
Hochschule Darmstadt WS 2011/2012

Department of Computer Science 2011-10-12


Master of Computer Science
Harald Baier, Frank Breitinger and Björn Roos

Computer Forensics, Exercise 1

Exercise 1 (Foundations)

For i ∈ N0 let Bi denote the i-th byte in a byte string. You must not use technical support in this
exercise, i.e. you are expected to find the answers using paper and pencil. However, you may use
an ASCII table.

(a) You copy the bytes B100 B101 · · · B1000. How many bytes do you process? What is the answer
in the general case Bn Bn+1 · · · Bm with n, m ∈ N0, n ≤ m?
(b) Let B0 = 11010011 be an unsigned integer. What is its decimal value? Write B0 in
hexadecimal, too.
(c) Write the decimal number 2011 in binary and hexadecimal.
(d) What is the binary representation of 0xAB12D?
(e) What is the hexadecimal encoding of the word Forensics, if ASCII is used?

Exercise 2 (Big-endian vs. little-endian)

In computer science you are often confronted with a different organisation of multi-byte values.
Two common ways to order the bytes are big-endian (e.g. SUN Sparc, Motorola PowerPC) and
little-endian (e.g. Intel x86 systems).

(a) Give a definition of both types of endianness.


(b) An unsigned integer of length 4 bytes (e.g. the address of the first sector of a partition) is
stored within the bytes B2 B3 B4 B5 (remark: the first byte is B0) of the following byte
sequence:

01A3 B267 287C E632

What is the decimal value of the unsigned integer in big-endian and little-endian, respectively?

Exercise 3 (Usage of dd and hash values)

The tool dd is commonly used in forensics to get a 1-to-1 copy of a data structure (e.g. an HDD, a
USB stick, an SD card, a partition). Go through the manual of dd and find the correct dd-syntax
to solve the following tasks:

(a) Copy the first partition of the device /dev/sda to the file image-sda1.dd in the current
directory.

(b) Copy the first 1000 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file
lecture-start.dd. Use a hex dump viewer to show the correctness of your command.
Additionally, compute the SHA-256 value of lecture-start.dd.
(c) Copy the final 1024 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file
lecture-end.dd. Use a hex dump viewer to show the correctness of your command.
Additionally, compute the SHA-256 value of lecture-end.dd.
(d) You have an image of a small partition denoted by image.dd. Its size is 100 MiB. You want
to hide the file picture.jpg in the image, starting at offset 1 MiB of the image. The rest of
the partition image must remain unmodified.
(e) Please enumerate conversion flags of dd, which are reasonable to be used within the securing
phase of a forensic investigation.
(f) An alternative to dd is the tool ddrescue. Which advantage of ddrescue compared to dd do
you see? Please give the syntax of the ddrescue command for part (a).
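The dd invocations for parts (b) to (d), as an added example that is not part of the exercise sheet. It runs on constructed stand-in files in a temporary directory (a 4096-byte fake PDF and an 8 KiB zero-filled image instead of the lecture PDF and the 100 MiB partition image), so the file names and sizes are assumptions, not the exercise's:

```shell
#!/bin/sh
# Added example, not part of the exercise sheet: dd invocations for parts
# (b), (c) and (d), run on constructed files so the results can be checked
# with a hex dump and SHA-256. File names are stand-ins for the exercise's.
set -e
WORK=$(mktemp -d)
SRC="$WORK/lecture.pdf"             # constructed 4096-byte stand-in for the PDF
{ printf '%%PDF-1.4 constructed sample\n'; head -c 4096 /dev/zero; } | head -c 4096 > "$SRC"

first_bytes() {     # part (b): copy the first $3 bytes of $1 to $2
    dd if="$1" of="$2" bs=1 count="$3" 2>/dev/null
}
last_bytes() {      # part (c): copy the final $3 bytes of $1 to $2 (skip = size - N)
    size=$(wc -c < "$1" | tr -d ' ')
    dd if="$1" of="$2" bs=1 skip=$((size - $3)) 2>/dev/null
}
write_at_offset() { # part (d): write $1 into image $2 at byte offset $3
    # conv=notrunc keeps the rest of the image unmodified; without it dd
    # truncates $2 right after the written data. For an offset of 1 MiB,
    # bs=1M seek=1 is the faster equivalent of bs=1 seek=1048576.
    dd if="$1" of="$2" bs=1 seek="$3" conv=notrunc 2>/dev/null
}
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# Parts (b) and (c): extract, show a hex dump of the copy, hash it.
first_bytes "$SRC" "$WORK/lecture-start.dd" 1000
last_bytes  "$SRC" "$WORK/lecture-end.dd"   1024
od -A d -t x1 "$WORK/lecture-start.dd" | head -n 2   # first two hex dump lines
sha256_of "$WORK/lecture-start.dd"
sha256_of "$WORK/lecture-end.dd"

# Part (d), scaled down: 8 KiB zero-filled image, payload written at offset 2048.
IMG="$WORK/image.dd"
dd if=/dev/zero of="$IMG" bs=1024 count=8 2>/dev/null
printf 'constructed picture.jpg' > "$WORK/picture.jpg"
write_at_offset "$WORK/picture.jpg" "$IMG" 2048
echo "image size after write: $(size_of "$IMG") bytes"   # stays 8192 thanks to notrunc
```

Comparing the SHA-256 of each copy against an independent extraction (head -c, tail -c) is the check the exercise asks for with the hex dump viewer.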
