10  Base 2
  0        0
  1        1
  2        10
  3        11
  4        100
  5        101
  6        110
  7        111
  8        1000
  9        1001
  10       1010
  11       1011
  12       1100
  13       1101
  14       1110
  15       1111

Page 6: Computer Forensics BACS 371

Octal Number System
  Base 8
  Uses digits 0~7
  Based on powers of 8

  Power:   8^4   8^3  8^2  8^1  8^0
  Value:   4096  512  64   8    1
  Digit:   7     0    2    6    5

  7 * 8^4 = 28,672
  0 * 8^3 =      0
  2 * 8^2 =    128
  6 * 8^1 =     48
  5 * 8^0 =      5
  -------------------------------
  70265_8 = 28,853_10

  Base 10  Base 8
  0        0
  1        1
  2        2
  3        3
  4        4
  5        5
  6        6
  7        7
  8        10
  9        11
  10       12
  11       13
  12       14
  13       15
  14       16
  15       17

Page 7: Computer Forensics BACS 371

Hexadecimal Number System
  Base 16
  Uses digits 0~9 and A, B, C, D, E, F
  Based on powers of 16

  Power:   16^5       16^4    16^3  16^2  16^1  16^0
  Value:   1,048,576  65,536  4096  256   16    1
  Digit:   3          F       7     A     0     E

  3 * 16^5 = 3,145,728
  F * 16^4 =   983,040
  7 * 16^3 =    28,672
  A * 16^2 =      2560
  0 * 16^1 =         0
  E * 16^0 =        14
  -------------------------------
  3F7A0E_16 = 10,451,470_10

  Base 10  Base 16
  0        0
  1        1
  2        2
  3        3
  4        4
  5        5
  6        6
  7        7
  8        8
  9        9
  10       A
  11       B
  12       C
  13       D
  14       E
  15       F

Page 8: Computer Forensics BACS 371

Number System Comparison

  Decimal  Binary  Octal  Hexadecimal
  0        0       0      0
  1        1       1      1
  2        10      2      2
  3        11      3      3
  4        100     4      4
  5        101     5      5
  6        110     6      6
  7        111     7      7
  8        1000    10     8
  9        1001    11     9
  10       1010    12     A
  11       1011    13     B
  12       1100    14     C
  13       1101    15     D
  14       1110    16     E
  15       1111    17     F

Page 9: Computer Forensics BACS 371

Number System Representations
  Binary
    01001101b
    01001101_2
  Octal
    115o – note: trailing character is a lowercase ‘oh’
    115_8
  Hexadecimal
    0x4D – note: leading character is a zero
    4Dh
    4D_16
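The positional expansion used on the decimal, binary and octal slides, the reverse conversion by repeated division, and a decoder for the notations listed above, as an added example (not part of the original slides). The function names are chosen for this illustration.

```python
DIGITS = "0123456789ABCDEF"


def expand(digits, base):
    """Return (digit, place value, contribution) per position, leftmost first."""
    digits = digits.upper()
    if not digits:
        raise ValueError("empty digit string")
    terms = []
    for position, ch in enumerate(digits):
        value = DIGITS.find(ch)
        if value < 0 or value >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        weight = base ** (len(digits) - 1 - position)
        terms.append((ch, weight, value * weight))
    return terms


def to_decimal(digits, base):
    """Sum the per-digit contributions, as in the slides' worked totals."""
    return sum(contribution for _, _, contribution in expand(digits, base))


def from_decimal(number, base, width=0):
    """Repeated division by the base; remainders are the digits, low end first."""
    if number < 0:
        raise ValueError("only non-negative values are handled")
    out = ""
    while True:
        number, remainder = divmod(number, base)
        out = DIGITS[remainder] + out
        if number == 0:
            return out.rjust(width, "0")


def parse_notation(text):
    """Decode 01001101b, 115o, 0x4D or 4Dh into an integer."""
    text = text.strip()
    if text.lower().startswith("0x"):
        return to_decimal(text[2:], 16)
    base = {"b": 2, "o": 8, "h": 16}.get(text[-1:].lower())
    if base is None:
        raise ValueError(f"no base marker on {text!r}")
    return to_decimal(text[:-1], base)


if __name__ == "__main__":
    for digits, base in (("327194", 10), ("110101", 2), ("70265", 8)):
        for ch, weight, contribution in expand(digits, base):
            print(f"{ch} * {weight:>7,} = {contribution:>7,}")
        print(f"{digits} (base {base}) = {to_decimal(digits, base):,}\n")
    print([parse_notation(s) for s in ("01001101b", "115o", "0x4D", "4Dh")])
```

A digit that is not legal in the stated base (for example 8 in an octal string) raises ValueError instead of being silently converted.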

Page 10: Computer Forensics BACS 371

Little Endian vs. Big Endian
  http://www.noveltheory.com/TechPapers/endian.asp
  Please read this.

  Deals with the order that bytes are stored in Intel-based versus non Intel-based computers.
  Intel-based are normally PC-type computers
  Non Intel-based are normally mainframe computers
  Little Endian – stored left-to-right (Intel-based)
  Big Endian – stored right-to-left (mainframe)
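What byte order means when reading a field out of a hex dump, as an added example (not part of the original slides): little-endian puts the least significant byte at the lowest address, big-endian puts the most significant byte there. The record bytes, field offsets and function names are constructed for this illustration.

```python
from datetime import datetime, timezone


def layout(value, byteorder, size=4):
    """Bytes of an unsigned integer in increasing address order, as hex."""
    return value.to_bytes(size, byteorder).hex(" ").upper()


def read_uint(buf, offset, size, byteorder):
    """Read an unsigned integer field, refusing to run past the buffer."""
    field = buf[offset:offset + size]
    if offset < 0 or len(field) != size:
        raise ValueError("field lies outside the buffer")
    return int.from_bytes(field, byteorder)


def read_unix_time(buf, offset, byteorder):
    """Interpret a 32-bit field as seconds since 1970-01-01 UTC."""
    seconds = read_uint(buf, offset, 4, byteorder)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


# Constructed record: the 32-bit value 0x4D followed by a 32-bit Unix time,
# both written little-endian, as an Intel-based machine would store them.
RECORD = bytes.fromhex("4D000000 0089B656")

if __name__ == "__main__":
    print("0x4D little-endian:", layout(0x4D, "little"))
    print("0x4D big-endian:   ", layout(0x4D, "big"))
    for order in ("little", "big"):
        print(order, read_uint(RECORD, 0, 4, order),
              read_unix_time(RECORD, 4, order).isoformat())
```

Reading the same eight bytes with the wrong byte order still produces a number and a date, just not the ones that were stored, so the byte order of the source system has to be established before a field is interpreted.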

Page 11: Computer Forensics BACS 371

Text Representations
  Text values stored in a computer can be in several formats
    ASCII
    EBCDIC
    Unicode (various types)
  By far, the most common is ASCII

Page 12: Computer Forensics BACS 371

ASCII
  ASCII, pronounced "ask-key", is the common code for microcomputer equipment
  American Standard Code for Information Interchange
  Proposed by ANSI in 1963, and finalized in 1968
  The standard ASCII character set consists of 128 decimal numbers ranging from zero through 127 assigned to letters, numbers, punctuation marks, and the most common special characters
  The first 32 codes are reserved for “non-printing” or “control” characters – supported original teletype systems
  The Extended ASCII Character Set also consists of 128 decimal numbers and ranges from 128 through 255 representing additional special, mathematical, graphic, and foreign characters

Page 13: Computer Forensics BACS 371

ASCII Table

Page 14: Computer Forensics BACS 371

Extended ASCII Table

Page 15: Computer Forensics BACS 371

Text <-> Binary Converters
  http://students.washington.edu/cwei/tools/binary.shtml
  http://www.sitinthecorner.com/binary/binary.php

  TEXT:   Hello World
  BINARY: 01001000 01100101 01101100 01101100 01101111 00100000 01010111 01101111 01110010 01101100 01100100
  HEX:    48 65 6C 6C 6F 20 57 6F 72 6C 64

  Text     Binary    Octal  Hex
  H        01001000  110    48
  e        01100101  145    65
  l        01101100  154    6C
  l        01101100  154    6C
  o        01101111  157    6F
  (space)  00100000  040    20

Page 16: Computer Forensics BACS 371

WinHex View

Page 17: Computer Forensics BACS 371

EBCDIC
  Extended Binary Coded Decimal Interchange Code
  Originally used by IBM-based mainframes
  Totally different encoding scheme from ASCII and Unicode
  Still used, but not as prevalent as in the past

Page 18: Computer Forensics BACS 371

Unicode
  Character coding standard used in NTFS
  “Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language.” http://www.unicode.org
  Three varieties of Unicode Transformation Format
    UTF-8 – identical to ASCII for western languages
    UTF-16 – 16-bits per character
    UTF-32 – 32-bits per character

Page 19: Computer Forensics BACS 371
Page 20: Computer Forensics BACS 371

Why do we care?
  As a forensic analyst, you will be working with different number systems and encoding schemes.
  You need to understand the conversion process between the different number systems and, if necessary, perform them by hand.
  You also need to understand hexadecimal and ASCII well enough to be able to interpret “hex dumps.”
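A small hex-dump formatter run over the slides' "Hello World" sample stored as ASCII, UTF-16 and EBCDIC, as an added example (not part of the original slides). The dump layout and function names are chosen for this illustration, and Python's cp037 codec is used as one EBCDIC code page.

```python
def hexdump(data, width=16):
    """Return dump lines: offset, hex bytes, then a printable-ASCII column."""
    pad = width * 3 - 1
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        # Only 0x20..0x7E are printable ASCII; every other byte shows as '.'
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{offset:08X}  {hex_part:<{pad}}  {text}")
    return lines


def try_decodings(data, codecs=("ascii", "utf-16-le", "cp037")):
    """Decode the same bytes under each codec; None where the bytes are invalid."""
    results = {}
    for codec in codecs:
        try:
            results[codec] = data.decode(codec)
        except UnicodeDecodeError:
            results[codec] = None
    return results


MESSAGE = "Hello World"  # the sample text from the converter slide
ENCODED = {c: MESSAGE.encode(c) for c in ("ascii", "utf-16-le", "cp037")}

if __name__ == "__main__":
    for codec, raw in ENCODED.items():
        print(f"--- {codec} ({len(raw)} bytes)")
        print("\n".join(hexdump(raw)))
    print(try_decodings(ENCODED["cp037"]))
```

In the ASCII column the UTF-16 copy shows as `H.e.l.l.o. .W.o.` and the EBCDIC copy as dots around a single `@`, which is why a plain ASCII string search over evidence can miss text stored in either encoding.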

Page 21: Computer Forensics BACS 371

But wait…. There’s more!
  All the encoding schemes covered only apply to “text” data.
  There are different encoding methods for other types of digital evidence (e.g., numbers, dates, times, executable programs, …).
  The computer stores everything as 1’s and 0’s and the way you (and the computer) interpret groups of bits depends upon the context.