
Hochschule Darmstadt Department of Computer Science Master of Computer Science Harald Baier and Christian Maaser

WS 2010/2011 2010-10-18

Computer Forensics, Exercise 1


Exercise 1 (Foundations)

For $i \in \mathbb{N}_0$ let $b_i$ denote the $i$-th byte in a byte string. You must not use technical support in this exercise, i.e. you are expected to find the answers using paper and pencil.

(a) You copy the bytes $b_{100} b_{101} \ldots b_{1000}$. How many bytes do you process? What is the answer in the general case $b_n b_{n+1} \ldots b_m$ with $n, m \in \mathbb{N}_0$, $n \le m$?
(b) Let $b_0 = 11010011$ be an unsigned integer. What is its decimal value? Write $b_0$ in hexadecimal, too.
(c) Write the decimal number 2010 in binary and hexadecimal.
(d) What is the binary and decimal value of 0xAB12D, respectively?
(e) What is the hexadecimal encoding of the word "Forensics", if ASCII is used?

Exercise 2 (Big-endian vs. little-endian)

In computer science you are often confronted with a different organisation of multi-byte values. Two common ways to order the bytes are big-endian (e.g. SUN Sparc, Apple) and little-endian (e.g. x86 systems).

(a) Give a definition of both types of endianness.
(b) An unsigned integer of length 4 bytes (e.g. the address of the first sector of a partition) is stored within the bytes $b_2 b_3 b_4 b_5$ (remark: the first byte is $b_0$) of the following byte sequence:

    01A3 B267 287C E632

    What is the decimal value of the unsigned integer in big-endian and little-endian, respectively?

Exercise 3 (Usage of dd)

The tool dd is commonly used in forensics to get a 1-to-1 copy of a data structure (e.g. a whole HDD, a partition). Go through the manual of dd and find the correct dd-syntax to solve the following tasks:

(a) Copy the first partition of a SCSI-device to the file image-sda1.dd in the current directory.
(b) Copy the first 1000 bytes of vorlesung_forensik_ws10-11_kap01_einfuehrung.pdf to the file lecture-start.dd. Use a hex dump viewer to show the correctness of your command.
(c) Copy the final 1024 bytes of vorlesung_forensik_ws10-11_kap01_einfuehrung.pdf to the file lecture-end.dd. Use a hex dump viewer to show the correctness of your command.
(d) You have an image of a small partition denoted by image.dd. Its size is 100 MByte. You want to hide the file picture.jpg in the image, starting at offset 1 MByte of the image. The rest of the image remains unmodified.
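
The offset arithmetic behind Exercise 3, as an added example that is not part of the original exercise sheet: it runs dd's count=, skip=, seek= and conv=notrunc on small constructed files and checks each result, including that bytes outside the written range stay untouched. All file names, sizes and function names are hypothetical, with a 64 KiB file standing in for the image.

```sh
#!/bin/sh
# Added example on constructed data; file names and sizes are hypothetical.

# Copy the first N bytes of SRC to DST (bs=1 turns count into a byte count).
first_bytes() { dd if="$1" of="$2" bs=1 count="$3" 2>/dev/null; }

# Copy the final N bytes of SRC to DST by skipping the first size-N bytes.
last_bytes() {
    size=$(( $(wc -c < "$1") ))
    dd if="$1" of="$2" bs=1 skip=$((size - $3)) 2>/dev/null
}

# Write PAYLOAD into IMAGE from byte OFFSET on. seek= positions the output;
# conv=notrunc keeps everything in IMAGE that lies behind the payload.
embed_at() { dd if="$1" of="$2" bs=1 seek="$3" conv=notrunc 2>/dev/null; }

# Same write without conv=notrunc, kept to show the failure mode: dd cuts
# IMAGE off right after the payload.
embed_truncating() { dd if="$1" of="$2" bs=1 seek="$3" 2>/dev/null; }

# Succeed only if IMAGE equals ORIG everywhere except PAYLOAD at OFFSET.
only_payload_changed() {   # args: ORIG IMAGE PAYLOAD OFFSET
    len=$(( $(wc -c < "$3") )); total=$(( $(wc -c < "$1") ))
    rest=$((total - $4 - len))
    [ "$(( $(wc -c < "$2") ))" -eq "$total" ] || return 1
    [ "$(head -c "$4" "$1" | cksum)" = "$(head -c "$4" "$2" | cksum)" ] || return 1
    [ "$(tail -c "$rest" "$1" | cksum)" = "$(tail -c "$rest" "$2" | cksum)" ] || return 1
    dd if="$2" bs=1 skip="$4" count="$len" 2>/dev/null | cmp -s - "$3"
}

# Build constructed inputs, run all three operations and verify each result.
demo() {
    d=$(mktemp -d) || return 1
    seq 1 2000 > "$d/sample.txt"                  # constructed source file
    head -c 65536 /dev/urandom > "$d/image.dd"    # constructed 64 KiB "image"
    printf 'CONSTRUCTED-PAYLOAD' > "$d/payload.bin"
    cp "$d/image.dd" "$d/orig.dd"
    first_bytes "$d/sample.txt" "$d/start.dd" 1000 &&
    last_bytes "$d/sample.txt" "$d/end.dd" 1024 &&
    embed_at "$d/payload.bin" "$d/image.dd" 4096 &&
    head -c 1000 "$d/sample.txt" | cmp -s - "$d/start.dd" &&
    tail -c 1024 "$d/sample.txt" | cmp -s - "$d/end.dd" &&
    only_payload_changed "$d/orig.dd" "$d/image.dd" "$d/payload.bin" 4096
    rc=$?; rm -rf "$d"; return $rc
}

demo && echo "all checks passed"
```

bs=1 keeps all offsets in bytes but is slow on large inputs; a larger bs with skip, seek and count expressed in blocks does the same job.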
