
SEC201.1 Intro to Computer Fundamentals

Computing Fundamentals

©2017 James Lyne


All Rights Reserved


Day One Intro

• Today we will take an in-depth look at how computers function
• Without understanding how something works, you can’t leverage
that knowledge into finding a weakness
• Today is the most critical day in the course. If you are struggling
make sure you tell the instructor!
• Labs will start from Day Two onwards. Today is just theory.

SEC201 | Intro to Computer Fundamentals 2

Day One Intro

In this book we will be taking an in-depth look into how computers function. These foundational concepts are often the first things taught in a Computer
Science degree, and for good reason. Although it is possible to enter the security industry without understanding these concepts, students who do so will
often lack the knowledge that more advanced concepts are based on. This often shows through on more advanced courses, where the attacks start to take
advantage of low-level computing concepts. This can cause students to struggle later on.


TABLE OF CONTENTS PAGE

Components of a Computer 13
Motherboard 14
Central Processing Unit (CPU) 15
Random Access Memory (RAM) 16
Storage 17
Graphics Card (GPU) 18
What Is an Operating System? 20
What Is a Kernel? 21
What Is a Process? 22
What Is an Interrupt? 23
Boot Loaders 24
Bits 27
Counting 28
Counting in Binary 30
Counting in Hexadecimal 32
Negative Numbers 35
Two’s Complement 38
Notation 39
EXERCISE: Alternative Numbering Systems 40
Operating Systems: Windows 43
Operating Systems: Linux 44
Operating Systems: Mac OS X 45
Virtualisation 46
Virtual Machine Types 47
Virtualisation in Security 49
Virtualisation Applications 50
DEMO: Using VMware Workstation Player 51
Types of Networks 74
Network Hardware 75
Network Hardware: Router 76
Network Hardware: Switch 77
Network Hardware: Hub 78
Network Hardware: Network Cards 79
OSI Model 80
OSI Model: Application Layer 82
OSI Model: Presentation 83
OSI Model: Session Layer 84
OSI Model: Transport Layer 85
OSI Model: Network Layer 86
OSI Model: Data Link Layer 87
OSI Model: Physical Layer 88
IP Addresses 89
IP Addresses: IPv4 90
IP Addresses: IPv6 91
IP Addresses: Private Addressing 92
IP Addresses: Public Addressing 93
IP Addresses: Netmask 94
IP Addresses: CIDR 95
IP Address: Broadcast 97
MAC Addresses 98
ARP 99
DNS 101
DNS: Reverse Lookup 103
DHCP 104
Packets 105
Protocols 106
Ports 107
Packets Continued… 109
TCP/IP Model 110
Application Layer Protocols 112
Transport Layer Protocols 113
TCP Protocol 114
TCP Header 115
TCP Handshake 116
TCP Teardown 117
TCP Reset 118
UDP Protocol 119
UDP Header 120
Ports Continued… 121
Internet Layer 122
Internet Protocol 123
IPv4 Header 124
IPv6 Header 125
ICMP 126
ICMP Header 127
Network Access Layer 128
Ethernet Frame 129
TCP/IP Model – Putting it all together 130
Encoding 133
Encoding – ASCII 134
Encoding – ASCII Table 135
Encoding – URL 136
Encoding 137
Encryption 139
Encryption – Symmetric 142
Encryption – Asymmetric 144
Encryption – HTTPS 147
Encryption – Hashing 150
CPU – Components 157
CPU – Arithmetic Logic Unit 158
CPU – Control Unit 159
CPU – Registers 160
CPU – Architectures 162
CPU – Clock Rate 163
CPU – Fetch 164
CPU – Decode 165
CPU – Execute 166
Memory – In Depth 167
Memory – Addressing 170
Storage – In Depth 172
Storage – FAT32 176
Storage – NTFS 177
Storage – ExFAT 178
Storage – Ext3 179
Storage – Ext4 180
Storage – HFS+ 181
GPU – In Depth 182

Hardware Components

Components of a Computer

A computer is made up of several components:

• Motherboard
• Central Processing Unit (CPU)
• Graphics Card (optional: graphics may be handled by the CPU/Motherboard)
• Random Access Memory (RAM)
• Storage (e.g. Hard Disk)
• Input Devices (e.g. Mouse, Keyboard)
• Output Devices (e.g. Monitor, Speakers)

We will be touching on some of these now, and will return to look at
them in more depth later in this book

Components of a Computer

The key components that make up a computer are:

• Motherboard – Connects the various components together.
• Central Processing Unit (CPU) – Responsible for executing the instructions in computer programs.
• Graphics Card (GPU) – Responsible for drawing graphics on the screen. Can be part of the CPU or Motherboard, but a dedicated GPU is more
powerful.
• Random Access Memory (RAM) – Fast storage whose contents are lost when power is removed.
• Storage (e.g. Hard Disk) – Slower than RAM, but data persists when there is no power to the medium.
• Input Devices (e.g. Mouse, Keyboard)
• Output Devices (e.g. Monitor, Speakers)

Of course there are additional components such as the power supply - but the key ones are discussed here.

Motherboard

• The Motherboard connects the other components of a computer
together
• Contains non-volatile memory (historically ROM, today usually a flash chip) on which the Basic Input
Output System (BIOS) or Unified Extensible Firmware Interface
(UEFI) firmware lives. This runs when the computer is powered on.
• Older motherboards use BIOS and newer
motherboards use UEFI
• Contains Buses which are the physical
connections between components

Motherboard

The motherboard connects the components of the computer together. The motherboard contains a small non-volatile memory chip on which the firmware that
starts the computer lives. Firmware is software stored on that chip: historically true Read-Only Memory (ROM), but on modern boards a rewritable flash chip,
which is why firmware can be updated (and why an update mechanism that does not verify what it writes to that chip is a serious weakness). The two main types
of firmware found on motherboards are BIOS (Basic Input Output System) and UEFI (Unified Extensible Firmware Interface).

Older motherboards use BIOS, while newer motherboards use UEFI for the boot process. The boot process is also known as ‘Bootstrapping’. It is the process of
loading a small program into memory which in turn loads other programs (including the Operating System). In addition, the boot process usually involves a
series of tests to make sure hardware is functioning correctly (the Power-On Self-Test, or POST).

Central Processing Unit (CPU)

• The CPU is the ‘brain’ of a computer, and executes the instructions
of a computer program
• Although it may not feel like it, a single processor can only perform
one task at a time
• The number of instructions processed every second, and the way in
which the computer determines the priority of executing each
instruction, can make the CPU appear like it can do many things at
once
• We’ll be looking at the CPU in more depth
later on in this book

Central Processing Unit

The CPU is the ‘brain’ of the computer. All tasks performed by the computer start at the CPU, which then sends signals to other components such as the
Hard Disk.

Each processor core can execute only a single stream of instructions at a time, although it often doesn’t feel like it. You might be listening to music playing on
your computer at the same time as writing an e-mail. Although you are performing both tasks simultaneously, this is only an illusion. A processor runs through
billions of clock cycles every second, completing roughly one (or a few) instructions per cycle. By switching back and forth between different tasks many times
a second, a processor gives users the impression that it is doing multiple things at once. Computers perform tasks much quicker than humans and therefore we
often cannot tell the difference.

There are CPUs available with multiple ‘cores’. Each core is actually a small processor, so such CPUs are in fact capable of performing multiple tasks at
the same time. This is done by simply assigning each task to its own core. Note the difference between the usage of CPU and Processor. A CPU refers
to the unit that is fitted to a computer, while there might be several processors or processing cores on a single CPU.

Random Access Memory (RAM)

• RAM is a form of data storage
• Faster than storing data on a Hard Drive or even a Solid-State
Drive (SSD)
• Volatile – the data stored degrades rapidly when there is no power
to the chips
• The operating system is read from Storage and placed into RAM
during the boot process. Likewise all running programs are copied
into RAM first.
• There will be more on this later
in the book

Random Access Memory (RAM)

Random Access Memory is a fast form of data storage. It is orders of magnitude faster than accessing hard disk storage.

Random Access Memory is volatile memory. The data stored in RAM rapidly degrades once power is no longer supplied to the chips. This means that
the contents of RAM do not usually survive a reboot, which is why evidence that lives only in memory (running processes, network connections, encryption
keys) has to be captured from a live system before it is powered off.

Because RAM is much faster than Storage, programs are read from storage and loaded into RAM while they are running. This means the CPU can access
the instructions contained in the program more quickly. We’ll be looking more into how memory is laid out later in this book.


Storage

• Examples of storage might be a Hard Disk or SSD (Solid-State
Drive)
• Not to be confused with Memory or RAM
• Non-volatile – Data does not degrade when powered off
• Comparatively slower than RAM

Storage

Storage is a non-volatile data store - the data contained does not degrade when no power is supplied. However, it is much slower than accessing RAM:
which is why typically data is read from Storage and loaded into RAM. This type of storage is most often a hard drive or SSD – however, it can also be
physical media such as a Blu-Ray or even DVD (if anyone still remembers those!).

A traditional hard drive is mechanical. It contains several platters – circular disks on which data is stored. An actuator arm moves the read/write head
as the platters spin. Data is encoded onto the platter magnetically: each tiny region of the surface is magnetised in one of two directions, and the drive reads
the pattern of those regions (in practice, the changes between them) back as 1s and 0s.

An SSD (Solid State Drive) on the other hand has no moving parts and therefore is considered to be somewhat more reliable than traditional mechanical
hard drives. They are also faster at reading data than mechanical hard drives. SSD drives have their own challenges, however. Each flash cell is rated for a
specific number of write (program/erase) cycles and will wear out beyond that point; the limit is on writes, not reads. Originally that number was feared to be
quite low, but recent studies have shown that the number is higher than anyone expected.

Graphics Card (GPU)

• A GPU is not always present. Sometimes the CPU/Motherboard
handles graphics, known as Integrated Graphics
• A specialised chip dedicated to processing graphics
• Highly efficient for number crunching tasks
• Faster than integrated graphics

Graphics Card (GPU)

The graphics card is responsible for processing graphics. It can be integrated into the CPU or Motherboard; however, more common these days is to have
the graphics card as a discrete component. GPUs are highly specialised processors with thousands of simple cores, which makes them excel at running the same
calculation over huge amounts of data in parallel. Drawing graphics is one such workload, but so is computing millions of hash values per second - which is why
you often see GPUs being used for bitcoin mining and password cracking as well as gaming.

Software

What Is an Operating System?

• An Operating System (OS) is software that manages hardware and
software resources
• E.g. Windows 10, Mac OS X, Red Hat Linux
• Acts as a bridge between computer programs and hardware devices
• Application programs usually need an OS to run

What Is an Operating System?

The operating system is software that manages hardware and software resources. Common operating systems include:

• Windows (XP, Vista, 7, 8, 10)
• Mac OS X (renamed macOS from the Sierra release onwards)
• Linux (Various distributions such as Red Hat Linux)

By no means is this an exhaustive list.

The operating system acts as a bridge between software and hardware. Most applications require an Operating System to run.


What Is a Kernel?

• A Kernel is a component of the Operating System
• It is the first part of the OS to load on start up (after the firmware
and boot loader)
• The core of an OS, responsible for:
• Allocating tasks to the CPU
• Allocating memory to running programs
• Handling applications’ requests for Input/Output
• Inter-process communication
• Runs in a protected area of memory (kernel space) - whereas a
user’s actions are performed in another part of memory (user
space)

What Is a Kernel?

The kernel is a critical component of an operating system. It is the first part of the operating system to load on start up (the firmware and boot loader run
before it), and the core of an operating system. It is responsible for:

• Allocating tasks to the CPU.
• Allocating memory to running programs.
• Handling applications’ requests for Input/Output.
• Inter-process communication.

The kernel is loaded into a protected area of memory known as Kernel Space. On the other hand, a user’s actions on the OS take place in user space, which
is a separate area of memory altogether. The separation is enforced by the CPU, which runs kernel code at a higher privilege level than user programs: a user
program cannot read or write kernel memory directly, and must ask the kernel to do privileged work on its behalf through a system call. This boundary is the
main security boundary inside a running computer, which is why bugs in kernel code are so valuable to attackers.

What Is a Process?

• When a computer program is executed, it is loaded into memory
• This instance of the program is called a process. It contains the
code for the program, and the process state or its activity.
• Think of it like this:
• A program is a series of instructions. Like a shopping list, the list itself
doesn’t do anything on its own
• A person reads the shopping list, and then purchases the items on the list.
Halfway through the list, they have already bought some items and still need
to buy some more. This is the ‘state’ of the process.

What Is a Process?

When a computer program is executed, the instructions are read from Storage and loaded into Memory, ready for the CPU to start executing the
instructions. The instance of a computer program that is running in memory is known as a ‘process’. The process contains the code for the program, the
process state and its activity.


What Is an Interrupt?

• An interrupt is a signal that can be sent to the processor by
hardware or software components
• This signal indicates that an event needs immediate attention
• The processor then suspends its current activities, saving its state,
and calling an ‘interrupt handler’ to deal with the event
• Once the event that caused the interrupt is handled, the processor’s
state is restored
• An example of a hardware interrupt would be typing on a
keyboard. The keypress sends an interrupt signal, causing the
processor to read the keystroke.

What Is an Interrupt?

An interrupt is a signal that can be sent to the processor from hardware or software components. It ‘interrupts’ the normal flow of program execution, so
that an important event can be handled by the processor. The processor saves the state of its current task and calls an interrupt handler to deal with the
event.

Once the event that caused the interrupt has been dealt with, the processor retrieves the saved state of what it was doing before and continues.

A typical example of a software interrupt is a system call: a program executes a special instruction that hands control to the kernel so that it can perform a
privileged operation (such as reading a file) on the program’s behalf. Errors such as dividing by zero are handled the same way: the CPU raises an exception
and the kernel’s handler deals with it. (Ctrl + Alt + Delete on Windows is sometimes given as an example, but it actually starts life as a keypress, i.e. a
hardware interrupt, which the keyboard driver then treats specially.)

Similarly, typing or moving the mouse generates an interrupt: this is a hardware interrupt. Imagine if typing or moving the mouse did not cause an
interrupt. You wouldn’t be able to see the mouse cursor move until the processor had finished dealing with whatever it was doing. The cursor position
would be updated suddenly, and you wouldn’t be able to see the cursor move again until the processor had time to update its position on your screen.

Boot Loaders (1)

• A boot loader is a small computer program which starts when a
computer is booted up
• The firmware first performs hardware diagnostics, then hands over
to the boot loader, which loads the Operating System
• Modern computers use UEFI (Unified Extensible Firmware
Interface) firmware, whereas older computers use BIOS (Basic
Input Output System)

Boot Loaders (1)

A boot loader is a small computer program which starts when a computer is booted up. The firmware (BIOS or UEFI) runs first: it performs hardware
diagnostics and knows which disk to look at for a boot loader. The boot loader in turn knows where the Operating System lives, loads it into Memory and
hands over to it, ready for the processor to start executing those instructions. On a UEFI system with Secure Boot enabled, the firmware checks the boot
loader’s digital signature before running it, so that a tampered boot loader is refused rather than trusted.

This process is also known as ‘bootstrapping’, a reference to ‘picking yourself up by your own bootstraps’. The idea is that a smaller program is loaded in
order to load a larger program.

Boot Loaders (2)

• The boot loader controls things such as which disk to look for
the OS Software on
• You can enter the setup mode of the boot loader by following the
instructions on-screen when your computer boots. E.g. “Press ‘del’
to enter SETUP”.

Boot Loaders (2)

The firmware setup controls things such as which disk to look for the boot loader and OS software on first (boot order), RAM timings, processor clock speed,
etc. All of these settings can be tweaked (at your own peril!) in the BIOS or UEFI settings. To get to the settings screen, you need to follow the instructions
when the computer first starts. It may say something like Press ‘del’ to enter SETUP. The exact key to hit depends on the firmware itself and can vary from
computer to computer. Because the boot order decides what code runs first, a machine that will happily boot from a USB stick and has no firmware password
is easy to take over for anyone with physical access.

Numbering Systems
||||||||||||||||||||

Bits

• A bit is the smallest value that is represented in a computer.
Everything is made up of bits.
• A bit is a Boolean value, which means it can only have two values.
This is usually represented as a 1 or a 0, however it can also be
shown as ‘True’ or ‘False’.
• A group of 8 bits is called a ‘byte’
• Amusingly, a group of 4 bits, or half a byte, is known as a ‘nibble’
• 00101010 is a byte. It represents the decimal number ‘42’ or, in
ASCII, the character ‘*’.
(Also, the meaning of life, the universe and everything)

Bits

A bit is the smallest value that can be represented by a computer. They are the ‘building blocks’ of which everything is made up.

A bit is a Boolean value - in other words, it can only have two possible values: True or False. This can also be represented as 1 or 0.

Each group of 8 bits is called a ‘byte’, and a group of four bits is called a ‘nibble’ (Half a byte is a nibble. Get it?)


Counting (1)

• Before we can look into Bits in any more detail, we need to re-learn
how to count
• Counting is easy because we learn it from such a young age - we
can do it without giving it any thought at all - but it is important to
understand how it works
• Humans count in Base 10 (Decimal). That is, we start from 0 and
then count up until 9. When we get to 9 we’ve run out of numbers
that we haven’t used. Therefore we add a 1 to the left of the number
and roll the 9 back around to a 0.


Counting (1)

Before we can go any further in this course we have to re-learn how to count. We’ve all been counting since a very young age - it’s almost as natural as
breathing - and this is kind of a problem. That’s because we don’t really think about the process of counting any more.

Humans count in Base 10 - also known as Decimal, or Denary. This means we start from the number 0, count up to 9, and then stop. We stop because
we’ve run out of digits to use. (10 isn’t a digit, it’s two digits). Because we’ve run out of digits to use, the 9 becomes a zero and we put a 1 to the left of it.
We know this to be 10.


Counting (2)

• Let’s look at it another way:


Counting (2)

Okay, let’s look at the number 3211.

Unlike with Binary and Hexadecimal, which you’ll see in a moment, it’s easier for humans to read these numbers from left to right.

There are three 1000s.
There are two 100s.
There is one 10.
There is one 1.

Add those up:

(3 * 1000) + (2 * 100) + (1 * 10) + (1 * 1) = 3211

Counting in Binary (1)

• Let’s apply the same rules to counting in Binary. Binary is Base 2.
There are only two numbers: 0 and 1
• Starting at 0, you count to 1. After that, you add a 1 to the left and
roll the 1 back to a 0.
• Here’s how it goes:
0, 1, 10, 11, 100, 101, 110, 111, 1000, 1001, 1010, 1011
• In decimal that would be:
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

Counting in Binary (1)

Computers don’t count in Denary - they count in Binary. Binary is known as Base 2, but the same principle applies to it as Base 10.

In Binary there are only two possible digits: 0 and 1. Once you reach 1, it becomes a 0 again - and a 1 is placed to the left of the value. So let’s count to 15
in binary:

0, 1, 10, 11, 100, 101, 110, 111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111

In Decimal or Denary that would be:

0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15

Did you ever hear the old joke, ‘There are 10 types of people in this world: those who understand binary and those who don’t”? Well, now you should
understand it.


Counting in Binary (2)

• It’s easiest to read binary from right to left as the smallest value is
on the right
• Let’s look at it this way:


Counting in Binary (2)

Take the byte from the Bits slide, 00101010. From right to left this is how to work it out:

Do we have any 1s? No, then next number…
Do we have any 2s? Yes. We have a 2.
Do we have any 4s? No, next number.
Do we have any 8s? Yes, one 8.
Do we have any 16s? No, next number.
Do we have any 32s? Yes, one 32.
Do we have any 64s? No.
Do we have any 128s? No.

So then we add up the numbers that we do have to get the decimal value.

In this case:

2 + 8 + 32 = 42

Counting in Hexadecimal (1)

• Binary is how a computer ‘thinks’, but for humans it’s really
inconvenient
• It takes a lot of digits to represent a number, so it’s difficult to write
and remember
• We use Hexadecimal to get around that. Hexadecimal is Base 16.
• Does anyone see a problem with that?
• We only have digits going up to 9, so how do we represent a
number in Base 16?!

Counting in Hexadecimal (1)

Binary is inconvenient. Even if humans understand it, the numbers become too long and take up too much space to write or remember easily. To get around
that we use Base 16, or Hexadecimal, as a kind of shorthand.

Hexadecimal has a problem, however. Since humans count in Base 10, we don’t have digits that can represent values beyond 9….


Counting in Hexadecimal (2)

• The solution is to use letters. In hexadecimal you count from
0 to 9 as you would in decimal. Then when you get past 9 you use
letters A – F.
• 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F, 10, 11, 12, 13, 14, 15, 16, 17,
18, 19, 1A, 1B, 1C, 1D, 1E, 1F, etc.
• Even though there is ‘10’ in hexadecimal, its value is different from
a decimal ‘10’. Keep that in mind!

Counting in Hexadecimal (2)

To get around that, we use letters to represent digits greater than 9. We go from 0 – 9 as usual, then we use A – F to represent the other digits.

Of course, just because we use the same digits does not mean the value is the same as in Denary. Take for example ‘10’.

If it is 10 in hexadecimal, then the true value in denary would be 16. This shows how important it is to know which number system is being used when you
are counting.


Counting in Hexadecimal (3)

• Let’s look at it the same way we did binary:


Counting in Hexadecimal (3)

This is very similar to how we looked at Binary numbers: the only difference is that in Binary you either had a number or you didn’t – but here you can
have multiples of numbers. Take the hexadecimal number 4A1F. Each place is worth 16 times the one to its right (1, 16, 256, 4096), and a digit tells you how
many of that place value you have: there is one 16 here but there are four 4096s.

Let’s break it down from right to left:

We have 15 (F) 1s.
We have one 16.
We have ten (A) 256s.
We have four 4096s.

So add that all up and we have:

(15 * 1) + (1 * 16) + (10 * 256) + (4 * 4096) = 18975

Notice too that one hexadecimal digit covers exactly four bits (a nibble): 4A1F is 0100 1010 0001 1111 in binary. That is why hexadecimal is the usual way
of writing out the bytes in a packet, a file or a memory dump.

Negative Numbers (1)

• An integer is a whole number. We’ll learn more about them in the
programming book.
• In a computer we need some method of representing negative
numbers. We can do this using a ‘signed integer’.
• If the computer expects a number to be ‘signed’ then it treats the
most significant bit as the ‘sign bit’
• If the ‘sign bit’ is a 0, the number is positive. If it is a 1, the number
is negative.

Negative Numbers (1)

So we’ve seen how to represent positive numbers in Binary, but where do negative numbers come in?

A whole number is called an ‘integer’. To represent a negative number we need to use a ‘sign bit’. When an integer has a sign bit, it is called a
‘signed integer’ and it can represent either positive or negative whole number values. The bit pattern itself does not change; what changes is how the
computer interprets it, so the same byte means one thing as an unsigned integer and another as a signed one.

Of course, if we use a sign we give up one bit of magnitude - that is usually the MSB or Most Significant Bit (the one with the highest value). For a
32-bit Integer value that means we go from being able to represent 0 to 4,294,967,295 to −2,147,483,648 to 2,147,483,647.

Negative Numbers (2)

• Let’s look at the integer: 11111111
• If the computer reads this as an unsigned integer, the value is: 255
• If the computer reads this as a signed integer, the value is: -1
• Let’s look at how it is calculated. The leftmost 1, or most significant
bit, is the sign bit so it indicates the number is negative. Knowing
the sign, we now need to find out how big the number is.
• The number we negate is the whole byte: 11111111

Negative Numbers (2)

The integer value: 11111111

As an unsigned integer, the value is 255.

As a signed integer, the value is -1.

To understand how this works, we need to look at how negative numbers are calculated. The leftmost bit, or the MSB (Most Significant Bit), is the sign bit.
The bit is a 1 so that indicates the number is negative.

Since we know the number is negative, the remaining job is to find its magnitude. We do that by negating the whole byte, sign bit included (the sign bit is
not simply dropped: in two’s complement it takes part in the arithmetic).

The value we negate is: 11111111

Negative Numbers (3)

• Now we need to negate the number. Starting from the right, go to
the first ‘1’ and then invert every digit to the left of it.
• So 11111111 becomes 00000001
• Which, in denary, leaves us with the number 1
• We found out earlier that the number was negative so it is -1
• Wait, how does that work?!
• Well, negative numbers are calculated using a system called Two’s
Complement

Negative Numbers (3)

So taking the negative signed integer value: 11111111

We go to the first ‘1’ starting from the right. Then we invert (make a 1 into a 0 and a 0 into a 1) every digit to the left of that first 1.

So: 11111111 becomes 00000001

00000001 in Denary is 1.

We know because of the sign bit that the number is a negative, so therefore its value is -1.

So 11111111 as a signed integer is -1.

This method of calculating negative values is called Two’s Complement. The shortcut above (keep everything up to and including the rightmost 1, invert the
rest) is exactly equivalent to the textbook rule ‘invert every bit, then add 1’. Note that it has to be applied to all eight bits. If you dropped the sign bit and
negated only the remaining seven, 10000001 would come out as -1 instead of its real value, -127: invert all eight bits (01111110) and add 1 and you get
01111111, which is 127.

Another way to see the same thing: in an 8-bit signed integer the sign bit is worth -128 rather than +128, so 11111111 is -128 + 64 + 32 + 16 + 8 + 4 + 2 + 1
= -1, and 10000001 is -128 + 1 = -127.

Two’s Complement

• Two’s Complement is a method of negating a number,
transforming it from negative to positive or the other way around
• Let’s look at this binary number: 00000110. As a signed integer
this value is 6. How do we find out -6?
• As we did before: from the right go to the first 1, then to the left
of that 1 invert all the digits
• So we get: 11111010
• The first digit on the left indicates it’s a negative number. Re-apply
two’s complement to the whole byte to get 00000110, which is 6. So -6.

Two’s Complement

Two’s complement is a way of turning a positive number into a negative number or a negative number into a positive number (negating it).

Take the binary number: 00000110. As a signed integer, this has the denary value 6. If we want to represent -6 we use two’s complement. First,
from the right go to the first 1, then to the left of that 1, invert all the digits. We end up with: 11111010. The first digit on the left is the sign bit,
indicating it is now negative. Re-apply two’s complement to the whole byte (sign bit included) and you get: 00000110, which is 6. So we can see how we went
from 6 to -6 and then back.

Because the sign is only a matter of interpretation, the same byte 11111010 is 250 when read as unsigned. A program that stores a value in a signed variable
and later reads it as unsigned (or the other way round) silently gets the other number - a classic source of bugs in length and size checks.

Notation

• There’s a standard for writing numbers in different numbering
systems
• This is to avoid confusion, because 20 in hexadecimal is not 20 in
decimal
• You may see these standards used in a lot of places, so it is
important to understand them
• A binary number will often be prefixed with a 0b. E.g.: 0b1101
• A decimal number will often be prefixed with a 0d. E.g. 0d81
• A hexadecimal number will often be prefixed with a 0x. E.g. 0x20

Notation

We’ve covered a lot to do with numbers. Perhaps the most confusing part is: how do we know which number is written, and in what numbering system?
We already know that 10 in Denary, 10 in Binary and 10 in Hexadecimal all have totally different values.

We use notation to tell the difference. The standard when you are using multiple numbering systems is to write them with notation.

0d is for denary: 0d10 is the decimal number 10.
0b is for binary: 0b10 is the binary number 10, 2 in denary.
0x is for hexadecimal: 0x10 is for the hexadecimal number 10, 16 in denary.

You might also see \ used instead of a 0, e.g. \x10
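The two’s complement shortcut and the prefix notation above, as an added example (not part of the course material): the helpers implement the "keep everything up to and including the rightmost 1, invert the rest" rule for a fixed bit width, and show why the same byte reads differently as a signed and an unsigned value. Function names and the fixed 8 bit default are assumptions for this example.

```python
"""Binary, hexadecimal and two's complement helpers (added example, not course code).

The negation rule is the one the slides describe: keep every bit up to and
including the rightmost 1, invert every bit to its left.  The width is fixed,
because two's complement only makes sense for a known number of bits.
"""


def parse_prefixed(text: str) -> int:
    """Parse a number written with the 0b / 0d / 0x prefix (or the \\x variant)."""
    t = text.strip().lower()
    if t.startswith("\\x"):          # \x10 is another way of writing 0x10
        t = "0x" + t[2:]
    bases = {"0b": 2, "0d": 10, "0x": 16}
    base = bases.get(t[:2])
    if base is None:
        raise ValueError(f"missing or unknown prefix in {text!r}")
    return int(t[2:], base)


def negate_twos_complement(bits: str) -> str:
    """Negate a fixed-width bit string using the rightmost-1 shortcut."""
    if not bits or any(c not in "01" for c in bits):
        raise ValueError("expected a string of 0s and 1s")
    pos = bits.rfind("1")
    if pos == -1:
        return bits                  # zero is its own negation
    flipped = "".join("1" if c == "0" else "0" for c in bits[:pos])
    return flipped + bits[pos:]      # bits from the rightmost 1 onward are kept


def to_signed_bits(value: int, width: int = 8) -> str:
    """Encode a denary integer as a two's complement string of `width` bits.

    The range check matters: -129 cannot be stored in 8 bits, and silently
    wrapping it would be exactly the kind of sign/overflow mistake that causes
    bugs in real code.
    """
    lo, hi = -(1 << (width - 1)), (1 << (width - 1)) - 1
    if not lo <= value <= hi:
        raise OverflowError(f"{value} does not fit in {width} signed bits")
    magnitude = format(abs(value), f"0{width}b")
    return negate_twos_complement(magnitude) if value < 0 else magnitude


def from_signed_bits(bits: str) -> int:
    """Decode a two's complement string; the leftmost bit is the sign bit."""
    if bits[0] == "0":
        return int(bits, 2)
    return -int(negate_twos_complement(bits), 2)


def from_unsigned_bits(bits: str) -> int:
    """Decode the same string with no sign bit, as plain binary."""
    return int(bits, 2)


if __name__ == "__main__":
    six = to_signed_bits(6)                        # 00000110
    minus_six = negate_twos_complement(six)        # 11111010
    print(six, "->", minus_six, "->", negate_twos_complement(minus_six))
    # The same 8 bits mean -6 when treated as signed and 250 when unsigned:
    print(from_signed_bits(minus_six), from_unsigned_bits(minus_six))
    print(parse_prefixed("0b1101"), parse_prefixed("0d81"), parse_prefixed("0x20"))
```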


Exercises

• Perform the following calculations and fill in the answers…
• Check your answers against the solutions on the next page
• If you are struggling, ask for help!

Binary to Decimal

Convert the following binary numbers into decimal:

1. 11011101: __________________________
2. 11100101: __________________________
3. 10010100: __________________________
4. 11100011: __________________________

Decimal to Binary

Convert the following decimal numbers into binary:

1. 59: __________________________________
2. 192: _________________________________
3. 681: _________________________________
4. 1024: ________________________________

Two’s Complement

Represent the following decimal values in signed 8 bit binary values:

1. -42: __________________________________
2. -91: __________________________________
3. -22: __________________________________
4. -3: ___________________________________


Exercise Answers

• Warning! Answers below.
• Don’t look if you haven’t done the exercises on the previous page

Binary to Decimal

Convert the following binary numbers into decimal:

1. 11011101: 221
2. 11100101: 229
3. 10010100: 148
4. 11100011: 227

Decimal to Binary

Convert the following decimal numbers into binary:

1. 59: 111011
2. 192: 11000000
3. 681: 001010101001
4. 1024: 010000000000

Two’s Complement

Represent the following decimal values in signed 8 bit binary values:

1. -42: 11010110
2. -91: 10100101
3. -22: 11101010
4. -3: 11111101


Operating Systems

Operating Systems

Operating Systems: Windows

• Windows Desktop Operating Systems
• Vista (End of support April 11th 2017)
• 7
• 8 / 8.1
• 10
• Windows Server Operating Systems
• Windows Server 2008
• Windows Server 2012
• Server Core (Stripped down server)
• Windows Server Datacentre

Operating Systems: Windows

Microsoft has a very large market share in the Desktop Operating System Market. Versions prior to Windows Vista are no longer supported by patches and
updates which means that they can’t be considered secure.

Windows Server 2003 and prior are also no longer supported by patches and updates and should no longer be used.

Server Core is a more recent release from Microsoft: it is a stripped down version of Windows Server. With Server Core, you can only access the
command prompt and a very limited set of GUI features (such as registry editor).

Windows Server Datacentre edition is not available without a support contract from Microsoft.

Operating Systems: Linux

• Comes in many ‘flavours’ (distributions)
• They all have one thing in common: the Linux kernel
• Desktop and Server versions are available
• Desktop versions have a small market share, slowly
gaining traction
• Linux is mainly used as a Server
• You will use Desktop and Server versions A LOT. Many security
tools are written only for Linux.

Operating Systems: Linux

Linux comes in many different distributions. They all share one thing in common, however, and that is the Linux Kernel. Many distributions are tailored
for either Server use or Desktop use. Desktop versions tend to come with a GUI (Graphical User Interface), whereas Linux server distributions tend to have
everything unnecessary stripped out, including the GUI. Linux is most commonly used as a server OS, but recent changes in usability have started to shift
this perception, with distributions such as Ubuntu aiming to make Linux easier to use for non-technical users.

Operating Systems: Mac OS X

• Mainly used as a Desktop
• Server does exist, but it is not widely used
• Unix-based, which makes it similar to Linux in some ways

Operating Systems: Mac OS X

The Mac Operating System is mainly seen in Desktop form, although there is a server OS. The Server is not commonly seen. The Mac platform on the
whole is based on Unix, which is similar in many ways to Linux. This means that the Mac Operating System is underpinned with similar capabilities to
many Linux distributions, including a Terminal and many terminal commands which will seem familiar to Linux users.

Virtualization

Virtualization

Virtualization

• Hardware Virtualisation is the creation of a ‘Virtual Machine’ through software or firmware, which acts like real computer hardware
• Operating Systems can be installed on Virtual Machines as if they
were real physical computers
• Virtualisation allows software to run virtually on the same
hardware
• Virtual Machines are isolated. Software running on a Virtual
Machine cannot interact with the non-virtualized Operating System

Virtualization

Virtualization is the process of using software to mimic hardware components. These components are ‘virtual’; however, they behave like real computer
hardware. We can install an Operating System on these Virtual Machines as if they were physical computers.

The benefit of using Virtual Machines is that they are isolated and cannot interact with the host running the virtualisation software. This is particularly
useful for high risk activities such as malware analysis (oops, I double clicked it by mistake!). Make sure you disable the network card in the virtual
machine if you’re going to do that, though!

It’s also incredibly useful to be able to run multiple operating systems on one computer without having to restart to switch between them. There are many
security tools which only run on one particular operating system, so you’ll be using virtualisation a lot in the security industry.

Virtual Machine Types

• There are two types of Virtual Machines:
• OS-Level
• Application-Level

• Host OS
• Guest OS

Virtual Machine Types

OS-Level Virtual Machines are the most common type of Virtual Machine. They allow multiple Operating Systems to run virtually on the same hardware.

With OS-Level Virtual Machines, the Operating System that runs the Software that creates the Virtual Machines is known as the ‘Host OS’. The Operating
Systems that run on the Virtual Machines are known as the Guest OS(es).

Application-Level Virtual Machines allow an application to run in a separate Virtual Machine. This means that should the application be compromised the
whole computer cannot be taken over.

Virtualization in Security

• Virtualization is extremely important for security people
• We often need both Windows and Linux at the same time
• Dual-boot is an option, but having to reboot every time you need to
switch back and forth is inefficient
• Additionally, Virtual Machines are isolated from the host. This
makes it ideal for doing risky things such as examining malware
(but make sure you disconnect the network adapter!).
• Many Virtualisation applications support snapshotting which
allows you to save the state of a system and rollback to the
snapshot

Virtualization in Security

Virtualization is extremely important for security people. We often need both Windows and Linux at the same time. Of course, dual-boot (the practice of
installing two operating systems on one hard disk) is an option but in that case you would have to reboot to switch back and forth. With virtualization we
can run both Windows and Linux at the same time without the inconvenience of having to reboot every time you need to swap between them.

Virtual machines have an additional benefit of being isolated from the host. This is particularly good for malware analysis (but do yourself a favor and
disable the networking in the virtual machine so the malware doesn’t spread over the network). Additionally, many Virtualisation applications support
snapshotting which allows you to save the state of a virtual machine at a particular point in time (like when you have a known good configuration) so that
you can revert to the snapshot and have a working Operating System without having to re-install the Operating System.

Virtualization Applications

• VMware
• VMware Workstation (Windows / Linux) (Paid)
• VMware Player (Windows / Linux) (Free)
• VMware Fusion (Mac) (Paid)
• VirtualBox (Windows / Linux / Mac) (Free)
• In this course we will be using VMware. You can use any of the
various versions listed above.

Virtualization Applications

There are many applications out there that support virtualisation. We’re going to be using VMware in this course, but you should be able to use VirtualBox
also if you prefer so long as you translate the steps to your application.

Demo: Using VMware Workstation Player (1)

• We’re going to walk through the usage of VMware Workstation Player with you now
• When you first open VMware, you should see something that looks
like this…

Demo: Using VMware Workstation Player (1)

When you first open VMware you will be greeted by the home screen where you can choose to create a new virtual machine or open an existing one.

Demo: Using VMware Workstation Player (2)

Demo: Using VMware Workstation Player (3)

• From here we can create a new Virtual Machine, or open an existing one
• Existing VMs will be listed down the sidebar under ‘Home’
• In our case, we didn’t have any just yet
• Let’s show you how to create a virtual machine…
• We can do that by clicking on ‘Create a New Virtual Machine’ or
going to it from the Player dropdown menu in the top left

Demo: Using VMware Workstation Player (3)

Existing Virtual Machines can be found to the left under ‘Home’; if you don’t have any yet, the list will be blank. You can create a new virtual machine by
clicking on ‘Create a New Virtual Machine’ or from the Player dropdown menu in the top left.

Demo: Using VMware Workstation Player (4)

Demo: Using VMware Workstation Player (5)

• From this wizard we can specify the installation media we want to use when the Virtual Machine is created
• We can choose either to use Media that is in the disk drive of the
computer
• We can use an ISO image file that was downloaded to the computer
• Or we can choose to install the OS later. If we choose this route, the
computer will only have a BIOS and we will be able to add
installation media to the virtual disk drive and boot into the OS
installer that way.

Demo: Using VMware Workstation Player (5)

From the Virtual Machine creation wizard you can specify the installation media you want to use to install the Operating System when the Virtual Machine
is created. You can use a DVD or Blu-Ray disk in your physical disk drive if you have one, or you can specify an image file such as an ISO that was
downloaded to your computer. You can also choose to install the OS later. If you go that route, the Virtual Machine will only have a BIOS on it. You will
need to install the OS by mounting a Virtual disk drive to it and mounting an ISO image to that or mirroring the virtual disk drive to your physical disk
drive.

Demo: Using VMware Workstation Player (6)

• After selecting the installation media, you may have to tell VMware
what OS you are installing if it cannot detect it automatically
• If it does get detected, you may be given the option of ‘easy install’
which is where you tell VMware what settings you want to use such
as product key, username, password, etc.
• Then VMware will install the OS with those settings without you
having to do anything

Demo: Using VMware Workstation Player (6)

Once you have specified the installation media, VMware will need to know what Operating System you are planning to install on it. Sometimes it can do
the detection automatically, but if automatic detection fails you will need to pick the right OS option from the dropdown. VMware has a convenient feature
called ‘easy install’ which is available for some Operating Systems (such as the Ubuntu Linux distribution) depending on which one you are trying to
install. With easy install, VMware will ask you for all the information the OS installer will ask for, and then it will fill it in automatically for you when it
starts the installation. This is very convenient if you want to leave it to install and come back later. If your OS does not support easy install, you will have
to follow the installation steps to install the OS just as if you were installing that OS on a real computer.

Demo: Using VMware Workstation Player (7)

• You will be prompted to save the VM somewhere and give it a name...

Demo: Using VMware Workstation Player (7)

You will have to specify where you want to save the files for the Virtual Machine.

Demo: Using VMware Workstation Player (8)

• Then you’ll have the chance to assign it hard disk space
• By default, VMware will split up the disk image into multiple files
• It will slow down disk speed within the VM a little – however, it
makes it much easier to move the VM around to other devices if
you leave it split up into smaller files
• Usually you will want to leave it at splitting the disk up into pieces

Demo: Using VMware Workstation Player (8)

You’ll have to specify how much hard disk space you want to assign, and if you want to split the disk up into multiple files. This is useful if you want to be
able to copy the Virtual Machine onto other disks and carry them around with you. It’s easier to copy several smaller files than one very large file. Splitting
the disk does make the virtual disk somewhat slower than if you keep it in one large file, but in most cases the convenience of splitting the disk up
outweighs the minor speed decrease.

Demo: Using VMware Workstation Player (9)

Demo: Using VMware Workstation Player (10)

• VMware will set the hardware specification to a reasonable set of defaults for the OS you are installing
• You can customise it if you wish, by clicking on ‘Customise
Hardware’ on the review page just before the VM is created

Demo: Using VMware Workstation Player (10)

VMware will configure the rest of the hardware for you with what it believes to be reasonable defaults for the Operating System you are installing. For
example, Windows usually gets 2GB of RAM at least while most Linux distributions will be given 512MB. You can customise these defaults, and we
recommend you do so to increase RAM if you have enough spare on your computer.

Demo: Using VMware Workstation Player (11)

• Then you’ll have to decide what hardware specification your VM will have
• Make sure your computer is powerful enough to handle losing
those resources
• Don’t give your Virtual Machine 8GB of RAM if your computer only
has 8GB of RAM in total!
• At the same time, make sure the OS you are running in the VM has
enough resources to run properly
• Don’t give Windows less than 2GB of RAM or it won’t be happy!

Demo: Using VMware Workstation Player (11)

When customising your VM hardware, make sure your computer is powerful enough to handle it when you assign more resources to a virtual machine.
Don’t assign 8GB of RAM to your VM if your host only has 8GB of RAM in the first place; your host needs some RAM to function too. Similarly, if you
have 4GB of RAM to spare on your host, don’t run two VMs at once that both have 4GB of RAM. Windows isn’t happy about having less than 2GB of
RAM either, so you need to account for that.

Demo: Using VMware Workstation Player (12)

• We can assign the VM more memory…

Demo: Using VMware Workstation Player (12)

Here we can see how to assign the VM more memory.

Demo: Using VMware Workstation Player (13)

• Or more processor cores…

Demo: Using VMware Workstation Player (13)

We can also assign more processor cores.

Demo: Using VMware Workstation Player (14)

• You can change the CD settings (although don’t if your VM is going to be installing the OS, you can see the ISO we’re using is already loaded into the CD tray)

Demo: Using VMware Workstation Player (14)

You can also change the CD settings, although you shouldn’t if your OS has yet to be installed. You can see here that our Windows installation disk image is
loaded into the CD tray, so it will run when we next boot the VM and Windows can install.

Demo: Using VMware Workstation Player (15)

• You can change the network adapter type…

Demo: Using VMware Workstation Player (15)

Here we can see the network adapter settings.

Demo: Using VMware Workstation Player (16)

• The network adapter settings are perhaps the most important for
us
• Bridged Mode – In this mode, the VM will connect directly to the
network your host computer is connected to. It will have its own
individual IP address separate from the host OS.
• NAT Mode – In this mode, the VM will connect to the network
through the host computer. It will share the same IP address as the
host.
• Host Only Mode – In this mode, the VM will only be able to
connect to the host OS

Demo: Using VMware Workstation Player (16)

The network adapter settings are a critical area to understand. Many people have been tripped up getting their Virtual Machines networked properly. The
three network adapter modes are:

Bridged Mode – In this mode, the virtual machine will connect directly to the network your host computer is connected to. It will have its own individual
IP address separate from your host computer.
NAT Mode – In this mode, the virtual machine will connect to the network through your host computer. It will share the IP address of the host, and have its
own separate internal IP address on a different subnet.
Host Only Mode – In this mode, the virtual machine will only be able to connect to the host OS and any other virtual machines that are running on the host
in host only mode.

Demo: Using VMware Workstation Player (17)

• Once the hardware is set, the VM can be created by clicking on finish
• You should see a new window appear with the Virtual Machine
within
• The installation procedure for the OS should then start

Demo: Using VMware Workstation Player (17)

Once the hardware is set, the VM can be created by clicking on finish. A new window will appear with the Virtual Machine within and the installation
process for the OS should start once the machine has booted.

Demo: Using VMware Workstation Player (18)

Demo: Using VMware Workstation Player (19)

• Once we have our VM running, we can use it like any other computer
• However, to make our lives easier, we should install VMware Tools
on the VM’s Operating System
• VMware tools will make it so that the resolution automatically
changes when we resize the VM window
• It has several additional useful features like a shared clipboard, and
drag and drop for copying files between the VM and the host OS

Demo: Using VMware Workstation Player (19)

Once we have the VM running, we can use it like any other computer. It’s a good idea to install VMware Tools on the Virtual Machine’s Operating
System. VMware Tools will make it so that the resolution of the virtual machine automatically resizes based on the size of the window. It also has
convenient functionality like sharing a clipboard between the host and the guest operating systems, and it supports drag and drop of files.

Demo: Using VMware Workstation Player (20)

• You can find ‘Install VMware Tools’ in the Player dropdown under
‘Manage’
• By clicking on it, a disk will automatically be mounted to the VM
• The disk will contain the VMware tools installer
• This also works under Linux – however, it is usually recommended
to use the Linux package manager to install the ‘open-vm-tools-
desktop’ package for your Linux distribution. The generic installer
is often problematic under Linux.

Demo: Using VMware Workstation Player (20)

You can find ‘Install VMware Tools’ in the Player dropdown under ‘Manage’. By clicking on it, a disk will automatically be mounted to the VM. The disk
will contain the VMware tools installer. On Windows it’s a simple case of running the installer and rebooting.

There is also a copy of VMware Tools on Linux. You can mount the image the same way as you do in Windows, but it’s often better to use the package
manager included in your Linux distribution to install ‘open-vm-tools-desktop’. This package is usually optimised for that specific Linux distribution and it
can solve many problems the generic version of VMware Tools has.

Demo: Using VMware Workstation Player (21)

Demo: Using VMware Workstation Player (22)

• At the top of the VM screen you might see a pause button. This is
the button that suspends the VM.
• Suspension isn’t the same as a shut down. A suspended VM is
frozen in time at the moment it was suspended.
• When you come back to it, you can resume the VM and you can
continue what you were doing before it was suspended
• Clicking on the down arrow next to the pause button allows you to
select other options such as shut down or restart
• Shut down is similar to holding the power button down on a
computer to force it to switch off, so beware. It’s usually better to
shut down from within the VM.

Demo: Using VMware Workstation Player (22)

The pause button at the top of the VM screen can be used to suspend the virtual machine. This is different from shutting it down; a suspended virtual
machine is frozen in time at the moment it was suspended. You can resume it and continue where you left off without waiting for it to boot. Clicking the
down arrow next to the pause icon will let you choose from other buttons such as shutdown and restart. It’s important to note that these are hardware
actions, similar to holding down the power button on a physical machine and will not shut down the VM gracefully. Usually you want to restart or
shutdown from within the Virtual Machine through software, but you may need to use these buttons if there is a crash and you can’t get to the shutdown
within the guest OS.

Networks

Networks

Types of Networks

• Local Area Network (LAN)
• A computer network that connects computers within a limited or ‘local’
geographic area
• Typically the medium these days is Ethernet or Wi-Fi
• E.g. Home Network
• Wide Area Network (WAN)
• A computer network that connects computers within a large or ‘wide’
geographic area
• Often established via leased lines or VPN connections
• Can connect two or more LANs
• The Internet is the largest WAN in existence

Types of Networks

A Local Area Network or LAN is a computer network that connects computers within a limited or local geographic area. Typically this is done over
Ethernet cables or Wireless (Wi-Fi). These can be home networks or even office networks. Each computer on a local network will have its own private IP
address which is unique. These IP addresses are not typically addressable from the Internet.

Similarly, the entire network will typically only have a single public IP address per Internet connection. That means many computers will share a set of IP
addresses on the Internet. The process of converting between private IP addresses and public IP addresses is called NAT or Network Address Translation.
It was designed when the Internet was running out of IP addresses so that multiple computers could share a single IP address.

A Wide Area Network or WAN is a computer network that connects computers within a large or wide geographic area. Often these connections are
established via leased lines or VPN (Virtual Private Network) connections. It is possible to join multiple LANs into a WAN. A good example of this type
of network is the Internet.

Network Hardware

• Router
• Switch
• Hub

Network Hardware

We need to consider the different types of networking hardware which can make up a network. The key three are Routers, Switches and Hubs. We will
discuss each in depth.

Network Hardware: Router

• A router is a network device which is connected to at least two networks. For example, a router in your home will be connected to
your LAN and also to the Internet.
• Also known as a ‘gateway’
• Decides which network to send data it receives
• For example: data coming from the Internet may be sent to your
LAN, and data coming from the LAN may be sent to the Internet
• The backbone of the Internet. Data is sent through many routers
before arriving at its destination.

Network Hardware: Router

A router is a network device which typically sits on the border between two networks and acts as a bridge to connect them. Typically a router will be
connected to both your LAN and to the Internet. The router’s job is to forward traffic onward from computers on the LAN to the Internet and from the
Internet back to the LAN. This behaviour is the reason a router is often called a ‘gateway’. On a wider scale, the Internet functions on a massive network of
routers which decide where to send traffic.

Network Hardware: Switch

• Connects devices together within a network
• Smart enough to only send data to the computer it is destined for
• Uses the MAC Address, also known as Hardware Address, which is
burned onto the Network Card of the computer to determine who
to send data to
• Often connected to a router. Some switches are also routers.

Network Hardware: Switch

A switch is responsible for routing traffic within a LAN. While a router can only decide if the traffic should be sent to the LAN or the Internet, the switch’s
job is to decide which computer on the LAN traffic should be sent to.

In order to do this, the switch looks at MAC addresses, or hardware addresses. These addresses are unique to each network card. A network protocol called
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. The switch keeps a table in its memory of which IP address maps to which
MAC address, and uses that to determine where traffic should be sent.

You may see cases where a Router also has the capabilities of a Switch built in. These are two-in-one devices, but you should make a clear delineation of
the responsibilities of each in your head.

Network Hardware: Hub

• A Hub is similar to a switch: it is used to connect devices together on a network
• Sends all data to all computers on the network
• All Wi-Fi access points are hubs

Network Hardware: Hubs

A hub serves the same purpose as a switch, in that it is responsible for sending traffic on a local network. Unlike a switch, however, hubs are not
intelligent. They don’t decide which computer should have what traffic; instead, they send all traffic they receive to every computer connected to the hub.
When the computer receives such traffic, it then must decide to discard the data (if it wasn’t meant for that computer) or to accept the data.

Hubs are not commonly used anymore except for one purpose: Wireless. All Wireless access points are hubs, and that is the nature of wireless. A switch
can decide which computer to send data to because the computers are connected by cables to each port and the switch can choose which cable to send the
data through.

With wireless, however, data is transmitted over radio waves, and radio waves can’t be directed to specific computers. The nature of wireless means that all
traffic will be sent to every computer. This is the behaviour of a hub.

Network Hardware: Network Cards

• A network card exists in any computer that can connect to a network
• Can come with Wired or Wireless capabilities
• Often not a separate card these days, and can be built into the
Motherboard
• Each card has a Hardware Address or MAC Address which
identifies it. This is used by a Switch to decide who to send data to.

Network Hardware: Network Cards

Network cards in a computer allow them to connect to networks. Some network cards are wired only, while some also support wireless. Some might even
be wireless only. Usually the functionality of network cards is built into the motherboard these days, but you can still buy them as separate cards and install
them.

Each Network Card (NIC – Network Interface Card) has a MAC address which is burned onto the card. The MAC address is how the Switch knows which
computer to send data to. Although the MAC address is burned into the network card, they can be spoofed at the Operating System level.


OSI Model (1)

• A conceptual model which shows how computer systems communicate


OSI Model (1)

The OSI model is a way of describing how computer systems communicate.


OSI Model (2)

• The OSI Model can also be called a ‘stack’
• You work down the stack from the Application Layer
• At the bottom of the stack, the data is transferred to the bottom of the stack at another location
• Then you work up the stack from the bottom
• Often seen as complex, sometimes the description of the layers is needlessly so
• We will cover it in basic terms only


OSI Model (2)

In the OSI Model, the sending computer works its way down the OSI model from the top. Each layer adds to the data packet. When you reach the bottom
of the stack, at the Physical Layer, data is transmitted to the receiving computer. The receiving computer, having received the data packet at the Physical
Layer, works its way back up the stack. As it moves it removes layers of data from the packet until it reaches the Application Layer, where the original data
is finally received by the application.


OSI Model: Application Layer

• The Application Layer is where user interaction occurs. It is here that the user inputs data and receives data back.
• E.g. HTTP (Hyper Text Transfer Protocol), FTP (File Transfer Protocol), SSH (Secure Shell), etc.


OSI Model: Application Layer

The application layer is where user interaction occurs. It is here that the user inputs data into the application and receives data back from the application.
Examples of Application Layer protocols are:

HTTP – Hyper Text Transfer Protocol
FTP – File Transfer Protocol
SSH – Secure Shell


OSI Model: Presentation Layer

• The Presentation Layer is the operating system. When a user uses an application at the Application Layer, the Application Layer interacts with the Presentation Layer in order to display data.
• E.g. ASCII (for representing data as text)


OSI Model: Presentation Layer

At the presentation layer is the Operating System itself. When a user interacts with an application at the Application Layer, the application itself interacts
with the presentation layer for displaying data.


OSI Model: Session Layer

• The Session Layer handles the creation and maintenance of sessions between the Presentation Layer and other computers
• A user browsing the Internet interacts with the Application Layer. The Application Layer interacts with the Presentation Layer, and the Presentation Layer interacts with the Session Layer to interact with the web server.


OSI Model: Session Layer

The session layer handles the creation and maintenance of sessions between the Presentation Layer and other computers. For example, a user browsing the
Internet with a web browser interacts with the Application Layer. The application layer interacts with the presentation layer, and the presentation layer
interacts with the session layer which interacts with the web server to establish a session.


OSI Model: Transport Layer

• The Transport Layer controls what and how much data is sent over
an established session


OSI Model: Transport Layer

The transport layer controls what and how much data is sent over an established session.


OSI Model: Network Layer

• The Network Layer is responsible for where a ‘packet’ of data is sent and where it originates
• Routers operate on the Network Layer


OSI Model: Network Layer

The network layer is responsible for where a ‘packet’ of data is sent and where it originates. For example, routers are often classified as a layer three
device because they operate on the network layer.


OSI Model: Data Link Layer

• The Data Link Layer is responsible for transmitting data between two directly connected nodes. This is done through MAC Addresses.
• Also responsible for error checking
• Switches operate on the Data Link Layer


OSI Model: Data Link Layer

The data link layer is responsible for transmitting data between two directly connected nodes. This is done through the use of MAC addresses (hardware
addresses). The data link layer is also responsible for error checking. For example, switches operate at layer 2 (data link).


OSI Model: Physical Layer

• The Physical Layer is represented by the physical cables that make up a network and the electrical signals that pass over them
• Could also be Wireless signals (radio waves)


OSI Model: Physical Layer

The physical layer is represented by the physical cables (or radio waves) that make up a network and the electrical signals that pass over them.


IP Addresses

• An IP Address or Internet Protocol Address is a label assigned to a computer on a network that identifies it. It also defines its location on the network.
• There are two versions, IPv4 and IPv6
• IPv4 is easier to read, but has a limited address space. We’re running out of these!
• IPv6 is more recent, and gaining traction. It can look intimidating, but the address space is large enough that trillions of IP addresses could be assigned to every human on the planet.


IP Addresses

IP Addresses or Internet Protocol Addresses are the naming scheme of the Internet. They identify both the computer and its location on a particular
network. There are two types of addressing schemes.

The original was IPv4, and it is still widely used today. However, the problem is that it was never designed for the volume of computers that exist today.
Thus, we are rapidly running out of IPv4 addresses. To get around this issue, NAT (Network Address Translation) was developed, with certain IP ranges
designated as private IP address ranges. With NAT an entire LAN can use a single public IP address to access the Internet. This has helped us stave off
running out of IPv4 addresses, but with the development of IPv6 this problem is less pressing.

IPv6 is newer and is slowly gaining traction. It looks intimidating because the addresses are significantly longer than IPv4, so many people are reluctant to
use it. However, there are enough potential IP addresses in the IPv6 range to assign an IP address to every single atom on the surface of the earth - and still
not run out.


IP Addresses: IPv4

• IPv4 Format: XXX.XXX.XXX.XXX
• 8 bits separated by ‘dots’, 32 bits in total
• E.g.: 192.168.0.1


IP Addresses: IPv4

The IPv4 Format is: XXX.XXX.XXX.XXX

Each section separated by ‘.’s is represented by 8 bits (1 byte). In total, the IPv4 address range is represented by 32 bits. An example of an IPv4 address:
192.168.0.1.


IP Addresses: IPv6

• IPv6 Format:
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
• 16 bits separated by colons, 128 bits in total
• E.g.: FE80:0000:0000:0000:903A:1C1A:E802:11E4
• Can be shortened by reducing one row of zeros to ::
• E.g.: FE80::903A:1C1A:E802:11E4
• Only one row of zeros can be shortened
• Other blocks of zeros can be shortened using :0
• E.g.: FE80:0000:0000:0000:903A:0000:0000:11E4
• To: FE80::903A:0:0:11E4


IP Addresses: IPv6

IPv6 can be tricky because of the format. Because the addresses are so long, there are shorthand ways to write them.

Here are the rules:

If there is a series of 0 groups all in a row, you can shorten them to ::, but only for one row. If the zeros are broken up into two rows, only one of those rows
can become ::.

FE80:0000:0000:0000:903A:1C1A:E802:11E4 could become FE80::903A:1C1A:E802:11E4

Because 0000:0000:0000 is consecutive, it can be shortened to ::

If instead we had FE80:0000:AABB:0000:903A:1C1A:E802:11E4, then we could shorten it to either FE80::AABB:0000:903A:1C1A:E802:11E4 or
FE80:0000:AABB::903A:1C1A:E802:11E4

Other blocks of 0s can be shortened using :0

Taking our previous example of FE80:0000:AABB:0000:903A:1C1A:E802:11E4, we could shorten it using the above rule to:
FE80::AABB:0000:903A:1C1A:E802:11E4

We can then shorten it even further to: FE80::AABB:0:903A:1C1A:E802:11E4
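The shorthand rules above, worked through in code. This is an added example, not part of the course book: compress() shortens the single longest run of zero groups to :: (the first run wins a tie) and writes every other zero group as 0, while expand() reverses the process and rejects an address containing more than one ::. Two caveats for anyone comparing with a real stack: compress() also drops leading zeros inside non-zero groups, as RFC 5952 does, and RFC 5952 would not shorten a lone zero group to ::, whereas the rule above does.

```python
import re

_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _groups(text: str) -> list[str]:
    """Split on ':' and check that every group is 1 to 4 hex digits."""
    groups = text.split(":") if text else []
    for group in groups:
        if not _HEX_GROUP.match(group):
            raise ValueError(f"bad IPv6 group {group!r} in {text!r}")
    return groups


def expand(addr: str) -> str:
    """Undo the shorthand: always returns eight 4-digit upper-case groups."""
    if addr.count("::") > 1:
        raise ValueError("only one run of zero groups may be written as '::'")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups, right_groups = _groups(left), _groups(right)
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = _groups(addr)
        if len(groups) != 8:
            raise ValueError("an uncompressed IPv6 address has eight groups")
    return ":".join(group.upper().zfill(4) for group in groups)


def _longest_zero_run(groups: list[str]) -> tuple[int, int]:
    """(start, length) of the longest run of all-zero groups; the first run wins a tie."""
    best = (-1, 0)
    i = 0
    while i < len(groups):
        if int(groups[i], 16) != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and int(groups[j], 16) == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def compress(addr: str) -> str:
    """Apply the shorthand rules to a full (or already partly shortened) address."""
    groups = expand(addr).split(":")
    # Rule 2, plus RFC 5952's leading-zero rule: '0000' -> '0', '0001' -> '1'.
    short = [group.lstrip("0") or "0" for group in groups]
    start, length = _longest_zero_run(groups)
    if length == 0:
        return ":".join(short)
    # Rule 1: only the single longest run of zero groups becomes '::'.
    return ":".join(short[:start]) + "::" + ":".join(short[start + length:])
```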


IP Addresses: Private Addressing

• A private IP Address is only accessible on an internal network
• Blocks of IP Addresses are reserved for this usage
• On IPv4 the reserved addresses are:
• 10.0.0.0 – 10.255.255.255 : Class A Network
• 172.16.0.0 – 172.31.255.255 : Class B Network
• 192.168.0.0 – 192.168.255.255 : Class C Network
• We can see a portion of the address is reserved for identifying the network. The rest is reserved for identifying the computer.
• E.g. In a Class A Network, the first byte is reserved for the network identifier. The rest is the host identifier.


IP Addresses: Private Addressing

A private IP address is only accessible on the local network. Blocks of IP addresses have been reserved for this purpose. On IPv4 the reserved addresses
are:

10.0.0.0 – 10.255.255.255 : Class A Network
172.16.0.0 – 172.31.255.255 : Class B Network
192.168.0.0 – 192.168.255.255 : Class C Network


IP Addresses: Public Addressing

• A public IP address identifies devices that are connected to a WAN: most commonly routers which connect to the Internet
• The reason we have private and public IP Addresses is because we are running out of IPv4 Addresses
• As a temporary fix, NAT or Network Address Translation was developed. This allows one public IP address to be assigned to a router.
• The router then accepts the data and decides where to send it on the internal network using a private IP address


IP Addresses: Public Addressing

A public IP address identifies devices that are connected to a WAN. Most commonly these devices are routers that are connected to the Internet. On a local
network, each device will have its own private IP address. When they communicate with the Internet, however, if all those devices share one Internet
connection then they will all share the same public IP address.

The reason there is a distinction between private and public IP addresses is simply that we started to run out of public IP addresses. There aren’t enough for
every single computer connected to the Internet to have its own public IP address. To get around that, certain IP addresses were reserved as private IP
addresses. These aren’t addressable over the Internet, but they are addressable over the LAN. Network Address Translation (NAT) is then used to translate
public IP addresses to private IP addresses. This allows multiple computers to share one public IP address, but they can still communicate on the local
network with different private IP addresses. This has allowed the IPv4 address range to stretch farther than it would have originally, but the lack of address
space is still a growing problem which should have been resolved with the implementation of the IPv6 protocol, if it were not for the low adoption rate.


IP Addresses: Netmask

• On IPv4, the netmask tells us which part of the IP address is the network identifier and which part is the host identifier
• As an example, take a network: 10.0.0.0 – 10.255.255.255
• The netmask would be: 255.0.0.0. This indicates the first byte is the network identifier and the rest is the host identifier.
• Can also be written in CIDR notation as shorthand


IP Addresses: Netmask

IP Addresses are split up into two sections: the first section is the network identifier, and the second section is the host identifier. The network identifier
tells us which network the traffic is destined for, and the host identifier tells us which computer on the network the traffic is destined for.

Here’s the confusing part: the size of the network identifier and the size of the host identifier can change depending on the size of the network. To work out
which is which, we have to use the netmask. An IPv4 Address has four bytes, and so does a netmask. In the example of a network, such as 10.0.0.0 –
10.255.255.255, the first byte is the network identifier. The rest is the host identifier. So we write the netmask as: 255.0.0.0. We can also use CIDR
notation to write the netmask in shorthand.


IP Addresses: CIDR (1)

• CIDR Stands for ‘Classless Inter-domain routing’
• It is a shorthand way of writing a netmask
• Take a network: 10.0.0.0 – 10.255.255.255
• The first byte is the network identifier, the other 3 bytes are the host identifier
• 1 byte is 8 bits
• The network can be written as: 10.0.0.0/8
• Colloquially a ‘slash 8’ network


IP Addresses: CIDR (1)

CIDR is a way of representing the netmask in shorthand. Essentially you write a / and then put the number of bits in the network identifier after it. So
for a netmask of 255.0.0.0, the first byte is the network identifier. A byte is 8 bits, and therefore the network is a /8 network.


IP Addresses: CIDR (2)

• Essentially, the number of bits in the network identifier comes after the slash
• Look at some more examples:
• For the network: 172.16.0.0 – 172.31.255.255, the first 12 bits are the network identifier. So in CIDR: 172.16.0.0/12
• For the network: 192.168.0.0 – 192.168.255.255, the first 16 bits are the network identifier. So in CIDR: 192.168.0.0/16


IP Addresses: CIDR (2)

Remember each of the four sections in an IPv4 address is represented by 1 byte or 8 bits. So for example with the IP address: 192.168.0.1, everything
before the first ‘.’ is represented by 8 bits, the next section is 8 bits, the one after that is 8 bits and the final section is also 8 bits. With CIDR, all you’re
doing is saying how many bits form the network identifier.

So for 192.168.0.0/16 all you’re saying is that the first 16 bits are the network identifier. That’s the first two sections of the IPv4 address field (the 192.168).
The rest belongs to the host identifier.


IP Addresses: Broadcast

• A broadcast address is an IP address on a local network reserved for the purpose of ‘broadcasting’ data to every node on the local network
• Usually it will be at the largest possible address in the network
• Data sent there will be sent to all other computers. This is important for ARP which is featured in the next few slides.
• Example of a broadcast address: 10.255.255.255


IP Addresses: Broadcast Address

The broadcast address is an IP address on a local network reserved for ‘broadcasting’ data to every node on that local network. Usually the largest possible
address is reserved for the broadcast address - however this is not always the case.

The broadcast address can be manually changed. When the Switch receives data destined for the broadcast address, it will know to send it to all computers.
Similarly over Wi-Fi, or on a Hub, data will be sent to all connected computers anyway - however those computers that receive data that was destined for
the broadcast address will know not to discard the data packets.
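To make the netmask, CIDR, private-range and broadcast material of the last few slides concrete, here is an added example (not code from the course book). It converts between netmasks and prefix lengths, splits an address into its network and host identifiers, derives the broadcast address by setting every host bit, and checks whether an address falls inside one of the three private ranges listed earlier. All addresses used are the ones quoted on the slides.

```python
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the three blocks from the slides
ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """'192.168.0.1' -> 32-bit integer, rejecting anything that is not four bytes."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_netmask(prefix: int) -> str:
    """/8 -> 255.0.0.0: the first `prefix` bits are ones, the host bits are zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def netmask_to_prefix(netmask: str) -> int:
    """255.240.0.0 -> 12. A valid netmask is a run of ones followed by a run of zeros."""
    mask = ip_to_int(netmask)
    ones = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{netmask} is not a contiguous netmask")
    return ones


def describe(cidr: str) -> dict:
    """Split an address written in CIDR notation into its network and host parts."""
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    ip = ip_to_int(address)
    mask = ip_to_int(prefix_to_netmask(prefix))
    network = ip & mask
    return {
        "netmask": int_to_ip(mask),
        "network_identifier": int_to_ip(network),
        "host_identifier": int_to_ip(ip & ~mask & ALL_ONES),
        "broadcast": int_to_ip(network | (~mask & ALL_ONES)),  # every host bit set
        "host_bits": 32 - prefix,
    }


def in_network(ip: str, cidr: str) -> bool:
    """True when `ip` shares the network identifier of the network written as `cidr`."""
    network, prefix_text = cidr.split("/")
    mask = ip_to_int(prefix_to_netmask(int(prefix_text)))
    return (ip_to_int(ip) & mask) == (ip_to_int(network) & mask)


def same_network(ip_a: str, ip_b: str, netmask: str) -> bool:
    """The 'is B on the same network as A?' test the ARP slides refer to."""
    mask = ip_to_int(netmask)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


def is_private(ip: str) -> bool:
    """True for an address in any of the three reserved private blocks."""
    return any(in_network(ip, block) for block in PRIVATE_RANGES)
```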


MAC Addresses

• A MAC address or ‘Media Access Control’ address is an address which identifies a network interface on a local network
• Also known as a ‘hardware’ address because the address is burned into the network card
• To send data on a local network, both the local IP address and the MAC address must be known
• We use ARP to map IP addresses to MAC addresses


MAC Addresses

A MAC address or ‘Media Access Control’ address is an address that is assigned to a network interface card. Each MAC address is unique to the card and
is physically burned into the card. The MAC address identifies computers on a local network, even more so than IP addresses do. This is because IP
addresses can change, whereas MAC addresses always stay the same. Of course MAC addresses can be spoofed and changed that way, but in the normal
course of operations they should never change.


ARP (1)

• ARP or ‘Address Resolution Protocol’ is a way of mapping IP addresses to MAC addresses on a local network
• Imagine two computers on a local network: 192.168.0.5 (Computer A) and 192.168.0.10 (Computer B)
• Computer A wants to send some data to B. It already knows the IP address, so it now needs to know Computer B’s MAC address
• Computer A first looks at its ARP table, which caches results. If Computer B’s MAC address is not cached in its table, it will send a ‘broadcast’ to the local network asking if anyone knows the MAC address of 192.168.0.10.


ARP (1)

Address Resolution Protocol is a network protocol designed to map IP addresses to MAC addresses on a local network.

If a computer needs to communicate with another on the local network, it will first look in its ARP table to see if it has cached, or stored, the MAC address
for that IP address. If the result hasn’t been cached, then the computer will send an ARP request to the broadcast address of the local network.

Every computer on that local network will get the ARP request asking if anyone knows what the MAC address is for the IP address in question. The
computer at that IP address will send an ARP response packet to the computer that sent the request, informing the computer of its MAC address.

The computer which sent the request will then cache the result in its ARP table for future reference.


ARP (2)

• If any computer has it in their table, or if Computer B gets the broadcast, they can reply with B’s MAC address. Once Computer A has B’s MAC address, A will first store it in its ARP table for future reference. Then it will send the data over.
• The Switch will get the data and look at the IP address and the MAC address. If it can tell by the IP address that B is on the same network, it will use the MAC address to tell it where to send the data.


ARP (2)

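The ARP exchange from these two slides, simulated end to end as an added example (it is not code from the course book). Computers A and B have the addresses from the slide, and a third computer C is included to show what a bystander’s network card sees. The same scenario runs over a Hub, which repeats every frame to every other port, and over a Switch, which learns MAC addresses from the frames it forwards and sends unicast frames only to the matching port. The MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    kind: str                    # "arp-request", "arp-reply" or "data"
    payload: dict = field(default_factory=dict)


class Hub:
    """Repeats every frame to every other attached host, which is also how Wi-Fi behaves."""

    def __init__(self):
        self.hosts = []
        self.deliveries = 0      # frames handed to a network card

    def attach(self, host):
        self.hosts.append(host)

    def send(self, frame):
        for host in self.hosts:
            if host.mac != frame.src_mac:
                self.deliveries += 1
                host.receive(frame)


class Switch(Hub):
    """Learns which host sits behind which MAC and forwards unicast frames to that host alone."""

    def __init__(self):
        super().__init__()
        self.mac_table = {}      # MAC address -> host (the "port" it was seen on)

    def send(self, frame):
        self.mac_table[frame.src_mac] = next(h for h in self.hosts if h.mac == frame.src_mac)
        target = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST_MAC or target is None:
            super().send(frame)  # broadcast or unknown destination: flood like a hub
        else:
            self.deliveries += 1
            target.receive(frame)


class Host:
    def __init__(self, ip, mac, link):
        self.ip, self.mac, self.link = ip, mac, link
        self.arp_table = {}          # IP address -> MAC address cache
        self.frames_seen = 0         # frames that reached this card, wanted or not
        self.received = []           # data payloads addressed to us
        self.arp_requests_sent = 0
        link.attach(self)

    def receive(self, frame):
        self.frames_seen += 1
        if frame.dst_mac not in (self.mac, BROADCAST_MAC):
            return                   # not ours: on a hub the card sees it and must discard it
        if frame.kind == "arp-request":
            if frame.payload["target_ip"] == self.ip:
                reply = Frame(self.mac, frame.src_mac, "arp-reply", {"ip": self.ip, "mac": self.mac})
                self.link.send(reply)
        elif frame.kind == "arp-reply":
            self.arp_table[frame.payload["ip"]] = frame.payload["mac"]
        else:
            self.received.append(frame.payload)

    def resolve(self, ip):
        """Consult the ARP table first; broadcast a request only on a cache miss."""
        if ip not in self.arp_table:
            self.arp_requests_sent += 1
            self.link.send(Frame(self.mac, BROADCAST_MAC, "arp-request", {"target_ip": ip}))
        return self.arp_table.get(ip)

    def send_data(self, ip, payload):
        mac = self.resolve(ip)
        if mac is None:
            raise LookupError(f"no host answered the ARP request for {ip}")
        self.link.send(Frame(self.mac, mac, "data", payload))


def run_scenario(link):
    """Computers A and B from the slides plus a bystander C; A sends B two messages."""
    a = Host("192.168.0.5", "02:00:00:00:00:05", link)
    b = Host("192.168.0.10", "02:00:00:00:00:10", link)
    c = Host("192.168.0.20", "02:00:00:00:00:20", link)
    a.send_data("192.168.0.10", {"text": "hello"})
    a.send_data("192.168.0.10", {"text": "again"})   # cached: no second ARP broadcast
    return a, b, c
```

On the hub C’s card sees every frame and has to discard all of them; on the switch it sees only the one broadcast ARP request.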


DNS (1)

• DNS or ‘Domain Name System’ is a way of discovering IP addresses
• A domain name is just a human readable name which corresponds to an IP address
• You don’t want to search on google by typing: 216.58.213.142 into your browser
• Instead you type in google.com
• Your computer performs a DNS lookup to the DNS server you have set on your computer


DNS (1)

DNS or Domain Name System is a way of mapping IP addresses to more memorable domains (such as google.com). The Internet would be almost
unusable if everyone had to remember numbers to navigate their way around. It would be even worse with IPv6. This is where DNS comes in. DNS allows
us to translate domain names into IP addresses, and IP addresses into domain names.

When you enter google.com into your browser, your computer looks at the DNS server assigned to your computer in the network configuration. It sends a
DNS query to that server asking for the IP address of google.com. If the query is cached, the DNS server will respond. If it isn’t cached, the DNS server
will need to look it up. It will first query the Top Level Domain of the domain name. This is the bit that comes after the final ‘.’ such as ‘.com’. It will look
at the DNS servers that are authoritative for ‘.com’. Those domain name servers will respond with the IP address of the domain name servers that are
authoritative for google.com. Then another DNS query will be sent to the google.com DNS servers which will respond with the IP address for google.com.

DNS is a very robust system designed to account for constant change in the structure of the Internet. Although it seems like there are a lot of queries just to
get to a single IP address, it is designed like this so that the loss of any one DNS server will not affect large swathes of the Internet.


DNS (2)

• Your DNS server receives the query and breaks down the domain
name. Google.com ends in ‘.com’ so it looks at the DNS servers for
.com (The Top Level Domain or TLD servers).
• The DNS server for the TLD will return back the IP address of the
DNS server for google.com
• The next query will be sent to the domain’s DNS server, which will
respond back with the IP address
• Your browser will now know which IP address to send the request
for the web page to


DNS (2)

When your DNS server receives a query for a particular domain (take google.com for example), it first breaks down the domain into two parts. Everything
after the ‘.’ is the TLD or Top Level Domain. In our example of google.com the TLD is .com.

Your DNS server will then query the DNS servers that are authoritative for the ‘com’ TLD, asking for ‘google.com’. The ‘com’ DNS servers will respond
with the IP addresses of the authoritative DNS servers for google.com. Then your DNS server will query those DNS servers asking for ‘google.com’ and
they will respond with the IP address of google.com.


DNS: Reverse Lookup

• The previous example is known as a ‘forward lookup’. You know the domain name, and you want to find out the IP address.
• It is also possible to perform a ‘reverse lookup’, where you know the IP address, but want to find the domain name
• This uses a pointer record where the IP address is added to the domain ‘.in-addr.arpa’. E.g. 216.58.213.142.in-addr.arpa
• The DNS record is set up to point to the domain name. E.g. google.com
• Since the IP address is known, a DNS query can be made against 216.58.213.142.in-addr.arpa to find the domain name


DNS: Reverse Lookup

Thus far, we have looked at how a ‘forward lookup’ works. That is, translating a domain name into an IP address. We can also perform a ‘reverse lookup’,
which is the process of translating an IP address into a domain name. Doing this requires a pointer record to have been set up. This involves adding a DNS
record of the IP address and adding ‘.in-addr.arpa’ to the end of it. This makes a domain name of a sort. The pointer record should point to the domain
name that belongs to the IP address.

By doing this, reverse lookups become possible - because if you know an IP address you can simply add ‘.in-addr.arpa’ to the end of it, and look up the
DNS record to find the domain name that the IP address belongs to.
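An added example (not the course book’s code) that walks a query through the delegation chain described over the last three slides: the resolver starts at a root server, is referred to the servers for the TLD, is referred again to the domain’s own servers, and caches the answer so that a repeat query generates no further traffic. The server names are made up and the delegation tree is simplified to one server per zone; the IP address is the one quoted on the slides. ptr_name() builds the reverse-lookup name and, as the in-addr.arpa convention requires (RFC 1035), writes the octets in reverse order, so 216.58.213.142 becomes 142.213.58.216.in-addr.arpa.

```python
from dataclasses import dataclass


@dataclass
class Referral:
    """'Not my zone, but these servers are authoritative for `zone`.'"""
    zone: str
    servers: list


@dataclass
class Record:
    rtype: str      # "A" (name -> address) or "PTR" (reverse name -> domain)
    value: str


class NameServer:
    """One authoritative server: `data` maps a name to a Record or to a Referral."""

    def __init__(self, name, data):
        self.name = name
        self.data = data
        self.queries = 0

    def query(self, qname):
        self.queries += 1
        labels = qname.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            entry = self.data.get(suffix)
            if isinstance(entry, Record) and i == 0:
                return entry              # exact answer for this name
            if isinstance(entry, Referral):
                return entry              # closest enclosing zone we have delegated
        return None                       # no such name here


class Resolver:
    """'Your DNS server' from the notes: iterates root -> TLD -> authoritative and caches."""

    def __init__(self, root_servers):
        self.root_servers = root_servers
        self.cache = {}
        self.trace = []

    def lookup(self, qname, max_referrals=8):
        if qname in self.cache:
            self.trace.append(f"{qname}: answered from cache")
            return self.cache[qname]
        servers = self.root_servers
        for _ in range(max_referrals):
            server = servers[0]           # a real resolver picks one of several; we take the first
            reply = server.query(qname)
            self.trace.append(f"asked {server.name} about {qname}")
            if isinstance(reply, Record):
                self.cache[qname] = reply.value
                return reply.value
            if reply is None:
                return None               # the authoritative server has no such name
            servers = reply.servers       # follow the referral one level down the tree
        raise RuntimeError(f"too many referrals while resolving {qname}")


def ptr_name(ipv4):
    """Build the reverse-lookup name; the octets are reversed, per RFC 1035."""
    octets = ipv4.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_internet():
    """Constructed sample tree; only the IP address comes from the slides."""
    google_ns = NameServer("ns1.google.example", {"google.com": Record("A", "216.58.213.142")})
    inaddr_ns = NameServer("inaddr.example", {ptr_name("216.58.213.142"): Record("PTR", "google.com")})
    com_ns = NameServer("a.gtld.example", {"google.com": Referral("google.com", [google_ns])})
    arpa_ns = NameServer("arpa.example", {"in-addr.arpa": Referral("in-addr.arpa", [inaddr_ns])})
    root_ns = NameServer("root.example", {"com": Referral("com", [com_ns]),
                                          "arpa": Referral("arpa", [arpa_ns])})
    return Resolver([root_ns]), root_ns, com_ns, google_ns
```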


DHCP

• DHCP stands for Dynamic Host Configuration Protocol
• It is a protocol which allows computers to automatically configure network settings upon joining a network
• It requires a DHCP server to be running on the network. Usually the Switch handles it
• The DHCP server has a pool of IP addresses it can lease to clients that join the network
• The DHCP lease will expire periodically and a new IP address may be given to clients on the network when it does
• DHCP will configure the IP address, netmask, gateway address and DNS server settings for clients on the network automatically

DHCP

DHCP or Dynamic Host Configuration Protocol is a network protocol which can allow computers that join the network to automatically configure their
network settings upon joining a network. The way it works is the DHCP server has a pool of IP addresses it can lease to clients joining the network. Once it
leases an IP address to a client it removes it from the pool to avoid IP address conflicts. Each IP address assigned is leased and set to expire after a set
duration. Once the lease expires, the client may be given a different IP address. The DHCP server will automatically configure a client’s IP address,
netmask, gateway address and DNS servers.

Be careful of ‘rogue’ DHCP servers, which is where there is more than one DHCP server running on a network by mistake. In this case, there will be two
pools of IP addresses and they won’t be in sync - so you may start to get IP address collisions.

The opposite of DHCP is when you configure the network settings of a client yourself. This may be more convenient in some circumstances, particularly
where you are dealing with servers which always need to have the same IP address. Just make sure you don’t assign an IP address that is part of your
DHCP pool, otherwise you may start to see IP address collisions.


Packets (1)

• A unit of data that is sent over a network
• Made up of the ‘header’ and the ‘payload’
• The header contains control information such as the source address and destination address of that packet
• The payload contains the data that is being transmitted


Packets (1)

We’ve talked a lot about sending ‘data’ so far. Data is transmitted as ‘packets’ over a network. Packets tend to be small, so most data is broken up into
chunks in preparation for transmission over the network. Each data packet contains a ‘header’ and a ‘payload’. The header describes the packet, where it
has come from, where it’s going, how far it can go before it expires, the sequence number if the data was split up - that sort of thing. The payload is the
data that is sent in the packet.


Protocols

• A Protocol is a set of rules for communication
• The English language is a protocol
• An example of a Network Layer protocol is ‘TCP’ or ‘Transmission Control Protocol’
• In the TCP protocol, to establish a session between computers first the sender must contact the receiver to communicate that it wants to establish a connection
• The receiver confirms, then the sender confirms. After that the session is established and data can be sent
• More on this later on…

Protocols

A protocol is a defined set of rules for communication. Just as with people, computers need to speak the same language before they can
communicate. We can use TCP as an example.

TCP stands for ‘Transmission Control Protocol’, which is a network layer protocol. In TCP, the computer initiating the connection contacts the receiver
and sends a SYN (synchronise) packet which indicates it wants to establish a connection. The receiving computer receives the SYN packet and responds
with a SYN ACK (synchronise-acknowledge) packet.

The sender then responds with an ACK (acknowledge) packet and the session is then established. Data is sent, and when the connection is to be terminated
one side will send a FIN (finish) packet. The other side will then send a FIN ACK in response, and finally the sender will send an ACK and the connection
will be closed. This is the ‘language’ of TCP.
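An added example, not from the course book, that tracks the SYN, SYN ACK, ACK handshake and the FIN, FIN ACK, ACK teardown described above across a constructed list of captured segments, the way a monitoring tool would: each connection is carried through a small state machine, half-open connections (a SYN that never completed) are reported, and segments that do not fit the expected sequence are flagged. The capture format, addresses and ports are constructed; because real stacks set ACK on almost every segment after the first, a pure ACK is tolerated during teardown.

```python
import re
from collections import defaultdict

# Constructed capture format: "src_ip:port -> dst_ip:port [flags]" with flags drawn from S A F P R.
SEGMENT = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) \[([SAFPR]*)\]$")

# Constructed sample: one complete session, two handshakes that never finished,
# and one stray ACK for a connection nobody opened.
SAMPLE_CAPTURE = """\
192.168.0.5:51000 -> 192.168.0.10:80 [S]
192.168.0.10:80 -> 192.168.0.5:51000 [SA]
192.168.0.5:51000 -> 192.168.0.10:80 [A]
192.168.0.5:51000 -> 192.168.0.10:80 [PA]
192.168.0.10:80 -> 192.168.0.5:51000 [PA]
192.168.0.5:51000 -> 192.168.0.10:80 [F]
192.168.0.10:80 -> 192.168.0.5:51000 [FA]
192.168.0.5:51000 -> 192.168.0.10:80 [A]
192.168.0.5:51001 -> 192.168.0.10:25 [S]
192.168.0.5:51002 -> 192.168.0.10:443 [S]
192.168.0.10:443 -> 192.168.0.5:51002 [SA]
192.168.0.7:40000 -> 192.168.0.10:80 [A]
"""


def parse_segment(line):
    match = SEGMENT.match(line.strip())
    if not match:
        raise ValueError(f"unparseable segment: {line!r}")
    src_ip, src_port, dst_ip, dst_port, flags = match.groups()
    return (src_ip, int(src_port)), (dst_ip, int(dst_port)), set(flags)


def track(lines):
    """Run every segment through the handshake and teardown state machine."""
    conns = {}        # frozenset({endpoint, endpoint}) -> connection record
    anomalies = []
    for line in lines:
        try:
            src, dst, flags = parse_segment(line)
        except ValueError as exc:
            anomalies.append(str(exc))
            continue
        key = frozenset((src, dst))
        conn = conns.get(key)
        if conn is None:
            if flags == {"S"}:   # only a bare SYN from the initiator opens a connection
                conns[key] = {"client": src, "server": dst, "state": "SYN_SENT", "closer": None}
            else:
                anomalies.append(f"{line}: segment for unknown connection")
            continue
        state = conn["state"]
        if "R" in flags:
            conn["state"] = "RESET"
        elif state == "SYN_SENT" and src == conn["server"] and flags == {"S", "A"}:
            conn["state"] = "SYN_ACKED"          # the receiver confirms
        elif state == "SYN_ACKED" and src == conn["client"] and flags == {"A"}:
            conn["state"] = "ESTABLISHED"        # the sender confirms: session established
        elif state == "ESTABLISHED" and "F" in flags:
            conn["state"], conn["closer"] = "FIN_SENT", src
        elif state == "ESTABLISHED" and "S" not in flags:
            pass                                 # ordinary data and acknowledgements
        elif state == "FIN_SENT" and src != conn["closer"] and flags >= {"F", "A"}:
            conn["state"] = "FIN_ACKED"
        elif state == "FIN_SENT" and flags == {"A"}:
            pass                                 # FIN acknowledged ahead of the FIN ACK
        elif state == "FIN_ACKED" and src == conn["closer"] and flags == {"A"}:
            conn["state"] = "CLOSED"
        else:
            anomalies.append(f"{line}: unexpected flags {''.join(sorted(flags))} in state {state}")
    return conns, anomalies


def summarise(conns):
    """Count connections per final state."""
    counts = defaultdict(int)
    for conn in conns.values():
        counts[conn["state"]] += 1
    return dict(counts)


def half_open(conns):
    """Connections whose handshake started but never completed."""
    out = []
    for conn in conns.values():
        if conn["state"] in ("SYN_SENT", "SYN_ACKED"):
            (cip, cport), (sip, sport) = conn["client"], conn["server"]
            out.append(f"{cip}:{cport} -> {sip}:{sport}")
    return sorted(out)
```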


Ports (1)

• A Port is a number which corresponds to a communications channel
• Ports separate network communication so there is no confusion as to what data is meant for what application
• If an application is ‘listening’ on a port, that means it is accepting data sent only to that port
• Only one application can listen on a specific port at a time
• Available ports range from 1 – 65535


Ports (1)

A port is essentially a communications channel. Each channel is numbered, and no two applications can listen on the same port. Ports are used to separate
out network traffic destined for separate applications that are running on a computer. For example, you may have a web server and a VMware server
running on the same computer. The web server will accept traffic coming in on ports 80 and 443 – meanwhile, the mail server may accept incoming
connections on port 25. It would be confusing if a web server was receiving traffic meant for the e-mail server and vice versa, which is why ports are so
important. They separate out traffic, so that only the application that needs that data will receive it.

Often the notation: 127.0.0.1:80 is used to write port numbers. The first part is the IP address, the colon separates the IP address from the port number, and
finally there is the port number.


Ports (2)

• Some common ports:
• Port 21 – File Transfer Protocol (FTP)
• Port 25 – Simple Mail Transfer Protocol (SMTP)
• Port 80 – Hypertext Transfer Protocol (HTTP)
• Port 443 – Hypertext Transfer Protocol Secure (HTTPS)


Ports (2)

Here are some common ports:

• Port 21 – File Transfer Protocol (FTP)
• Port 25 – Simple Mail Transfer Protocol (SMTP)
• Port 80 – Hypertext Transfer Protocol (HTTP)
• Port 443 – Hypertext Transfer Protocol Secure (HTTPS)

Of course, those are just the ports that are used by default. In many applications you can customise the port that the application listens to. For example, it is
common practice to run a webserver on port 8080, if you already have one on port 80 on the same computer.


Packets (2)

• In packets, the two most commonly used Transport Layer protocols are:
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
• There are other protocols but we will focus on these in particular…


Packets (2)

In packets, the two most commonly used Transport Layer protocols are TCP (Transmission Control Protocol), and UDP (User Datagram Protocol). There
are other protocols, but our focus will be primarily on these two.


TCP/IP Model (1)

• Similar to the OSI Model with some minor differences
• Not just for TCP or IP: applies to all communications protocols used on the Internet
• Called the TCP/IP model after the first two protocols defined during its development
• Some layers in the OSI model have been merged into one layer
• The layers perform the same functions but are combined


TCP/IP Model (1)

The TCP/IP model is similar to the OSI model. It’s actually not just for TCP or IP: it also applies to other communications protocols. It’s only called
TCP/IP because those were the first two protocols defined using it when the model was developed. It contains the same basic elements as the OSI model,
but some of the layers have been combined.


TCP/IP Model (2)


TCP/IP Model (2)

Here we can see that the TCP/IP model has merged the responsibilities of the Application, Presentation and Session layers into the Application layer.
Similarly, the Data Link Layer and Physical Layer have been merged into the Network Access Layer. The functions they perform at every stage remain the
same; it’s just that they have been grouped together.


Application Layer Protocols

• Application Layer Protocols deal with the format the payload data
of a packet will be in so it can be understood by the recipient
application
• Examples of Application Layer Protocols:
• HTTP
• DNS
• SMTP
• SMB


Application Layer Protocols

At the application layer we are dealing with the contents of the data packet and not any of the headers. At the application layer, the data sent in the packet
payload needs to be in the correct format to be understood by the application on the receiving end. This format is usually called the Application Layer
Protocol. Examples of that would be HTTP, DNS, SMTP, SMB or FTP.


Transport Layer Protocols

• Transport Layer Protocols provide host to host communication services for the Application Layer
• This may (but not always, depending on the protocol) include services such as reliability, error-checking, flow control, same-order delivery, etc.
• We’ll look at some of these protocols in depth now…


Transport Layer Protocols

The transport layer protocol is the protocol that deals with how two computers communicate. Depending on the protocol, this can involve reliability
checking, error checking, flow control, same order delivery and various other features. Examples of transport layer protocols include TCP and UDP.


TCP Protocol

• The TCP Protocol is a protocol which allows for reliable delivery of data across a network
• TCP Packets are error-checked and re-transmitted if the validation fails
• TCP Packets are ordered and can be re-assembled into the correct order by the recipient
• TCP Packets are numbered according to a sequence, so the recipient can tell if a packet failed to reach its destination and can request the packet be re-sent


TCP Protocol

The TCP protocol is a protocol that allows for reliable delivery of data across a network. Some of the main features of the TCP protocol include:

Error checking – TCP packets are checked for errors that were introduced into the packet during transmission. If the error-checking fails it indicates the
data packet was corrupted in transit and needs to be re-transmitted.

Ordering – TCP packets are ordered so that they can be re-assembled in the correct order by the recipient.

Re-delivery – TCP packets are numbered according to a sequence. If one packet is missing because it was dropped in transit, then the recipient knows and
will ask for that particular packet to be re-transmitted.

All in all, the TCP protocol is a reliable communications method in that it makes sure that all the data gets to the destination. However, all these features
mean the protocol itself has a high overhead and is considered relatively slow – and so not appropriate for all applications.

Take video chat for example: With video chat, frames in the video are transmitted over the Internet. Each frame is a still image and each image is played on
the monitor at a fast rate, typically more than 30 frames per second. This gives the impression of a moving picture. The TCP protocol is not a good fit for
this kind of application. First of all, TCP is quite a slow protocol, so those with a slower connection will notice much more latency than they would if the
video chat application communicated over UDP, but the main reason is that re-transmission is unnecessary. In TCP, if a few packets were to drop, then
everything would pause until those packets could be re-transmitted. In a video chat application, dropped packets mean dropped frames. Would you notice
if 2 frames out of 30 were dropped from the video? Unlikely. Would you want the video to pause until those two frames could be re-transmitted when you
wouldn’t even notice if they weren’t there? It wouldn’t be a very good design choice.


TCP Header


TCP Header

Here we have the TCP header. The header is added to the payload from the application layer. This is known as encapsulation.

Notice that there is no destination IP address here: addressing is handled at the network layer, not in the TCP header.

However, everything here is related to some function of the TCP protocol.

• Source Port – Which port sent the data. This is usually picked at random for the sender from a range of available ports. These are usually known as
‘ephemeral’ ports.
• Destination Port – Which port the data is going to.
• Sequence Number – When the first SYN is sent, a random sequence number is generated. When it receives a SYN-ACK in response, the sequence
number will be the same as it was when the SYN was sent.
• Acknowledgement Number – This value is the sequence number incremented by 1. It indicates that the first SYN was received and that the
recipient knows the sequence number to establish the connection.
• Header Length – The size of the TCP header.
• TCP Flags – These flags are used to determine what type of TCP packet is being sent. For example, SYN, SYN-ACK, FIN, RST, etc.
• Window Size – Window Size is used in flow control to make sure that the number of packets doesn’t overwhelm the network or the recipient.
• TCP Checksum – The checksum is used to validate whether the data was corrupted in transit. If the checksum fails then the packet must be retransmitted.
• Urgent Pointer – A pointer that can be used to mark a section of data in the packet’s payload as urgent.
• TCP Options – Other TCP options can be set here, but we won’t be going into them.
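As an added example (this code is not part of the course material), the following Python packs a 20-byte TCP header with the struct module and decodes the fields listed above, including the individual flag bits. The sample SYN segment is constructed for this example; the ephemeral port 49152 and the sequence number 55 are assumptions chosen to match the handshake slide that follows.

```python
import struct

# Flag bits in the low 9 bits of the TCP "data offset / reserved / flags" word
# (the RFC 793 flags plus the ECE/CWR bits from RFC 3168 and the NS bit from RFC 3540).
TCP_FLAGS = {0x001: "FIN", 0x002: "SYN", 0x004: "RST", 0x008: "PSH",
             0x010: "ACK", 0x020: "URG", 0x040: "ECE", 0x080: "CWR", 0x100: "NS"}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, checksum=0, urgent=0):
    """Pack a 20-byte TCP header with no options (data offset = 5 x 32-bit words).
    The checksum is stored as given; a real stack computes it over a pseudo-header."""
    data_offset = 5
    off_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, checksum, urgent)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header fields from a raw segment (header + optional payload)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4          # Header Length field, converted to bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"data offset {header_len} is not a plausible header length")
    flag_bits = off_flags & 0x1FF
    return {
        "src_port": src_port,                    # usually an ephemeral port on the client
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": header_len,
        "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flag_bits & bit],
        "window": window,
        "checksum": checksum,
        "urgent_ptr": urgent,
        "options": segment[20:header_len],       # empty when header_len == 20
        "payload": segment[header_len:],
    }


# Constructed sample: the SYN a client might send from ephemeral port 49152 (assumed)
# to a web server on port 80, using sequence number 55 as on the handshake slide.
SAMPLE_SYN = build_tcp_header(src_port=49152, dst_port=80, seq=55, ack=0, flags=0x002)

if __name__ == "__main__":
    for field, value in parse_tcp_header(SAMPLE_SYN).items():
        print(f"{field:>11}: {value}")
```

The data offset check matters in practice: a header length below 20 bytes or beyond the end of the segment is malformed, and a parser that trusts it will slice the wrong bytes as options and payload.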


TCP Handshake

SYN: seq = 55

SYN-ACK: ack = 56, seq = 111

ACK: ack = 112, seq = 56


TCP Handshake

This is an example of a TCP handshake for setting up a connection between two computers.

The client sends a SYN packet to the server. The sequence number is randomly generated. Let’s use 42 for our example.

The server then responds with a SYN-ACK packet. The sequence number stays the same, in this case 42. The acknowledge number will be 42 + 1 = 43.

The client then responds with an ACK packet, incrementing the sequence number. So the sequence number will be 43 and the acknowledgement number
will also be 43.

After that, the connection is considered to be established and data can be sent.
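The exchange above, as an added Python model that is not part of the course material. It follows the numbers on the slide diagram (client ISN 55, server ISN 111): each side keeps the next sequence number it will send and the next one it expects, a SYN consumes one sequence number, and each side checks that the acknowledgement it receives matches what it actually sent before moving to ESTABLISHED. The endpoint class and its field names are this example’s own.

```python
import random

SEQ_MOD = 2 ** 32   # sequence numbers are 32-bit and wrap around


class TcpEndpoint:
    """One side of a TCP connection, reduced to the sequence/acknowledgement bookkeeping."""

    def __init__(self, name, isn=None):
        self.name = name
        # Initial Sequence Number: random in real stacks; fixed here only to reproduce the slide.
        self.snd_nxt = random.randrange(SEQ_MOD) if isn is None else isn   # next seq we will send
        self.rcv_nxt = None                                                 # next seq we expect = our ack
        self.state = "CLOSED"


def three_way_handshake(client, server):
    """Run SYN, SYN-ACK, ACK between two endpoints and return the three packets sent."""
    trace = []
    # 1. SYN: the client announces its ISN. A SYN occupies one sequence number.
    syn = {"from": client.name, "flags": "SYN", "seq": client.snd_nxt}
    client.snd_nxt = (client.snd_nxt + 1) % SEQ_MOD
    client.state = "SYN-SENT"
    trace.append(syn)
    # 2. SYN-ACK: the server picks its own ISN and acknowledges the client's ISN + 1.
    server.rcv_nxt = (syn["seq"] + 1) % SEQ_MOD
    synack = {"from": server.name, "flags": "SYN-ACK", "seq": server.snd_nxt, "ack": server.rcv_nxt}
    server.snd_nxt = (server.snd_nxt + 1) % SEQ_MOD
    server.state = "SYN-RECEIVED"
    trace.append(synack)
    # 3. ACK: the client checks the ack matches what it sent, then acknowledges the server ISN + 1.
    if synack["ack"] != client.snd_nxt:
        raise ValueError("SYN-ACK acknowledges a sequence number the client never sent")
    client.rcv_nxt = (synack["seq"] + 1) % SEQ_MOD
    ack = {"from": client.name, "flags": "ACK", "seq": client.snd_nxt, "ack": client.rcv_nxt}
    client.state = "ESTABLISHED"
    trace.append(ack)
    # The server applies the same check before it considers the connection open.
    if ack["ack"] != server.snd_nxt:
        raise ValueError("ACK does not match the server's sequence number")
    server.state = "ESTABLISHED"
    return trace


def handshake_from_slide():
    """Reproduce the slide: client ISN 55, server ISN 111."""
    client, server = TcpEndpoint("client", isn=55), TcpEndpoint("server", isn=111)
    return three_way_handshake(client, server), client.state, server.state


if __name__ == "__main__":
    for packet in handshake_from_slide()[0]:
        print(packet)
```

Running it prints SYN seq 55, SYN-ACK seq 111 ack 56 and ACK seq 56 ack 112, exactly the three lines on the slide. The two `ValueError` checks are the reason the acknowledgement numbers exist: a packet whose ack does not line up with the sequence numbers really in use is discarded rather than trusted.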


TCP Teardown


TCP Teardown

The teardown is the opposite of the handshake. It’s used for closing a connection. Here the client sends a FIN packet to the server to initiate the teardown
procedure. The server responds with a FIN-ACK. The client responds with an ACK, and the connection is considered to be terminated.


TCP Reset

• If there is a problem with the connection, then the connection may not be torn down gracefully
• In this instance a RST or Reset packet is sent which terminates the connection immediately
• This can happen if a port is closed and you are trying to connect to it;
• Or if the connection is tearing down gracefully but an ACK is lost
• There are many other occasions when the connection can be forcefully closed


TCP Reset

The TCP Reset packet is used to forcefully tear down a connection from one side. This usually happens if there’s a problem with the connection. Either side
can send an RST packet to end the connection immediately.


UDP Protocol

• The UDP Protocol is a connection-less protocol which prioritises speed over reliability
• No error-checking
• Packets that don’t reach the destination are ignored, no re-transmission occurs
• Best for real-time applications such as video streaming where one missing frame is not noticed, and re-transmission doesn’t make sense
• Imagine waiting for one video frame to be re-transmitted in a video chat!


UDP Protocol

The UDP protocol is a connection-less protocol which prioritises speed over reliability. This means that there is no handshake or teardown procedure. There is
a checksum, but if it fails then there is no request for re-transmission. Essentially, there is no guarantee that UDP packets will ever get to their destination.

UDP is the preferred protocol for applications where speed is the priority over reliability. Such applications include things like video chat, where a dropped
packet means a skipped frame on the video but there is no time to re-transmit it.


UDP Header


UDP Header

Here we have a UDP header. Again, note that there is no destination IP address: addressing is handled at the network layer, not here.

There is a UDP checksum, which is used to determine if a packet was corrupted in transit or not – though such packets are only discarded and not re-
transmitted.

Note also that there are no sequence numbers or acknowledgement numbers. That is because there is no sequence: UDP does not re-order packets or check
for dropped packets, so sequence numbers are not necessary.


Ports (3)

• Given the differences between TCP protocols and UDP protocols, each computer actually has two sets of port ranges
• There are 1 – 65535 TCP ports
• Also 1 – 65535 UDP ports
• You can have one application listening on TCP Port 80 and also one application listening on UDP Port 80
• Despite having the same number, the two ports are separate


Ports (3)

TCP and UDP ports are separate from each other. You can have an application listening on TCP port 80, and a different application listening on UDP port
80 without a clash.
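You can check this on your own machine. The following Python is an added example, not course code: it asks the operating system for a free TCP port on the loopback address, binds a UDP socket to the same port number (which succeeds because UDP ports are a separate set), and then shows that a second TCP socket cannot take that number (the OS refuses with an address-in-use error). It assumes loopback networking is available and that no other program grabs the port in between.

```python
import socket


def tcp_and_udp_ports_are_separate(host="127.0.0.1"):
    """Demonstrate that TCP and UDP port numbers live in separate namespaces.

    Returns (port, udp_bound_to_same_number, second_tcp_bind_refused)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp.bind((host, 0))                  # port 0 asks the OS for any free TCP port
        port = tcp.getsockname()[1]          # the (ephemeral) number it handed us
        udp.bind((host, port))               # same number, different (UDP) port space: succeeds
        udp_bound = udp.getsockname()[1] == port
        try:
            tcp2.bind((host, port))          # same number in the same (TCP) space: refused
            second_tcp_refused = False
        except OSError:                      # EADDRINUSE on every mainstream OS
            second_tcp_refused = True
        return port, udp_bound, second_tcp_refused
    finally:
        for sock in (tcp, udp, tcp2):
            sock.close()


if __name__ == "__main__":
    port, udp_ok, tcp_clash = tcp_and_udp_ports_are_separate()
    print(f"TCP {port} bound; UDP {port} also bound: {udp_ok}; second TCP bind refused: {tcp_clash}")
```

This is also why a port scan or a firewall rule has to say which transport it means: "port 53 open" is two different questions for TCP and UDP.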


Internet Layer

• Internet Layer Protocols are responsible for transmission of data packets across network boundaries
• Determines the next ‘hop’ on the route to the final destination
• Accepts incoming packets and passes them to the Transport Layer
• An example of an Internet Layer Protocol is Internet Protocol
• Another example would be ICMP
• There are others, but we will only cover these two


Internet Layer

At the Internet layer, protocols deal with transmission of data packets across network boundaries. That usually means from the local network out onto the
Internet. The Internet layer is responsible for determining the next ‘hop’ on the route to the packet’s destination.


Internet Protocol

• The Internet protocol header is added after the transport protocol header
• You may have noticed when we were looking at the Transport Layer protocols that they didn’t have anything about IP Addresses
• Let’s look at the headers for IPv4 and IPv6 and how they combine with Transport Layer Protocols


Internet Protocol

The Internet protocol layer is the part of the header that deals with IP addresses. You likely noticed that in the Transport Layer there were no fields for a
source or destination IP address. That is because the layer that handles that is the Internet Layer. IPv4 has its own header, and IPv6 similarly has its own
header.


IPv4 Header


IPv4 Header

The IPv4 header is responsible for getting the packet to the final destination. Let’s go through some of the fields here:

• Version – Whether the header is for an IPv4 packet or an IPv6 packet. It’s IPv4 if the value in the Version field is ‘4’.
• IHL – Internet Header Length. An IPv4 header is of variable length depending on what options are set, so the header length has to be given
here. The minimum is 20 bytes, the maximum is 60 bytes.
• Total Length – This field defines the entire packet size, including the network layer header and the payload data.
• Identification – When a packet grows too large it is split up or ‘fragmented’ into separate packets. Each of those fragments will carry the
same identification value so the receiving computer knows they were originally one packet.
• Flags – These flags are used to control fragmentation. Usually no flags are set, but if the DF (Don’t Fragment) flag is set then the packet can’t be
fragmented, and if it can’t be sent without being fragmented then the packet is dropped instead. The MF (More Fragments) flag on the other hand
indicates that the packet has been fragmented and that more fragments are to follow. All fragments have the MF flag set except for the
last one.
• Fragment Offset – This specifies where in the original packet the data in a fragment was located. This is needed when the fragments
are re-assembled.
• Time To Live (TTL) – The TTL is the number of hops the packet has left before it expires. The TTL is decremented at every hop. This prevents
transmission loops where data packets keep going endlessly.
• Protocol – The protocol of the header that follows the IP header. For example, TCP, UDP, OSPF, etc.
• Header Checksum – This is used for error checking of the packet’s header.
• Source Address – The IP address of the sender.
• Destination Address – The destination IP address.
• Options – Not frequently used, but if options are present you must update the IHL field accordingly.


IPv6 Header


IPv6 Header

Similar to the IPv4 header, but it has a fixed length this time. It has also been greatly simplified.

• Version – The version of the IP protocol being used. For IPv6 it’s 6 (surprise!).
• Payload Length – The length of the payload including any other headers such as TCP headers.
• Next Header – Specifies the type of the next header. This is usually a protocol such as TCP.
• Hop Limit – Like the TTL from IPv4, it indicates how many hops are left before the packet expires.
• Source Address – The IP address the packet came from.
• Destination Address – The IP address the packet is going to.


ICMP

• Internet Control Messaging Protocol (ICMP) is used to send messages about errors in Internet Protocol operations
• Can be confusing as although it is considered an Internet Layer protocol it is used in conjunction with Internet Protocol
• A ping packet is typically (but not always) an ICMP packet. Specifically an ICMP Echo Request.


ICMP

The ICMP protocol is classified as an Internet layer protocol, but it must be used together with the Internet Protocol. It is used to send messages about
errors in Internet Protocol operations.

We most typically see ICMP being used in ping packets. A ping packet is an ICMP Echo Request, which is used to judge whether a host is online or offline.


ICMP Header

• Note that there is no source or destination IP information here
• It is necessary to use it in conjunction with the Internet Protocol


ICMP Header

Here we have an example of an ICMP header. Notice there is no IP information here. Although it’s also an Internet layer protocol, it still must be used with
Internet Protocol. Let’s go through some of the fields.

• Type – The type of ICMP control message to send (see below for the list).
• Code – The subtype of ICMP control message to send (see below for the list).
• Checksum – Error checking.
• Rest of Header – Varies depending on the type and code of the ICMP packet.

Here are a few ICMP packet types and codes:

Type 0 Code 0 – Echo Response
Type 3 Code 0 – Destination Network Unreachable
Type 3 Code 1 – Destination Host Unreachable
Type 8 Code 0 – Echo Request
Type 11 Code 0 – TTL Expired in Transit
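The IPv4 header fields described earlier and the ICMP header above fit together in one packet, so the following added Python example (not course code) builds both: an ICMP Echo Request wrapped in a minimal 20-byte IPv4 header, with the RFC 1071 checksum that both headers use. It parses the fields back, verifies the checksums, looks up the type/code names from the table above, and models what a router does at each hop (decrement the TTL, recompute the header checksum, and give up when the TTL would reach zero, which is when a Type 11 Code 0 message is generated). The addresses 10.0.0.1 and 10.0.0.2, the identifier 0x4242 and the payload text are constructed placeholders.

```python
import socket
import struct

IPPROTO_ICMP = 1          # value of the IPv4 Protocol field for ICMP
IPV4_DF = 0x4000          # Don't Fragment bit in the flags/fragment-offset word
IPV4_MF = 0x2000          # More Fragments bit

# (type, code) -> name, as listed on the slide
ICMP_TYPES = {(0, 0): "Echo Response", (3, 0): "Destination Network Unreachable",
              (3, 1): "Destination Host Unreachable", (8, 0): "Echo Request",
              (11, 0): "TTL Expired in Transit"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 header and ICMP.
    Running it over data that already contains a correct checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                         # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, Code 0. For echo messages the 'rest of header' is identifier + sequence."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(header + payload), ident, seq) + payload


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234, dont_fragment: bool = True) -> bytes:
    """Minimal IPv4 header (IHL = 5, no options) with a correct Header Checksum."""
    flags_frag = IPV4_DF if dont_fragment else 0           # fragment offset 0
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, flags_frag, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4(packet: bytes) -> dict:
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, protocol,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & IPV4_DF), "mf": bool(flags_frag & IPV4_MF),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,       # the field counts 8-byte units
        "ttl": ttl, "protocol": protocol,
        "header_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": packet[20:ihl], "payload": packet[ihl:total_len],
    }


def parse_icmp(data: bytes) -> dict:
    """Decode the common 8-byte ICMP header (the last two fields are echo-specific)."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get((icmp_type, code), "other"),
            "checksum_ok": inet_checksum(data) == 0,
            "identifier": ident, "sequence": seq, "data": data[8:]}


def forward_hop(packet: bytes):
    """Model one router hop: decrement the TTL and recompute the header checksum.
    Returns None when the TTL would expire (the router then sends Type 11 Code 0)."""
    info = parse_ipv4(packet)
    if info["ttl"] <= 1:
        return None
    header = bytearray(packet[:info["ihl"]])
    header[8] -= 1                                           # TTL is byte 8
    header[10:12] = b"\x00\x00"                              # zero the checksum, then recompute
    header[10:12] = struct.pack("!H", inet_checksum(bytes(header)))
    return bytes(header) + packet[info["ihl"]:]


# Constructed sample: a ping from 10.0.0.1 to 10.0.0.2 (placeholder addresses).
SAMPLE_ICMP = build_icmp_echo_request(ident=0x4242, seq=1, payload=b"constructed ping payload")
SAMPLE_PACKET = build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_ICMP, len(SAMPLE_ICMP)) + SAMPLE_ICMP

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE_PACKET)
    print({k: v for k, v in ip.items() if k != "payload"})
    print(parse_icmp(ip["payload"]))
```

Corrupting any single byte of the header is always caught by the checksum (a one-byte change can never be a multiple of 0xFFFF), which is what the Header Checksum field is for; the TTL decrement is why every router on the path has to recompute it.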


Network Access Layer

• Also known as the ‘Link Layer’
• Defines how to use the network to transmit the packet
• Deals with communication within the network rather than between networks
• Interfaces with the physical hardware, e.g. the Ethernet cable
• Next we’ll look at an Ethernet Frame which is added to a packet at the Network Access Layer


Network Access Layer

The Network Access Layer or Link Layer is used to define how a network will transmit the packet. This layer deals with internal network communication,
as opposed to the Internet Layer which deals with data transmission across networks. The Network Access Layer interfaces with physical hardware. It is at
this layer that MAC addresses are added to the packet. An example of a Link Layer protocol is Ethernet.


Ethernet Frame

• Arguably not a protocol, however the Ethernet Frame is added at the Network Access Layer. This handles packet transmission within a network.
• Note the Source and Destination MAC Addresses
• Called a Frame because both a Header and a Footer are added


Ethernet Frame

The Ethernet Frame is added at the Network Access Layer. It handles packet transmission within the network. Here we can see that the destination and source
MAC addresses have been added to the packet, and also a footer. This is the reason it is called an Ethernet Frame and not an Ethernet Header: it
consists of both a header and a footer.


TCP/IP Model – Putting it All Together (1)

• Data moves from the top level of the TCP/IP Model down the stack
• As data moves down the stack, new headers are added. This
process is known as ‘encapsulation’


TCP/IP Model – Putting it All Together (1)

Data is generated at the Application Layer. It is sent down the stack to the Transport Layer, where a header is added. The data with the Transport Layer
protocol added is then sent down the stack to the Internet Layer where another header is added. That data, with both headers, is sent down the stack further
to the Link Layer where the data is encapsulated further with a Frame. Finally, from the Link layer data is sent to the Physical Layer which would be the
Ethernet cable or Wireless signal that is used to transmit the data to the network.

When the data is received at the Physical Layer of the receiving computer, it works its way up the TCP/IP stack. At each level, the topmost header is
removed. First the Link frame is removed, then the Internet header, then the Transport header and finally the Application will receive the raw data.
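The whole trip down and back up the stack, as an added Python example that is not part of the course material. It takes an application payload, adds the UDP header (Transport), then the fixed 40-byte IPv6 header (Internet), then the Ethernet header and the CRC-32 footer (Network Access), and finally peels the layers off again in reverse order, checking each layer’s own integrity field on the way up. IPv6 is used so the Internet layer has no header checksum; the UDP checksum, which is mandatory over IPv6, is computed over a pseudo-header containing the addresses. The MAC addresses, the fd00::/8 addresses, the ports and the payload are constructed placeholders; the footer is modelled as the CRC-32 value that capture tools display.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; UDP applies it over pseudo-header + datagram."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_pseudo_header(src: bytes, dst: bytes, upper_len: int, next_header: int) -> bytes:
    """src, dst, upper-layer length (32 bits), 3 zero bytes, next header (RFC 8200 8.1)."""
    return src + dst + struct.pack("!I3xB", upper_len, next_header)


def encapsulate(payload, src_mac, dst_mac, src_ip6, dst_ip6, src_port, dst_port, hop_limit=64):
    """Application -> UDP -> IPv6 -> Ethernet frame (header + FCS footer)."""
    src, dst = [socket.inet_pton(socket.AF_INET6, a) for a in (src_ip6, dst_ip6)]
    # Transport layer: 8-byte UDP header. A computed checksum of 0 is sent as 0xFFFF,
    # because 0 on the wire means "no checksum" (not allowed over IPv6).
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    csum = inet_checksum(ipv6_pseudo_header(src, dst, udp_len, NEXT_HEADER_UDP) + udp) or 0xFFFF
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, csum) + payload
    # Internet layer: version 6, traffic class 0, flow label 0 in the first word.
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(udp), NEXT_HEADER_UDP, hop_limit, src, dst) + udp
    # Network access layer: 14-byte Ethernet header, then the CRC-32 footer (FCS).
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6) + ip6)
    return eth + struct.pack("<I", zlib.crc32(eth))


def decapsulate(frame: bytes) -> dict:
    """Peel one header per layer, verifying each layer's check, and return what each layer saw."""
    body, fcs = frame[:-4], frame[-4:]
    ethertype = struct.unpack("!H", body[12:14])[0]
    layers = {"ethernet": {"dst_mac": body[:6].hex(":"), "src_mac": body[6:12].hex(":"),
                           "ethertype": ethertype,
                           "fcs_ok": struct.pack("<I", zlib.crc32(body)) == fcs}}
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError(f"unexpected EtherType {ethertype:#06x}")
    ip6 = body[14:]
    first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", ip6[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 header")
    layers["ipv6"] = {"payload_length": payload_len, "next_header": next_header,
                      "hop_limit": hop_limit,
                      "src": socket.inet_ntop(socket.AF_INET6, src),
                      "dst": socket.inet_ntop(socket.AF_INET6, dst)}
    if next_header != NEXT_HEADER_UDP:
        raise ValueError(f"unsupported next header {next_header}")
    udp = ip6[40:40 + payload_len]
    src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", udp[:8])
    pseudo = ipv6_pseudo_header(src, dst, udp_len, next_header)
    layers["udp"] = {"src_port": src_port, "dst_port": dst_port, "length": udp_len,
                     "checksum_ok": inet_checksum(pseudo + udp[:udp_len]) == 0}
    layers["application"] = udp[8:udp_len]       # the raw data handed to the application
    return layers


# Constructed sample frame (all addresses and ports are placeholders).
SAMPLE_FRAME = encapsulate(b"constructed UDP payload",
                           src_mac="02:00:00:00:00:01", dst_mac="02:00:00:00:00:02",
                           src_ip6="fd00::1", dst_ip6="fd00::2", src_port=53000, dst_port=53)

if __name__ == "__main__":
    for layer, fields in decapsulate(SAMPLE_FRAME).items():
        print(layer, fields)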


TCP/IP Model – Putting it All Together (2)



Encoding



Encoding (1)

• Encoding is NOT encryption
• Encoding is the process of converting data from one format to another
• Primarily used for efficient storage of data or for transmission of data
• Examples:
• Conversion from Binary to Decimal or vice versa
• Conversion from Decimal to Hexadecimal or vice versa
• Conversion from Decimal to Base64 or vice versa
• ASCII Encoding (Conversion from Binary to Characters or vice versa)
• Many other examples. We will cover some of them…

Encoding (1)

The process of encoding is simply converting data from one format to another. It is not to be confused with encryption. Encoding is primarily used for
efficient storage of data, or for easier transmission of data. We’ve already done some encoding when we were converting binary to decimal and vice versa.

It’s important to remember that a computer only understands binary. So the text you are seeing on the screen is only binary, but it has been encoded into a
format that we can understand. In the case of text, we’re talking about using some form of character encoding such as ASCII (American Standard Code for
Information Interchange) where each binary value maps to a letter in a table.


Encoding (2)

• We’ve already learned about counting systems such as Binary and Hexadecimal. Conversion between them is considered a form of encoding.
• One that we didn’t cover is Base64. As it sounds, this counting system uses 64 as the number base. It utilises a specific character set from the alphabet, along with symbols.
• We know everything is stored in a computer as a binary value, which are of course only numbers. So if that’s the case, how do we work with letters and symbols? The answer is encoding.


Encoding (2)

One form of encoding you’ll see more and more of is Base64. Base64 is a numbering system, like Binary which is Base 2 and Hexadecimal which is Base
16. Similar to the problem we had in Hexadecimal, where we didn’t have enough digits to count high enough so we had to use letters, Base64 uses a
combination of digits, letters and symbols. You can often recognise Base64 encoded data by the ‘=’ sign at the end; it is not always present, but in many
cases there will be one or two. Take ‘hello’ encoded in Base64 as an example: aGVsbG8=
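To see why ‘hello’ becomes aGVsbG8=, here is Base64 written out from its definition as an added Python example (not course code): every 3 bytes are read as one 24-bit number, that number is written as four base-64 digits using the 64-character alphabet, and when the input is not a multiple of 3 bytes the missing digits are shown as ‘=’. The decoder does the reverse and rejects malformed input. It also works on raw bytes that have no ASCII representation, which is the case this encoding is usually used for; the byte string RAW_BYTES is constructed for the example.

```python
import string

# The 64 "digits" of Base64: A-Z are 0-25, a-z are 26-51, 0-9 are 52-61, then + and /.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def base64_encode(data: bytes) -> str:
    """Encode 3 bytes (24 bits) at a time as four base-64 digits; '=' pads a short final group."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        n = int.from_bytes(group.ljust(3, b"\x00"), "big")             # one 24-bit number
        digits = [B64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        missing = 3 - len(group)                                         # 0, 1 or 2 bytes short
        out.append("".join(digits[:4 - missing]) + "=" * missing)
    return "".join(out)


def base64_decode(text: str) -> bytes:
    """Inverse of base64_encode; rejects bad lengths, bad padding and foreign characters."""
    body = text.rstrip("=")
    padding = len(text) - len(body)
    if padding > 2 or len(text) % 4:
        raise ValueError("malformed Base64 length or padding")
    out = bytearray()
    for i in range(0, len(body), 4):
        group = body[i:i + 4].ljust(4, "A")                              # 'A' is digit value 0
        n = 0
        for ch in group:
            if ch not in B64_ALPHABET:
                raise ValueError(f"invalid Base64 character {ch!r}")
            n = (n << 6) | B64_ALPHABET.index(ch)
        out += n.to_bytes(3, "big")
    return bytes(out[:len(out) - padding]) if padding else bytes(out)


def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is a visible ASCII character or a space (0x20..0x7E)."""
    return all(0x20 <= b <= 0x7E for b in data)


# Constructed sample: bytes with no ASCII representation, as encrypted output usually is.
RAW_BYTES = bytes([0x00, 0xC2, 0x92, 0x47, 0x50, 0x2F, 0x43, 0xFF])

if __name__ == "__main__":
    print(base64_encode(b"hello"))                      # aGVsbG8=
    print(is_printable_ascii(RAW_BYTES), base64_encode(RAW_BYTES))
```

Because the output only ever contains the 64 alphabet characters plus ‘=’, any byte string, printable or not, survives being pasted into a text field, a log line or an e-mail; the cost is that the output is a third longer than the input.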


Encoding – ASCII

• Stands for American Standard Code for Information Interchange
• Effectively a language definition for what numerical values map to what letters or symbols
• For example, the letter ‘A’ is represented by the decimal value 65 or the hexadecimal value 41. The letter ‘a’ is represented by the decimal value 97, or the hexadecimal value ‘61’.
• We have to know that the binary value in memory in the computer is supposed to be interpreted as text first!
• There are also other standards with different tables such as Unicode


Encoding - ASCII

ASCII, or the American Standard Code for Information Interchange, is a form of text encoding where binary values are mapped to letters and symbols.
Take a capital ‘A’ for example: according to the ASCII table, it has the decimal value 65 or the hexadecimal value 41. Of course, in memory
everything is just numbers, so the computer has to know how to interpret the data.

ASCII isn’t the only character encoding in use, but it is the most common. There are other types such as Unicode to consider.


Encoding – ASCII Table


Encoding - ASCII Table

Here is a chart of all the ASCII code values and what they map to. For those on a Windows PC with a number pad, you can try using these values with ALT
codes. Hold down the ‘ALT’ key, type 65 on the number pad, then release ALT. You will see the capital letter A appear on screen. 65 is of course the
decimal value of a capital ‘A’ in ASCII. Try it again with some other values.


Encoding – URL

• If you ever typed a URL into your browser with spaces in it, you
may have noticed this
• The URL is changed automatically by your browser and each
instance of a space was replaced with %20
• %20 is the URL encoded form of a space
• Flip back to the ASCII table and look up the [space] entry. In
Hexadecimal, it’s 20
• So the %20 just means the ASCII character that is represented by
0x20 or 20 hexadecimal


Encoding - URL

URL Encoding is a type of encoding commonly seen on the Internet. Browsers will often do this automatically for you so you don’t have to worry about it,
but it’s important to keep it in mind. URL Encoding involves using the % sign to signify that what follows next is a URL encoded value. Let’s take a
‘space’ for example: a ‘space’ can be encoded as %20.

Take another look at the ASCII chart, and look up ‘space’. You’ll notice the hexadecimal value is 20. So that’s all URL encoding is - you can use ASCII
values so long as you precede them with a % sign. You could even URL encode entire links. Look at this link:
https://www.%67%6F%6F%67%6C%65.com
Where does it go? It goes to google.com.
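The two ideas on the last few slides, the ASCII table and percent-encoding, as an added Python example that is not part of the course material. ascii_codes reads one character off the table in decimal, hexadecimal and binary (‘A’ gives 65, 41 and 01000001); percent_encode writes every byte outside the RFC 3986 unreserved set as % followed by its two hexadecimal digits, and percent_decode reverses that, refusing a % that is not followed by two hexadecimal digits. Decoding the google.com link above yields the plain URL. The function names are this example’s own.

```python
import string

# Characters RFC 3986 lets through unencoded in any part of a URL.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def ascii_codes(ch: str):
    """Return (decimal, hex, binary) for one character, as read off the ASCII table."""
    code = ord(ch)
    if code > 127:
        raise ValueError(f"{ch!r} is not an ASCII character")
    return code, f"{code:02X}", f"{code:08b}"


def percent_encode(text: str) -> str:
    """Encode every byte outside the unreserved set as %XX using its ASCII hex value.
    This is the strict, single-component form: delimiters such as ':' and '/' are
    encoded too, so encode the parts of a URL separately, not the whole string."""
    out = []
    for byte in text.encode("utf-8"):              # non-ASCII text becomes UTF-8 bytes first
        if byte < 128 and chr(byte) in UNRESERVED:
            out.append(chr(byte))
        else:
            out.append(f"%{byte:02X}")
    return "".join(out)


def percent_decode(text: str) -> str:
    """Replace each %XX with the byte 0xXX, then interpret the bytes as UTF-8.
    Decoding is a single pass: '%2520' becomes '%20', not a space."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            hexpair = text[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in string.hexdigits for c in hexpair):
                raise ValueError(f"malformed percent-escape at offset {i}")
            out.append(int(hexpair, 16))
            i += 3
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")                     # raises ValueError on invalid UTF-8


if __name__ == "__main__":
    for ch in "A", "a", " ":
        print(repr(ch), ascii_codes(ch))
    print(percent_encode("hello world"))                               # hello%20world
    print(percent_decode("https://www.%67%6F%6F%67%6C%65.com"))        # https://www.google.com
```

The single-pass rule in percent_decode is the one to remember when writing anything that inspects URLs: compare against the decoded form, and decode exactly as many times as the consuming application does, or two components will disagree about what the same string means.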


Encoding

• Encoding is often used in conjunction with Encryption. This is because encryption will often output numerical values with no ASCII representation. This will appear garbled on a screen.
• By converting the encrypted text into another format such as Base64 you can go from this:
▒▒GP/C▒CIGs▒▒]▒▒>▒▒J▒H▒5▒▒▒_r▒@▒▒O▒▒
• To this:
4paS4paSR1AvQ+KWkkNJR3PilpLilpJd4paS4paSPuKWkuKWkkrilpJI4paSNeKWkuKWkuKWkl9y


Encoding

Encoding and encryption often go hand in hand. A form of encoding is usually used to normalise the values that come out of the encryption process. Think
about it: if you encrypt some data, you may get numerical values that don’t have an ASCII representation. So how do you see them on the screen? The
answer is you can’t.

What you do see will appear garbled. Some values that appear the same may actually be different, depending on how values are represented on the
screen when they have no specific ASCII value in the chart. To get around that, we often encode encrypted data in a format such as Base64, which
ensures each value has a corresponding ASCII character.


Encryption



Encryption (1)

• Encryption is the process of encoding data in a way that only authorized parties can read it
• Strong encryption methods are published and reviewed by mathematicians
• Relying on the method of encryption for secrecy is a bad idea
• Strong encryption relies on a ‘key’. Using the same encryption method with a different key will have a different result.
• Therefore only someone who has the key can read the message, and knowledge of the encryption method becomes irrelevant


Encryption (1)

Encryption and encoding are often confused, and with good reason: they are very similar. In fact, encryption is a type of encoding that uses not just the
values you want to change but also a secret key to transform the data into another form. The data cannot be transformed back without knowing both the
process for encryption/decryption and the secret key.

It’s important that you don’t go down the path of using encryption where the encryption process itself is secret, however. Such methods are often highly
vulnerable. Instead, a good encryption algorithm will be one that has been in the public domain for years, even decades. These algorithms will be the ones
that have survived the gauntlet of mathematicians trying to find flaws in them. The only secret should be the key you use, in conjunction with the
encryption algorithm, and not the method for encryption itself.


Encryption (2)

• Every method of encryption will eventually be broken. As hardware improves, it will start to become feasible to throw processing power at encrypted text and get a result within a relatively short timeframe.
• An example of this is DES encryption. DES encryption came about in the 1970s. It relied on a 56-bit key (+8 for error checking), and as of 2006 it could be brute forced in a single day.
• Aside from hardware advances, mathematicians take cracking encryption as a personal challenge. Sometimes flaws do get found!


Encryption (2)

Every means of encryption will eventually be broken. As hardware improves, it will start to become more and more feasible to break encryption by
throwing processing power at it. This is a brute force method that given the rate of hardware advances will eventually become viable for all forms of
encryption. It’s simply a case of making sure you are using an encryption algorithm that can stand up to modern day hardware.

An example of an old encryption algorithm that has been broken due to hardware advances is DES. DES encryption came about in the 1970s, and at the time it
was widely used, even by the military. It relied on a 56-bit key (officially it was a 64-bit key, but 8 bits of that were reserved for error checking, so in
practice it was 56 bits). As of the year 2006, hardware had advanced far enough that DES could be broken in a single day.

Aside from simply throwing hardware at a problem, encryption algorithms themselves come under scrutiny by mathematicians who take cracking
encryption as a personal challenge. Sometimes flaws that no one realised existed do get found.


Encryption – Symmetric (1)

• Symmetric encryption is a form of encryption where the key is the same if you are encrypting or decrypting
• E.g. If you encrypt ‘hello’ with the key ‘password’ you will get some encrypted text. If you then decrypt the result with the key ‘password’ you will get ‘hello’.
• Symmetric key encryption is fast and secure (depending on the algorithm)
• The problem is key exchange. How do you transmit the key to the recipient for them to decrypt your encrypted message?


Encryption – Symmetric (1)

Symmetric Encryption is a form of encryption where the key is the same if you are encrypting or decrypting data. Symmetric encryption is fast and secure
(depending on the algorithm used for encryption of course), but the problem is key exchange. Both parties have to know the shared key. If you send the key
and then the encrypted message, anyone who intercepted the key could read the message. Therefore the key has to be sent out of band using something like
a text message or in person conversation. Even then, it is not 100% secure: the key could be overheard, or text messages could be intercepted.

The problem is exacerbated when you want to talk about automated systems such as HTTPS encryption where the encryption is automatic. There’s no
leeway for out of band communication in those cases.


Encryption – Symmetric (2)

• Examples of symmetric encryption:
• AES (Advanced Encryption Standard)
• DES (Digital Encryption Standard, Broken)
• There are many other examples. The strength of the encryption is related to the algorithm used, and also the key size.
• DES had a 56 bit key, if you don’t count the 8 bits for parity. This is too easy to brute force on modern hardware.
• AES currently supports a maximum key size of 256 bits (there are proposals for AES-512 in the works)
• Don’t forget that the key used is a huge factor: if you use a key of ‘password’, don’t expect that no one will be able to guess it

Encryption – Symmetric (2)

The two aspects that determine the strength of symmetric encryption are firstly the encryption algorithm and secondly the size of the key used. Each
algorithm has a limit to how large the key can be. AES, for example, has a maximum key size of 256 bits (currently). It doesn’t matter how secure the
encryption algorithm is if you use a weak key which can be easily guessed, such as a dictionary word or a small key.
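The symmetric property described on the last two slides (one key, the same for both directions; a different key gives a different result; the algorithm is public and only the key is secret), as an added Python example that is not course code and is not AES. Python’s standard library has no AES, so the example uses the same structure AES is used in (counter mode: a keystream is derived from the key and a per-message nonce and XORed with the data) with HMAC-SHA256 from the standard library as the keystream generator. Because XOR undoes itself, decrypt is literally encrypt run again with the same key, which is what "symmetric" means. The 256-bit key size matches the AES maximum the slide mentions; the key and nonce values in the test are constructed.

```python
import hashlib
import hmac
import os

KEY_LEN = 32      # 256-bit key, the largest size AES supports
NONCE_LEN = 16    # a fresh random value per message; must never repeat under one key


def generate_key() -> bytes:
    """A strong key is random and full-length, not a word someone can guess."""
    return os.urandom(KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream = HMAC-SHA256(key, nonce || i).
    AES-CTR does exactly this with AES in place of HMAC; the structure is what matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Return nonce || (plaintext XOR keystream). The nonce is not secret; it is sent along."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes")
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Same key, same keystream, XOR again: that symmetry is the whole point."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


if __name__ == "__main__":
    key = generate_key()
    ct = encrypt(key, b"hello")
    print(ct.hex())                         # garbled bytes, hence shown as hex here
    print(decrypt(key, ct))                 # b'hello'
    print(decrypt(generate_key(), ct))      # wrong key: unrelated bytes, not b'hello'
```

Two cautions that the slide’s one-line description hides and that a reviewer would look for in real code: this construction, like AES-CTR on its own, provides no integrity (a flipped ciphertext bit flips the same plaintext bit undetected), and reusing a nonce under one key leaks the XOR of the two plaintexts. Production code should use an authenticated mode such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than assembling the pieces by hand.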


Encryption – Asymmetric (1)

• Asymmetric encryption is a form of encryption where the key used to encrypt some data and the key used to decrypt the data are different
• This often takes the form of a public and a private key
• A public key is known to anyone who wants to send you encrypted data. A private key is only known to whoever is authorised to decrypt the data.
• Data is encrypted using the recipient’s public key. The encrypted data is decrypted using the recipient’s private key.


Encryption – Asymmetric (1)

Asymmetric encryption is a form of encryption where the key used to encrypt data is different from the key used to decrypt it. Often we see this in the form
of a public and private key.

The public key is used to encrypt data that is destined for the recipient, while the private key is used to decrypt that data. The public key is shared with
people that you want to be able to message you securely. The corresponding private key is kept privately, and is the only thing which can be used to
decrypt data encrypted with the corresponding public key.


Encryption – Asymmetric (2)

• A good example of asymmetric encryption would be RSA
• RSA doesn’t stand for anything: the letters make up the first letters
of the surnames of the three creators
• Most famously used in SSL/TLS encryption for HTTPS
• Asymmetric encryption is slower than symmetric encryption
• The other problem is exchange of public keys
• How do you know the public key you have for someone is a
legitimate public key and not someone else’s?
• This problem is most noticeable in PGP or GPG


Encryption – Asymmetric (2)

There are two main issues with asymmetric encryption. Firstly, similar to symmetric encryption the problem is key exchange. In this case, how do we know
the public key we have is definitely the public key for the person we are trying to contact? If you got it in person you could be reasonably certain, but if
you found the public key on a website how can we verify that it belongs to the person we want to contact?

The other problem is speed. Asymmetric encryption has a much higher overhead and therefore is slower. That’s why a combination of asymmetric
encryption and symmetric encryption is used for HTTPS connections.


Encryption – Asymmetric (3)

• PGP stands for Pretty Good Privacy. It’s a standard that aimed to
make encryption common amongst everyone. Unfortunately it
never quite took off.
• It’s asymmetric and uses a public and private key
• The problem was: how do you give your public key to people in safe
way?
• If you put it up on a website, who says that the website wasn’t
compromised, and the key swapped out to one the attacker has?
• The safest way is in-person key exchange, but that is just too
inconvenient


Encryption – HTTPS (1)

• RSA is used in SSL/TLS encryption to secure web traffic, but not
alone: symmetric encryption is ALSO used
• SSL solves the problem with symmetric encryption’s key exchange
• The public key or ‘certificate’ is issued by a ‘certificate authority’.
The certificate itself is signed by other certificates. The trust makes
up a chain which leads back to a root provider.
• Usually this is a company that is considered to be trustworthy
• Every browser has a list of certificates that it trusts. If your
certificate is signed by one of those, the browser trusts the
certificate.


Encryption – HTTPS (1)

HTTPS uses SSL/TLS to encrypt traffic between a client and a web server. HTTPS uses a mixture of asymmetric encryption and symmetric encryption.
Each web server has a certificate which is signed by a certificate authority which is trusted. These are usually big-name companies which deal with
certificates. Browsers will automatically trust certificates signed by these certificate authorities. If your certificate is not signed by a trusted certificate
authority somewhere in the chain, it is not considered trusted and most browsers will display a warning.


Encryption – HTTPS (2)

• Since the certificate is trusted, your browser can use that public key
to encrypt data to send to the web server
• But wait – we said asymmetric key encryption is slow, right? So we
don’t want to use it for ALL traffic
• All we do is generate a symmetric key and encrypt it to send to the
web server
• Therefore, the problem with symmetric key exchange has been
solved, and both parties can use that symmetric key to encrypt
traffic for that session
• And it’s symmetric so it will be fast!


Encryption – HTTPS (2)

The certificate acts as a public key. The client then generates a symmetric key and encrypts it with the public key of the server, sending the symmetric key
to the web server. The web server uses its private key to decrypt the symmetric key.

From then on, both parties will use symmetric encryption with the shared key. That’s because symmetric encryption is much faster than asymmetric
encryption, so asymmetric encryption is only used for the initial key exchange.

You can see that by using a combination of symmetric and asymmetric encryption, the key exchange problem has been mostly resolved. Asymmetric
encryption is slow, but secure. Using asymmetric encryption, a symmetric key is sent between both parties so both parties will know it. From then on the
symmetric key is used to encrypt data because it is much faster than asymmetric encryption.
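The exchange described above, worked through end to end as an added Python example (not part of the original course material). It uses a constructed toy RSA key built from two publicly known Mersenne primes and an HMAC-based stream cipher as a stand-in for AES, because the Python standard library has neither RSA nor AES; both are illustrations of the mechanics only, not usable cryptography.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for the web server. The primes are the publicly
# known Mersenne primes 2^61-1 and 2^89-1, chosen so the example is deterministic
# and readable; a real key uses secret primes of 1024 bits or more, and real
# RSA encryption adds padding (e.g. OAEP) before the modular exponentiation.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                    # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                    # public exponent


def mod_inverse(a, m):
    """Extended Euclid: return x such that (a * x) % m == 1."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("a and m are not coprime")
    return old_s % m


D = mod_inverse(E, PHI)       # private exponent, known only to the server

SERVER_PUBLIC_KEY = (N, E)    # what the server's certificate carries
SERVER_PRIVATE_KEY = (N, D)   # never leaves the server


def rsa_encrypt(public_key, data):
    """Textbook RSA: treat the bytes as an integer m < n and compute m^e mod n."""
    n, e = public_key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext, length):
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def stream_xor(key, data):
    """Toy symmetric cipher standing in for AES: XOR the data with keystream
    blocks derived as HMAC-SHA256(key, block counter). XOR is its own inverse,
    so the same function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# --- the handshake, one function per side ---

def client_key_exchange(server_public_key):
    """Client: pick a fresh 128-bit session key and wrap it with the server's public key."""
    session_key = secrets.token_bytes(16)
    return session_key, rsa_encrypt(server_public_key, session_key)


def server_key_exchange(server_private_key, wrapped_key):
    """Server: unwrap the session key with the private key only it holds."""
    return rsa_decrypt(server_private_key, wrapped_key, 16)


def run_session(request=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """Run the whole exchange and report whether both sides agree on the key
    and whether the symmetric traffic round-trips."""
    client_key, wrapped = client_key_exchange(SERVER_PUBLIC_KEY)
    server_key = server_key_exchange(SERVER_PRIVATE_KEY, wrapped)
    ciphertext = stream_xor(client_key, request)        # client -> server
    recovered = stream_xor(server_key, ciphertext)      # server side
    return {
        "keys_match": client_key == server_key,
        "roundtrip_ok": recovered == request,
        "ciphertext_differs": ciphertext != request,
    }


if __name__ == "__main__":
    print(run_session())
```

Everything that crosses the wire (the public key from the certificate and the wrapped session key) is visible to an eavesdropper, yet only the holder of D can recover the session key; that is the key-exchange property the slides describe.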


Encryption – HTTPS (3)

• Of course, the system isn’t perfect. What happens if a root
provider/certificate authority is compromised? It has happened
before!
• There isn’t a better system at the moment


Encryption – HTTPS (3)

Although the problem of key exchange is mostly resolved, this is far from a perfect solution. What happens if a root certificate authority is compromised?
It’s happened before, where an attacker has been able to compromise one of the companies that provide certificates to most of the Internet and then they
have issued real certificates to malicious actors.

There just isn’t a better system at the moment; luckily, scenarios where bad certificates have been issued are few and far between.


Encryption – Hashing (1)

• Hashing is a form of encryption. However, data can only be
encrypted and not decrypted
• There is no key - essentially the data you want to encrypt is the key
• If you hash the word ‘hello’, you will always get the same encrypted
text
• Commonly used for storing passwords. Instead of keeping the
passwords in plaintext in a database they should be stored as a
hash.


Encryption – Hashing (1)

Hashing is a form of one way encryption. Data can be encrypted but not decrypted. A good hashing algorithm will produce a unique result for a unique set
of data.

The word ‘hello’ hashed would always have the same hash no matter what. Hashing is most typically used for storing passwords in databases. The idea is
that when someone logs in, the password they enter is hashed and then compared with the hash that was stored in the database. If they match, the password
was correct.


Encryption – Hashing (2)

• Then when a user tries to log in, the password they submit is also
hashed and if the two hashes match then the password is correct.
• Since the password is hashed in the database, just having the hash
isn’t enough to find out the password. You would have to guess the
password, hash your guess and compare to find the password.
• There are programs that can do this hundreds of thousands of
times per second based on dictionary words or by going through
every combination of letters, numbers, etc.
• This is why a strong password is important!


Encryption – Hashing (2)

There are programs which can calculate hundreds of thousands of hashes per second. This means that if someone gets hold of a password hash and the
password is weak then it can be quickly cracked. A strong password will mean that the program has to run for years or decades before the password can be
cracked. Programs that crack passwords quickly often benefit from using the processing power of graphics cards which excel at number crunching tasks.


Encryption – Hashing (3)

• Of course, just hashing on its own is not recommended. A hash
should be used in conjunction with a salt.
• A salt is just a random string which is added to a password before it
is hashed. The salt is often unique to that particular user and stored
in the database alongside the password hash.
• Using a salt prevents a ‘rainbow’ attack. A ‘rainbow’ attack is where
every combination of letters, numbers, symbols, etc. are hashed
and the results stored in a ‘rainbow table’.
• With the results stored, you can just look up hashes in the table
over and over again


Encryption – Hashing (3)

Using a hash on its own to store passwords is not a good idea. Usually you should ‘salt’ a hash first. That means you take the password and add some text
to it before hashing. Even better would be for each account to have its own salt which is stored in the database alongside the hash. This is helpful in
preventing pre-computation attacks (rainbow table attacks).

With pre-computation, people hash dictionary words, letter combinations, etc., and store the results in a huge file (TBs in size sometimes). Then it
is just a case of looking up the hash in the file, and you will have the resulting plaintext password. By using a salt we can make that more difficult. The
addition of the salt means you have to generate a rainbow table for that exact salt, which takes the same amount of time as just cracking the hash live. By
using a unique salt for each user, and not just for each application, we prevent people from generating a rainbow table that works for the entire application.


Encryption – Hashing (4)

• A salt defeats this by making the same value hashed come out
differently every time
• This way you don’t save any time by using a rainbow table, since
the hashes will be unique to each user in the database and
therefore storing the calculated hashes is pointless


Encryption – Hashing (4)

We can use a salt to defeat a pre-computation attack. This is usually a random value which gets added to the data before hashing it. The salt must be a
known value, often it is stored in plaintext next to the hash in a database. Some applications have the same salt across the entire application, but it’s often
best to use different salts within an application also. For example, if you were talking about user accounts, each user account might have their own salt.
This prevents an attacker pre-computing the hashes for your application specifically. For example, if all users had the same salt and the attacker had a copy
of the users table then he could still save time by generating a rainbow table for that specific salt. If every user has a different salt even within the same
database, then generating a rainbow table wouldn’t be worthwhile because you might as well just crack the password if you’re only going to be able to use
that rainbow table to crack one user’s password.


Encryption – Hashing (5)

• Examples:
• hash("hello") =
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
hash("hello" + "QxLUF1bgIAdeQX") =
68290787dab7259f607c8d9fa58df0ac07ec0a33d151a60127a55f429d09ad52
hash("hello" + "bv5PehSMfV11Cd") =
0a7d4f0c9b8962788d4b6b157e9e6cdf794bf5c9b790915dd24ba5ab962a3fe2
hash("hello" + "YYLmfY6IehjZMQ") =
6034fd9ad717f98425f8135fcfe9de956b7d94d885b371394ee149f8a3ce1e24
• Examples using the SHA-256 hashing algorithm.


Encryption – Hashing (5)

Here we can see some examples of using a password with a salt. In this case, ‘hello’ is the password. When we combine it with a randomly generated salt
we see the hashes are wildly different.
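The salt-and-verify flow of the last three slides, as an added Python example that is not part of the course material. It implements the slide’s scheme (SHA-256 over password + salt), shows why a precomputed table stops working once salts are per user, and adds the step a practitioner takes today: a deliberately slow key-derivation function (PBKDF2 from the standard library stands in for Argon2 here, since Argon2 needs a third-party package). The word list and user records are constructed.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The slide's scheme: SHA-256 over the password with the salt appended."""
    return sha256_hex((password + salt).encode())


def new_salt() -> str:
    """A random per-user salt; the slide's salts are 14-character strings."""
    return secrets.token_urlsafe(10)[:14]


def register(users: dict, username: str, password: str) -> None:
    """Store salt and hash side by side, as the slides describe; never the password."""
    salt = new_salt()
    users[username] = {"salt": salt, "hash": salted_hash(password, salt)}


def verify(users: dict, username: str, password: str) -> bool:
    """Hash the submitted password with the stored salt and compare the digests.
    compare_digest avoids leaking information through comparison timing."""
    record = users.get(username)
    if record is None:
        return False
    return hmac.compare_digest(salted_hash(password, record["salt"]), record["hash"])


# --- why the salt matters: a (tiny, constructed) precomputed table ---

def precompute(words) -> dict:
    """A 'rainbow table' in miniature: unsalted digest -> word."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table: dict, digest: str):
    """Recover a plaintext from a digest with one dictionary lookup, if present."""
    return table.get(digest)


# --- what a practitioner would use instead of a bare salted SHA-256 ---

def pbkdf2_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: the iteration count makes each guess cost
    thousands of hash computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "hello")
    register(users, "bob", "hello")          # same password, different salt
    print(users["alice"]["hash"] != users["bob"]["hash"])                   # True
    print(verify(users, "alice", "hello"), verify(users, "alice", "hullo"))  # True False
    table = precompute(["hello", "password", "letmein"])
    print(lookup(table, sha256_hex(b"hello")))      # 'hello'
    print(lookup(table, users["alice"]["hash"]))    # None: the salt defeats the table
```

Note that the slide’s unsalted value 5891b5b5… is the digest of ‘hello’ followed by a newline, which is what `echo hello | sha256sum` produces; the digest of the bare string ‘hello’ begins 2cf24dba.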


Encryption – Hashing (6)

• Hashing algorithms are supposed to produce unique hashes
• For example ‘hello’ should always come out to the same hash, and
nothing else should come out to the same hash as ‘hello’
• This is not always the case: there can be collisions depending on the
algorithm
• MD5 and SHA1 are two popular algorithms that are still commonly
used, but are considered ‘broken’ because there are chances of
collisions
• SHA2 and SHA3 are still considered secure
• Argon2 is a new hashing algorithm that won the Password Hashing
Competition (2015)

Encryption – Hashing (6)

When we talk about hashing we also have to talk about collisions. Hashing algorithms are supposed to produce unique hashes. That means one value will
always come out to the same hash, and no other value will create a hash which matches. That’s the theory at least.

In practice, collisions do occur. Two popular hashing algorithms still used frequently today are MD5 and SHA1. Both of these are considered broken, in
that under some specific circumstances collisions are possible. More recently there is SHA2 and SHA3, which are still considered secure today. There’s
also a newer algorithm called Argon2 which won the Password Hashing Competition in 2015.


Hardware Components – In Depth


CPU – Components

• A CPU is made up of several components
• The Arithmetic Logic Unit (ALU)
• The Control Unit (CU)
• Registers


CPU – Components

The CPU is made up of several components.

The Arithmetic Logic Unit (ALU) is actually two components, the Arithmetic Unit and the Logic Unit. Combined, it is responsible for mathematical
functions and logic such as AND, NOT, OR, etc.

The Control Unit (CU) is responsible for the sequence of instructions that the CPU will execute, managing the timing of the CPU (clock cycles),
interpreting instructions and regulating the flow of data to other components along bus lines.

The Registers are small memory storage areas which exist ‘on-die’ (on the CPU itself) and therefore can be accessed very fast, even faster than RAM.
These registers act as temporary storage while the CPU performs instructions. Each register has its own function, such as the EIP register (Extended
Instruction Pointer) which always points to the next instruction to be executed.


CPU – Arithmetic Logic Unit

• The Arithmetic Logic Unit is actually two components
• The Arithmetic Unit is responsible for performing mathematical
functions (such as addition, subtraction, multiplication and
division) and returning the results
• The Logic Unit is responsible for logical operations such as those
used in making comparisons (e.g. NOT, AND, OR, etc.)
• Logic will be covered more thoroughly in the programming book of
this course


CPU – Arithmetic Logic Unit

The Arithmetic Logic Unit is often referred to as one component, but it actually consists of two separate components. The first component is the Arithmetic
Unit, responsible for mathematical functions such as multiplication, subtraction, addition and division. The Logic Unit is responsible for logical operations
which return a Boolean value (true or false value). We’ll be covering these more thoroughly in the programming book.


CPU – Control Unit

• The Control Unit is responsible for the sequence of instructions to
be executed
• Also responsible for interpreting instructions and managing the
timing of the CPU
• Regulates the flow of data to other components of the computer
such as RAM, Storage, etc.


CPU – Control Unit

The Control Unit is responsible for the sequence of instructions which the processor will execute. It is also responsible for managing the timing of the CPU
and regulating the flow of data to other components (along bus lines) such as RAM.


CPU – Registers (1)

• A CPU has several memory registers ‘on-die’
• On-die memory can only store a very small amount of data,
however it is much faster than RAM
• As the CPU processes instructions, data is temporarily stored in
these memory registers. For example, in a 32-bit Intel processor
the register EIP points to the next instruction to be executed.


CPU – Registers (1)

Registers are small memory storage areas which live on the CPU. They are very fast, faster even than RAM because of their proximity to the processor.
The registers are designed to hold small amounts of data temporarily. Think of it almost like a cache: data is saved in the registers while it is relevant to the
instruction the CPU is executing at the time, so it doesn’t need to keep being retrieved from RAM or Storage.

Some registers have specific purposes; others are known as general purpose registers. EIP (Extended Instruction Pointer) is an example of a register with a
very specific purpose. It holds the memory address of the next instruction for the processor to execute.


CPU – Registers (2)

• CPU Registers can hold an extremely limited amount of data. On a
32-bit processor each register is limited to 32 bits of data.
• 64-bit processors can hold more data: 64 bits of data


CPU – Registers (2)

CPU Registers can hold an extremely small amount of data. On a processor with a 32-bit architecture, each register is limited to holding 32 bits of data. On
a processor with a 64-bit architecture, each register can hold 64 bits of data. This is exactly why you can run programs compiled for 32-bit processors on a
64-bit system, but you can’t run programs compiled for a 64-bit system on a 32-bit processor. 32 bits of data fit into 64 bits, after all, but it’s impossible
for 64 bits to fit in 32 bits.


CPU – Architectures

• A CPU Architecture is simply how a processor is designed
• The Intel x86 Architecture supports a certain set of instructions,
and is a 32-bit architecture
• The Intel x64 Architecture supports the same set of instructions, as
the manufacturer is the same. However, programs compiled for
x64 will not run on x86 architecture. This is because x64 utilises
64-bit registers, while x86 only has 32-bit registers.
• Programs compiled for x86 will run on x64 processors because x86
programs use 32-bit registers and these values fit within a 64-bit
register


CPU – Architectures

A CPU Architecture is how the processor is designed: including what instructions it supports, the size of its registers and various other factors. The Intel
x86 architecture supports Intel instructions and has a 32-bit architecture. That means the memory registers can hold 32-bit values.

The Intel x64 architecture supports the same set of instructions as x86, but programs that are compiled for 64-bit architectures won’t work on 32-bit
systems. Programs compiled for 32-bit systems will however work on both 32-bit and 64-bit systems. The reason for this is simple. When a program is
compiled for 64-bit systems, the instructions utilise the full 64 bits of the CPU registers. This means that the values that get loaded into the memory
registers won't fit in the memory registers of a 32-bit system.

On the other hand, a program compiled for a 32-bit system will have values in the memory registers which utilise 32 bits. 32-bit values do fit in the 64-bit
registers, so the program will be compatible with both architectures.

Of course, there are some architectures which are incompatible because they use a completely different instruction set. Take ARM, for example, which
uses different instructions to Intel. A program compiled for Intel will not run on an ARM processor and vice versa.


CPU – Clock Rate

• The process of a CPU working is called the fetch – decode – execute
cycle
• The process loops endlessly while the computer is running
• The clock rate of a CPU is the number of times per second this cycle
occurs and is therefore often used as an indication of a processor’s
speed


CPU – Clock Rate

The CPU functions in a fetch – decode – execute cycle where the next instruction is first fetched, decoded and executed, and then the cycle starts again
with fetching the next instruction.

This loop is always working while the computer is on. The number of cycles per second is called the clock rate and it’s often expressed as a value in GHz
such as 3.2 GHz. It’s an indication of the processor’s speed, but it isn’t the only aspect to take into consideration.


CPU – Fetch

• First the next instruction is fetched from the memory address
contained in the Program Counter (Instruction Pointer). This
instruction is held in the Instruction Register.
• The Program Counter is then updated to point to the next
instruction


CPU – Fetch

At the fetch stage the next instruction is fetched from the memory address contained in the Program Counter. The program counter is also known as the
Instruction Pointer. On 32-bit systems it is known as EIP (Extended Instruction Pointer) and on 64-bit systems it is RIP. The instruction is then stored in the
Instruction Register and the Program Counter is updated to point to the next instruction.


CPU – Decode

• The instruction held in the Instruction Register is decoded by the
Instruction Decoder
• Each instruction is programmed into the processor and the valid
set of instructions a processor can understand is known as the
‘instruction set’


CPU – Decode

The instruction that was fetched into the Instruction Register is decoded by the Instruction Decoder. Each valid instruction is programmed into the
processor and the valid set of instructions is known as the instruction set which the CPU architecture understands. The instruction decoder looks at the
instruction set to understand what it has to do next to execute the instruction.


CPU – Execute

• At this stage the decoded instruction is executed. Exactly what
occurs at this stage depends on the instruction that was executed.
• Once execution is finished, the CPU enters the ‘fetch’ stage once
again, ready to read in the next instruction


CPU – Execute

At this stage the decoded instruction is executed. When execution is finished the CPU loops back to the fetch cycle again ready for the next instruction.
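The fetch – decode – execute loop from the last four slides, as an added Python model that is not part of the course material. The instruction set, the four 32-bit registers and the program are constructed for illustration; the register names (PC, IR, R0–R3) are the slides’ generic ones, not Intel’s.

```python
MASK32 = 0xFFFFFFFF          # registers are 32 bits wide, so results wrap


class IllegalInstruction(Exception):
    """Raised by the decoder when the opcode is not in the instruction set."""


# --- the instruction set: what the decoder hands to 'execute' for each opcode ---

def op_load(cpu, reg, value):          # LOAD Rn, imm
    cpu.regs[reg] = value & MASK32

def op_add(cpu, dst, src):             # ADD Rd, Rs   (ALU)
    cpu.regs[dst] = (cpu.regs[dst] + cpu.regs[src]) & MASK32

def op_sub(cpu, dst, src):             # SUB Rd, Rs   (ALU)
    cpu.regs[dst] = (cpu.regs[dst] - cpu.regs[src]) & MASK32

def op_jnz(cpu, reg, target):          # JNZ Rn, addr: control flow rewrites the PC
    if cpu.regs[reg] != 0:
        cpu.pc = target

def op_halt(cpu):                      # HALT
    cpu.halted = True

INSTRUCTION_SET = {"LOAD": op_load, "ADD": op_add, "SUB": op_sub,
                   "JNZ": op_jnz, "HALT": op_halt}


class CPU:
    def __init__(self, program):
        self.memory = list(program)     # instructions sit in memory, one per address
        self.pc = 0                     # program counter / instruction pointer
        self.ir = None                  # instruction register
        self.regs = [0, 0, 0, 0]        # general purpose registers R0..R3
        self.halted = False
        self.cycles = 0

    def fetch(self):
        """Copy the instruction at PC into IR, then advance PC to the next one."""
        self.ir = self.memory[self.pc]
        self.pc += 1

    def decode(self):
        """Look the opcode up in the instruction set; anything else is illegal."""
        opcode, *operands = self.ir
        handler = INSTRUCTION_SET.get(opcode)
        if handler is None:
            raise IllegalInstruction(f"opcode {opcode!r} at address {self.pc - 1:#06x}")
        return handler, operands

    def execute(self, handler, operands):
        handler(self, *operands)

    def run(self, max_cycles=10_000):
        """Loop fetch -> decode -> execute until HALT (or the cycle budget is spent)."""
        while not self.halted and self.cycles < max_cycles:
            self.fetch()
            handler, operands = self.decode()
            self.execute(handler, operands)
            self.cycles += 1
        return self


# Constructed program: sum 5 + 4 + 3 + 2 + 1 into R1 with a countdown loop.
SUM_TO_FIVE = [
    ("LOAD", 0, 5),      # 0x0000  R0 = 5   (loop counter)
    ("LOAD", 1, 0),      # 0x0001  R1 = 0   (accumulator)
    ("LOAD", 2, 1),      # 0x0002  R2 = 1   (constant)
    ("ADD", 1, 0),       # 0x0003  R1 += R0          <- loop start
    ("SUB", 0, 2),       # 0x0004  R0 -= 1
    ("JNZ", 0, 3),       # 0x0005  if R0 != 0 goto 0x0003
    ("HALT",),           # 0x0006
]


def run_program(program):
    """Run a program and return (registers, cycles executed)."""
    cpu = CPU(program).run()
    return cpu.regs, cpu.cycles


if __name__ == "__main__":
    print(run_program(SUM_TO_FIVE))     # ([0, 15, 1, 0], 19)
```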


Memory – In Depth (1)

• Memory or RAM actually consists of two parts
• We’re crossing over into the realm of programming here briefly
• The Stack is a fast access area that stores temporary data during
program execution
• The Stack is managed by the processor. The programmer does not
have to worry about it
• The data on the Stack only exists while the function that created
the data is running
• The Stack is limited in size
• It is a LIFO (Last In First Out) Stack

Memory – In Depth (1)

When we talk about memory we mean RAM (Random Access Memory). There are two main parts of RAM: the stack, and the heap. The stack is a fast
access area that stores temporary data during program execution. The stack is managed by the processor automatically: the programmer does not usually
have to worry about it. The stack is a memory structure known as LIFO (Last In First Out). When you have a function in your code, the data on the stack
that is created by that function only exists while the function is running.


Memory – In Depth (2)

• Imagine you have a bunch of plates. Each plate represents a bit of
data necessary for your computer program.
• You take a plate and you put it on the table. This is your first bit of
data for the program.
• The next bit of data goes on top of the stack, so the second plate
goes on top of the first
• Now you won’t be able to get to the bottom plate without removing
the top plate first. This is a Last In First Out stack, because the last
plate that was added has to be the first one that comes off.


Memory – In Depth (2)

Picture a stack of plates. You can’t just take a plate from the middle of the stack: you first have to lift all the plates on top of the one you are trying to reach.
This is a Last In First Out (LIFO) structure, because the last plate you put on the stack is also the first one you can remove - meanwhile the first plate on the
stack has to have all the ones above it removed before you can access it.


Memory – In Depth (3)

• The other part of Memory in a computer is called the Heap
• The Heap is relatively slower in comparison to the Stack
• There is no size limit for data
• The CPU does not manage it, so it is up to the programmer
• Memory may become fragmented over time
• The data stored in the heap is accessible from any part of the
program, not just the function that created it


Memory – In Depth (3)

The other section of memory is called the heap. It is relatively slower to access, but unlike the stack there is no size limit and the CPU doesn’t manage it -
so the programmer has to take that into account. That means the programmer is responsible for specifying when he needs to allocate some space on the
heap, and when he is done with that block of memory the programmer is responsible for freeing it up.

Memory on the heap tends to fragment over time. In addition, unlike the stack data on the heap can be read from any part of the program, and not just the
function that created the data.


Memory – Addressing (1)

• Memory addresses are a logical construct created by the Operating
System Kernel to allow access to RAM
• A memory address is usually written as a hexadecimal number
• The Stack grows down in memory
• The Heap grows up in memory
• The ESP register in the CPU is the stack pointer register. It points
to the top of the stack, which since the stack grows downwards is
the bottom.
• Maybe a diagram would be better…


Memory – Addressing (1)

Memory addresses are a logical construct created by the Operating System kernel to allow access to RAM. These are hexadecimal numbers such as
0xFFFFFFFF. The stack starts from the highest memory addresses and grows down, while the heap starts from the lowest memory addresses and grows up.

Theoretically it is possible for them to meet in the middle - however in practice this should never happen because the stack will keep shifting in size,
growing and then shrinking as needed.


Memory – Addressing (2)


Memory – Addressing (2)

Here we can see the EBP register points to the base of the stack, while ESP points to the top of the stack. The top of the stack is confusingly on the bottom
because the stack grows in a downward direction. Then there’s the heap which grows upwards.


Storage – In Depth (1)

• Each data storage device has a series of clusters. A cluster is the
smallest logical amount of disk space that can be used to hold a file.
• Therefore if the cluster size on your storage device is large, and the
files you are storing are small, there will be wasted space - which is
called slack space
• Each cluster has an address


Storage – In Depth (1)

When we talk about Storage we mean permanent filesystem storage. Each storage device is split up into clusters. A cluster is the smallest logical amount of
space that can be used to hold a file. So if you have a cluster of, say, 16 KB then a file that is 3 KB will still take up the whole 16 KB. The unused space within
the cluster is known as ‘slack space’.

Similar to RAM each cluster has an address which can be used to access the cluster.


Storage – In Depth (2)

• The name of the file is stored in an index which lists the starting
addresses where the data can be located
• If a file is deleted, the index entry is deleted and the storage
address is marked as over-writable
• This means that the cluster is free to be re-used. However, the data
is still there unless another file overwrites it.
• This is the reason why you can recover deleted files from a hard
disk
• This is also the reason why secure deletion software should be used
to delete sensitive documents. These tools work by overwriting the
data at least once.

Storage – In Depth (2)

The specifics of how storage is used depends on the filesystem used. Generally speaking there is an index which stores the name of each file and other
metadata, as well as the address of the first cluster where the file can be located.

When we talk about deleting a file, all we are doing is deleting the entry in the index and marking those clusters with a flag that says they can be
overwritten if necessary. Actually removing the data from storage would mean overwriting it with 0s, but that’s wasteful. It’s much more efficient to just
mark the cluster as over-writable and overwrite the data when more data has to be saved there. That of course is the reason why data can often be
recovered after it has been deleted: the data is still on the disk, marked as over-writable, but it has not been overwritten yet.

The way secure deletion software works is instead of just marking the data as over-writeable it writes 0s over the data also.


Storage – In Depth (3)

• If a file needs to be stored and it is larger than a cluster one of three
things can happen:
• If there are other clusters free that follow on from the cluster, the data will
continue to be stored in those
• If there are no other clusters free that are contiguous, the rest of the data
will be stored in a different address and a pointer to the new address will be
added to the end of the previous cluster
• Some filesystems use an index table or File Allocation Table where each
cluster on a Storage device is mapped. The start cluster will point to an entry
in the file allocation table, which contains the address for the next cluster.
The start of that cluster will have an entry in the file allocation table, which
points to the next cluster - and so on, until the file is read.


Storage – In Depth (3)

If a file needs to be stored and it is larger than a cluster, one of three things can happen:

If there are free clusters contiguous with (following on from) the first cluster, the data is simply written to those clusters.

If there are no free contiguous clusters, the rest of the data is stored at a different address and a pointer to that address is kept with the previous
cluster. A file spread over non-adjacent clusters like this is fragmented, which is why defragmentation tools exist.

On some filesystems a File Allocation Table is used to keep track of every cluster on the storage device. The directory entry for a file gives its start cluster;
the FAT entry for that cluster holds the address of the next cluster, that cluster's FAT entry holds the address of the one after it, and so on until an
end-of-chain marker is reached. Anything that parses a FAT (an operating system driver, or a forensic tool) has to treat the chain with suspicion: a corrupt
or malicious table can point a chain at a cluster outside the volume or back at itself, so a reader that follows it blindly never terminates.
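The following is an added example, not code from the course book: a miniature FAT-style volume in Python that ties the last two slides together. It has an index (directory), a File Allocation Table and fixed-size clusters; a file larger than one cluster is chained through the FAT and may land on non-contiguous clusters, a normal delete only drops the index entry and frees the FAT entries (so the data is still there for a recovery tool to carve), and a secure delete overwrites the clusters first. The chain walker also refuses looping or out-of-range chains. Cluster size, the reserved clusters 0 and 1, and the marker values are choices made for this toy, not a real FAT layout.

```python
# Added example (not from the course book): a miniature FAT-style volume that
# shows the cluster chain, non-contiguous allocation, and why a "deleted" file
# is still recoverable until its clusters are overwritten.

CLUSTER_SIZE = 4        # bytes per cluster; tiny so the chains are easy to see
FREE = 0                # FAT entry: cluster is unallocated (may be overwritten)
RESERVED = -2           # FAT entry: clusters 0 and 1, never used for data (as in real FAT)
END_OF_CHAIN = -1       # FAT entry: this is the last cluster of the file


class ToyVolume:
    def __init__(self, data_clusters):
        self.fat = [RESERVED, RESERVED] + [FREE] * data_clusters
        self.clusters = [bytes(CLUSTER_SIZE) for _ in self.fat]
        self.index = {}  # the "directory": filename -> first cluster

    def _free_clusters(self):
        return [c for c, entry in enumerate(self.fat) if entry == FREE]

    def write(self, name, data):
        """Store data in the first free clusters, linking them through the FAT."""
        needed = max(1, -(-len(data) // CLUSTER_SIZE))  # ceiling division
        chosen = self._free_clusters()[:needed]
        if len(chosen) < needed:
            raise OSError("volume full")
        for k, c in enumerate(chosen):
            chunk = data[k * CLUSTER_SIZE:(k + 1) * CLUSTER_SIZE]
            self.clusters[c] = chunk.ljust(CLUSTER_SIZE, b"\x00")
            self.fat[c] = chosen[k + 1] if k + 1 < needed else END_OF_CHAIN
        self.index[name] = chosen[0]
        return chosen

    def chain(self, start):
        """Follow the FAT from a start cluster, refusing loops and bad entries."""
        seen = set()
        c = start
        while c != END_OF_CHAIN:
            if c in seen or not 2 <= c < len(self.fat) or self.fat[c] == FREE:
                raise ValueError("corrupt cluster chain at %r" % (c,))
            seen.add(c)
            yield c
            c = self.fat[c]

    def chain_is_valid(self, start):
        try:
            list(self.chain(start))
            return True
        except ValueError:
            return False

    def read(self, name):
        return b"".join(self.clusters[c] for c in self.chain(self.index[name]))

    def delete(self, name, secure=False):
        """Normal delete only drops the index entry and frees the FAT entries."""
        start = self.index.pop(name)
        for c in list(self.chain(start)):  # walk the whole chain before freeing it
            if secure:
                self.clusters[c] = bytes(CLUSTER_SIZE)  # overwrite with zeros first
            self.fat[c] = FREE

    def carve_free_space(self):
        """What a recovery tool sees: free clusters that still hold old data."""
        return b"".join(self.clusters[c] for c, e in enumerate(self.fat)
                        if e == FREE and any(self.clusters[c]))


def demo():
    vol = ToyVolume(data_clusters=8)
    vol.write("a.txt", b"AAAA")                # cluster 2
    vol.write("b.txt", b"BBBBBBBBBBBB")        # clusters 3, 4, 5
    vol.delete("a.txt")                        # cluster 2 marked free, data untouched
    leftover = vol.carve_free_space()          # b"AAAA" is still there
    c_chain = vol.write("c.txt", b"CCCCCCCC")  # reuses 2, continues at 6: not contiguous
    vol.delete("b.txt", secure=True)           # clusters 3-5 zeroed before being freed
    return {
        "leftover_after_delete": leftover,
        "c_chain": c_chain,
        "c_data": vol.read("c.txt"),
        "leftover_after_secure_delete": vol.carve_free_space(),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the file `c.txt` chained over clusters 2 and 6, the deleted `a.txt` still carveable from free space until cluster 2 was reused, and nothing left to carve after the secure delete of `b.txt`. Setting a FAT entry to point back at an earlier cluster makes `chain_is_valid()` return False, which is the check a real parser needs before trusting a table read from untrusted media.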


Storage – In Depth (4)

• There are many different types of filesystems available.
• FAT32
• NTFS
• ExFAT
• Ext3 / Ext4
• HFS+


Storage – In Depth (4)

There are many different types of filesystems available. We will be covering some of them in the next few slides:
• FAT32
• NTFS
• ExFAT
• Ext3 / Ext4
• HFS+


Storage – FAT32

• Introduced with Windows 95 OSR2 (1996)
• Doesn’t support files larger than 4GB
• Lacks permissions support and other security features built into
modern filesystems
• Primarily used on USB drives and other removable media, although
this is waning with the rise of ExFAT


Storage - FAT32

FAT32 is definitely an older filesystem: it was introduced with Windows 95 OSR2 in 1996. It doesn't support files larger than 4GB, which can be an issue
these days (a single DVD image or a large virtual disk will not fit). It does not support permissions or any of the other security features you see in more
modern filesystems, so anyone who can mount the volume can read and modify every file on it, and files copied onto it from an NTFS volume lose their
access control lists. You can still see it on removable media such as USB drives, but less so since the introduction of ExFAT.


Storage – NTFS

• The filesystem used by modern versions of Windows
• File size limit is so large that it’s meaningless in practice
• Supports permissions and other features such as encryption and
shadow copies (backups)
• Limited compatibility with non-Windows operating systems,
therefore not frequently used for removable media such as USB
drives
• E.g. Mac OS X can read from an NTFS drive but, by default, cannot
write to it


Storage – NTFS

This is the filesystem that modern versions of Windows use. It has a file size limit, but the limit is so large that you won't hit it on today's hardware. It
has a lot of useful features: permissions in the form of access control lists on every file and directory, encryption (EFS), and shadow copies (volume
snapshots used for backups and System Restore). It also supports alternate data streams, which let extra data be attached to a file without changing its
apparent size; these have legitimate uses (Windows records that a file was downloaded from the Internet in one) but are also used to hide payloads, so
forensic tooling enumerates them. NTFS is not well supported on non-Windows operating systems: a Mac can read from an NTFS volume out of the box,
for example, but cannot write to it without third-party drivers.


Storage – ExFAT

• Introduced in 2006, but only recently gaining traction
• A filesystem optimised for USB drives and other removable media
• Very similar to FAT32 but without limitations such as the 4GB file
size limit
• No security features such as permissions support
• Compatible with Windows, Mac and Linux
• Not supported on very old operating systems such as Windows 95


Storage – ExFAT

ExFAT was introduced in 2006 and has since gained traction. It is supported by nearly every modern operating system, and is actually very similar to
FAT32, except that there is no meaningful file size limit to worry about.

ExFAT is still a very minimal file system, with no permissions support or any other security features, so the same caveat as FAT32 applies: whoever
holds the drive can read everything on it, and protecting the contents means encrypting the drive. Its benefit is that it is compatible with Windows, Mac and
Linux (on older Linux distributions through a FUSE driver, on recent kernels natively), which makes it an ideal filesystem for USB drives and other
removable media.


Storage – Ext3

• Introduced in 2001
• A filesystem for Linux
• Maximum file size of 2TB (depending on block size)
• Supports journaling, where all changes to the file system are
tracked in a separate part of the hard disk called the ‘journal’. This
means that in the event of a crash the chances of the filesystem
becoming unrecoverable are lessened.
• Supports file permissions and other security features


Storage – Ext3

Ext3 is a Linux filesystem introduced in 2001. It supports files up to 2TB in size (the exact limit depends on the block size chosen when the filesystem is
created) and supports journaling, a process whereby changes to the filesystem are first recorded in a separate area of the disk called the ‘journal’ and
only then applied to the main filesystem structures. If the machine crashes part-way through an update, the journal is replayed at the next mount:
completed transactions are applied and incomplete ones discarded, so the chance of unrecoverable filesystem corruption is much lower than on its
non-journaled predecessor Ext2. Note that by default Ext3 journals metadata only, not file contents, so after a crash the filesystem structure is consistent
but a file that was being written may contain only part of the new data. Similar to NTFS, it supports filesystem permissions and other security features,
although it does not support shadow copy.
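The following is an added example, not code from the course book or from the Ext3 implementation: a miniature metadata journal in Python. An update that must change two on-disk structures together (a new directory entry and the free-cluster count) is logged to the journal, marked committed, and only then applied; `mount()` replays committed transactions and discards uncommitted ones. The unjournaled version writes the fields one at a time and is left inconsistent by a crash in between. The field names and the crash points are choices made for this illustration.

```python
# Added example (not from the course book): metadata journaling in miniature.
# A filesystem update that touches several on-disk structures is first written
# to the journal and marked committed; only then is it applied to the main area.
# After a crash, mount() replays committed transactions and discards the rest,
# so the main area is never left half-updated.

class JournaledStore:
    def __init__(self, initial):
        self.main = dict(initial)   # the main on-disk metadata area
        self.journal = []           # transactions waiting to be applied

    def write(self, updates, crash_after=None):
        """Apply a multi-field update; crash_after simulates power loss at a step."""
        txn = {"updates": dict(updates), "committed": False}
        self.journal.append(txn)            # step 1: log the intended change
        if crash_after == "log":
            return
        txn["committed"] = True             # step 2: commit record hits the journal
        if crash_after == "commit":
            return
        self.main.update(txn["updates"])    # step 3: apply to the main area
        self.journal.remove(txn)            # step 4: checkpoint, journal space reused

    def mount(self):
        """Crash recovery: replay committed transactions, drop uncommitted ones."""
        replayed = discarded = 0
        for txn in list(self.journal):
            if txn["committed"]:
                self.main.update(txn["updates"])
                replayed += 1
            else:
                discarded += 1
            self.journal.remove(txn)
        return replayed, discarded


def unjournaled_write(main, updates, crash_after_fields):
    """A filesystem without a journal writes each structure in turn; a crash
    part-way leaves some fields new and some old (an inconsistent filesystem)."""
    main = dict(main)
    for i, (field, value) in enumerate(updates.items()):
        if i == crash_after_fields:
            break
        main[field] = value
    return main


def simulate():
    # Creating a 4-cluster file must update the directory entry AND the free count.
    before = {"free_clusters": 10}
    change = {"dir/a.txt": 4, "free_clusters": 6}
    results = {"no_journal_crash": unjournaled_write(before, change, crash_after_fields=1)}
    for crash_point in ("log", "commit", None):
        store = JournaledStore(before)
        store.write(change, crash_after=crash_point)
        replayed, discarded = store.mount()
        results[f"journal_crash_{crash_point}"] = (dict(store.main), replayed, discarded)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

The unjournaled crash leaves a directory entry for a 4-cluster file while the free count still says 10: space is accounted for twice, the kind of damage fsck has to hunt for. With the journal, a crash before the commit record is simply discarded at mount and a crash after it is replayed, so the main area is always either the old state or the complete new one.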


Storage – Ext4

• Introduced in 2008
• A filesystem for Linux
• File size limit of 16TB, effectively no limit
• Supports journaling
• Several new features such as fast disk checking which improve
performance and reliability
• Option to disable journaling
• Supports file permissions and other security features


Storage – Ext4

Another Linux filesystem, and the default on most distributions. Ext4 is newer (2008) and its file size limit of 16TB is effectively no limit. Like its
predecessor Ext3, it supports journaling, as well as newer features such as extents and fast disk checking (fsck skips unallocated block groups) which
improve performance and reliability. It is also possible to disable journaling, trading crash resilience for a little speed. The file system permissions and
other security features that Ext3 has are also supported.


Storage – HFS+

• Proprietary filesystem from Apple
• Natively supported only by the Mac operating system
• Essentially no file size limitations
• Supports journaling
• Supports file permissions and other security features


Storage – HFS+

This is a proprietary filesystem from Apple which is natively supported only by Mac OS (Linux can read it, and write to it if journaling is disabled; Windows
needs third-party software). Like any good modern filesystem the file size limits are so large that there are essentially no limits. It supports journaling and
file permissions (including access control lists) and other security features. Apple began replacing HFS+ with its successor APFS in 2017.


GPU – In Depth (1)

• GPUs are essentially processors; however, they are streamlined to
do one thing only and do it well
• They excel at running the same simple calculation over huge
numbers of inputs in parallel
• They have their own dedicated RAM


GPU – In Depth (1)

The Graphics Processing Unit (GPU) is a dedicated processor that excels at number crunching: thousands of small cores running the same arithmetic in
parallel. They are useful to the security community because we can use them to perform high speed hashing.

Usually this means you have a password hash and you wish to crack it: the GPU hashes millions or billions of candidate passwords per second (depending
on the hashing algorithm) and compares each result with the hash you hold. This speeds up password cracking enormously compared with a CPU.


GPU – In Depth (2)

• For the purposes of security, GPUs are incredibly useful for
cracking password hashes
• A single CPU can generally hash about 13000 words a second
• A single GPU can hash roughly 6 million words a second
• This gap widens further when we consider multiple GPUs
• These benchmarks are for the MD5 hashing algorithm. Numbers
will be much lower with slower hashing algorithms or hardware.


GPU – In Depth (2)

Let’s take a look at the benchmark output for a password cracking rig that runs 8 NVIDIA GTX 1080 GPUs using the password cracking tool ‘hashcat’:

Hashtype: MD5
Speed.Dev.#1.: 24943.1 MH/s (97.53ms)
Speed.Dev.#2.: 24788.6 MH/s (96.69ms)
Speed.Dev.#3.: 25022.2 MH/s (97.76ms)
Speed.Dev.#4.: 25106.6 MH/s (97.42ms)
Speed.Dev.#5.: 25114.1 MH/s (97.42ms)
Speed.Dev.#6.: 24924.1 MH/s (97.30ms)
Speed.Dev.#7.: 25197.9 MH/s (97.30ms)
Speed.Dev.#8.: 25246.4 MH/s (97.00ms)
Speed.Dev.#*.: 200.3 GH/s

The last figure of 200.3 GH/s is the total password cracking capacity across all cards. To be clear, that's 200 billion MD5 hashes calculated per second, or
200 billion candidate passwords tried against a single unsalted MD5 hash per second. Granted MD5 is a lightweight algorithm that was never designed for
passwords; algorithms built for the purpose (bcrypt, scrypt, PBKDF2, Argon2) are deliberately slow and reduce these rates by many orders of magnitude,
which is exactly why they are the recommended way to store passwords. But for the fast, unsalted hashes still found in the wild it is an impressive figure.
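As an added example (not from the course book), the following Python turns the two hash rates quoted on these slides into something more useful than a raw number: the size of a password keyspace and the worst-case time to exhaust it. The 13000/s CPU and 200.3 GH/s rig figures are the slide's; the character sets and the 8-character policy are assumptions chosen for the table, and any other rate (for a slower algorithm, say) can be passed in.

```python
# Added example (not from the course book): how the hash rates quoted above
# translate into time to search a password keyspace.  The two rates are the
# figures from the course slides; everything else is standard arithmetic.

import string

CPU_MD5_RATE = 13_000         # hashes/s, single CPU (slide figure)
GPU_RIG_MD5_RATE = 200.3e9    # hashes/s, 8 x GTX 1080 running hashcat, MD5 (slide figure)

CHARSETS = {
    "lowercase": string.ascii_lowercase,                                            # 26 symbols
    "lowercase+digits": string.ascii_lowercase + string.digits,                     # 36
    "mixed+digits": string.ascii_letters + string.digits,                           # 62
    "all printable": string.ascii_letters + string.digits + string.punctuation + " ",  # 95
}


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidates of every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet_size, max_len, rate, min_len=1):
    """Worst case: every candidate tried once.  On average a hit comes at half this."""
    return keyspace(alphabet_size, max_len, min_len) / rate


def human(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report(max_len=8, rates=None):
    """Table of worst-case exhaustive-search time per charset at each hash rate."""
    rates = rates or {"1 CPU": CPU_MD5_RATE, "8 x GTX 1080": GPU_RIG_MD5_RATE}
    rows = []
    for name, charset in CHARSETS.items():
        row = {"charset": name, "symbols": len(charset),
               "candidates": keyspace(len(charset), max_len)}
        for label, rate in rates.items():
            row[label] = human(seconds_to_exhaust(len(charset), max_len, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Every lowercase password of up to 8 characters (about 2.2 x 10^11 candidates) takes the rig roughly a second at the MD5 rate and the single CPU over six months; the 95-symbol set at the same length is about 6.7 x 10^15 candidates, roughly nine hours for the rig. Passing a rate for a deliberately slow algorithm instead of MD5 shows why the choice of hash matters far more than the choice of hardware.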


Up Next…

201.2 - Linux Fundamentals
