
Hochschule Darmstadt

WS 2011/2012
Department of Computer Science
2011-10-12
Master of Computer Science
Harald Baier, Frank Breitinger and Björn Roos

Computer Forensics, Exercise 1

Exercise 1 (Foundations)

For i ∈ N_0 let B_i denote the i-th byte in a byte string. You must not use technical support in this exercise, i.e. you are expected to find the answers using paper and pencil. However, you may use an ASCII table.

(a) You copy the bytes B_100 B_101 · · · B_1000. How many bytes do you process? What is the answer in the general case B_n B_{n+1} · · · B_m with n, m ∈ N_0, n ≤ m?
(b) Let B_0 = 11010011 be an unsigned integer. What is its decimal value? Write B_0 in hexadecimal, too.
(c) Write the decimal number 2011 in binary and hexadecimal.
(d) What is the binary representation of 0xAB12D?
(e) What is the hexadecimal encoding of the word Forensics, if ASCII is used?

Exercise 2 (Big-endian vs. little-endian)

In computer science you are often confronted with different organisations of multi-byte values. Two common ways to order the bytes are big-endian (e.g. Sun SPARC, Motorola PowerPC) and little-endian (e.g. Intel x86 systems).

(a) Give a definition of both types of endianness.

(b) An unsigned integer of length 4 bytes (e.g. the address of the first sector of a partition) is stored within the bytes B_2 B_3 B_4 B_5 (remark: the first byte is B_0) of the following byte sequence:

01A3 B267 287C E632

What is the decimal value of the unsigned integer in big-endian and little-endian, respectively?

Exercise 3 (Usage of dd and hash values)

The tool dd is commonly used in forensics to get a 1-to-1 copy of a data structure (e.g. an HDD, a USB stick, an SD card, a partition). Go through the manual of dd and find the correct dd syntax to solve the following tasks:

(a) Copy the first partition of the device /dev/sda to the file image-sda1.dd in the current directory.

(b) Copy the first 1000 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file lecture-start.dd. Use a hex dump viewer to show the correctness of your command. Additionally, compute the SHA-256 value of lecture-start.dd.

(c) Copy the final 1024 bytes of vorlesung_forensik_ws11-12_kap00_inhalt.pdf to the file lecture-end.dd. Use a hex dump viewer to show the correctness of your command. Additionally, compute the SHA-256 value of lecture-end.dd.

(d) You have an image of a small partition denoted by image.dd. Its size is 100 MiB. You want to hide the file picture.jpg in the image, starting at offset 1 MiB of the image. The rest of the partition image must remain unmodified.

(e) Enumerate the conversion flags of dd that are reasonable to use within the securing (acquisition) phase of a forensic investigation.

(f) An alternative to dd is the tool ddrescue. Which advantage of ddrescue compared to dd do you see? Give the syntax of the ddrescue command for part (a).
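An added example, not part of the exercise sheet, that exercises the dd syntax behind tasks (b) to (d) on constructed files only (a 4 MiB random image and a placeholder picture.jpg), so neither a real device nor the lecture PDF is touched; it assumes GNU coreutils dd and sha256sum. The check at the end verifies what (d) demands, that the rest of the image stays unmodified, by hashing the head and tail of the image before and after the write.

```sh
#!/bin/sh
# Added example for Exercise 3 (b)-(d): byte-exact dd copies and the conv=notrunc
# pitfall, run only on constructed files, never on a real device or the lecture PDF.
set -eu

# (b): first N bytes of a file. bs=1 makes count= byte-exact.
first_bytes() { dd if="$1" of="$2" bs=1 count="$3" 2>/dev/null; }

# (c): final N bytes. skip= counts in units of bs, so with bs=1 it is size - N.
last_bytes() {
    size=$(( $(wc -c < "$1") ))
    dd if="$1" of="$2" bs=1 skip=$(( size - $3 )) count="$3" 2>/dev/null
}

# (d): write a file into an image at an offset given in MiB (bs=1048576). seek=
# positions the output; conv=notrunc is the crucial flag: without it dd truncates
# the image right after the last byte it writes and the rest of the partition is lost.
hide_at_mib() { dd if="$2" of="$1" bs=1048576 seek="$3" conv=notrunc 2>/dev/null; }

# Digest only, as it would be recorded in the acquisition log.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# End-to-end check on a constructed 4 MiB image (the exercise's is 100 MiB; the
# commands do not depend on the size). Prints "ok" only if the image keeps its size,
# its first 1000 and final 1024 bytes are unchanged, and the hidden file reads back.
run_demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/image.dd" bs=1048576 count=4 2>/dev/null
    printf 'constructed stand-in for picture.jpg' > "$work/picture.jpg"
    size_before=$(( $(wc -c < "$work/image.dd") ))
    first_bytes "$work/image.dd" "$work/start.dd" 1000
    last_bytes  "$work/image.dd" "$work/end.dd"   1024
    head_before=$(sha256_of "$work/start.dd")
    tail_before=$(sha256_of "$work/end.dd")
    hide_at_mib "$work/image.dd" "$work/picture.jpg" 1
    first_bytes "$work/image.dd" "$work/start.dd" 1000
    last_bytes  "$work/image.dd" "$work/end.dd"   1024
    dd if="$work/image.dd" of="$work/readback" bs=1 skip=1048576 \
        count=$(( $(wc -c < "$work/picture.jpg") )) 2>/dev/null
    result=fail
    [ "$(( $(wc -c < "$work/image.dd") ))" -eq "$size_before" ] &&
        [ "$(sha256_of "$work/start.dd")" = "$head_before" ] &&
        [ "$(sha256_of "$work/end.dd")" = "$tail_before" ] &&
        [ "$(sha256_of "$work/readback")" = "$(sha256_of "$work/picture.jpg")" ] &&
        result=ok
    rm -rf "$work"
    echo "$result"
}
run_demo
```

Dropping conv=notrunc from hide_at_mib and rerunning shows the pitfall directly: the image shrinks to 1 MiB plus the picture and the tail hash no longer matches.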
