Quick Recap - Last Week

Purpose: capture and preserve digital evidence without altering it.

• Acquisition types:
  • Live - collect volatile data (RAM, active processes, network).
  • Dead - image powered-off media (disks, USBs, phones).
• Imaging formats: RAW | E01 | AFF - each with trade-offs in size, speed, and metadata.
• Golden rules:
  • Never work on the original evidence.
  • Always use write blockers.
  • Hash before and after to confirm integrity.
• Outcome: a forensically sound duplicate ready for examination.

How does a computer store data?

What Is Digital Data?

Digital data is information represented using discrete values - typically 0s and 1s (binary).

• Every file, photo, message, and signal inside a computer is stored as a sequence of bits.
• Data can represent:
  • Text, Images, Sound, Video
• Computers use numbering systems (binary, octal, decimal, hexadecimal) to represent and interpret this data.

In forensics, understanding how data is represented helps investigators identify, recover, and interpret evidence accurately.

Computer Data Bit by Bit: Representing 1s and 0s

These physical states correspond to binary digits - 0 and 1 - forming the foundation of all digital information.

Numbers

We're going through it briefly.

Decimal Number System - Base 10 (Example 2748)

• Uses digits 0-9 and is based on powers of 10
• Each position (column) has a place value that increases by a factor of 10
• Most familiar system used in everyday counting and arithmetic

(2748)₁₀ = 2×10³ + 7×10² + 4×10¹ + 8×10⁰ = 2,748

Octal Number System - Base 8

• Uses digits 0-7 and is based on powers of 8
• Each position represents a power of 8 increasing from right to left
• Commonly used as a compact binary representation (groups of 3 bits)

(5274)₈ = 5×8³ + 2×8² + 7×8¹ + 4×8⁰ = 2,748₁₀

Hexadecimal Number System - Base 16

• Uses digits 0-9 and letters A-F
• A = 10, B = 11, C = 12, D = 13, E = 14, F = 15
• Based on powers of 16
• Commonly used in computing and digital forensics to represent binary values more compactly (4 bits = 1 hex digit)

(ABC)₁₆ = A×16² + B×16¹ + C×16⁰ = 10×256 + 11×16 + 12 = 2,748₁₀

Binary Number System - Base 2

• Uses digits 0 and 1, and is based on powers of 2
• Each bit (binary digit) represents a power of two, increasing from right to left
• Foundation of all digital data, since every value in computing is expressed in binary form

(101010111100)₂ = 2048 + 512 + 128 + 32 + 16 + 8 + 4 = 2,748₁₀

Each system expresses the same values in different bases:
Binary (Base 2) · Octal (Base 8) · Decimal (Base 10) · Hexadecimal (Base 16)

Storage Sizes

Data grows exponentially - every step up represents 1,024 times more information than the previous level.

Text

Question: How does the computer save text data?

1. Standard ASCII

• It’s a system that displays characters in standard formats.
• Use numbers to represent text/characters
• 8-bit code 7 bits for data and 1 bit for parity - 128 chars - Low ASCII
• Low ASCII- Characters, punctuation, special codes
  

ASCII (American Standard Code for Information Interchange)

2.Extended ASCII Table

The Extended ASCII set expands the standard 7-bit ASCII (0-127) to 8 bits (0-255).

• Supports additional symbols, graphics, and accented characters.
• Printable characters range from 32-126 and 128-255.
• Used by systems like IBM PC, Windows-1252, and ISO 8859-1 for extended language support.

ASCII Character Codes

Example: The letters c, a, t

Each letter has a unique ASCII value, which can be expressed in decimal, hexadecimal, or binary.

Can 256-character codes accommodate all the characters in other languages, e.g., Chinese, Japanese, Hindi, etc.?

3. Unicode

Extended the number of characters. Worldwide standard for processing, displaying, and interchanging all types of language texts.

• Uses 2 bytes per character
  • 16 bits
  • 65,536 code points per plane
  • 17 planes in total
  • 1,114,112 possible characters
• Letter A
  • ASCII: 41h, Unicode: 4100h

When searching for text data, always search in both Unicode and ASCII formats.

Others: Base64 and ROT13

• Base64: Encodes binary data into text for safe storage or transfer.

  • Alphabet: [A–Z][a–z][0–9][+/=]
  • the cat sat on the mat → dGhlIGNhdCBzYXQgb24gdGhlIG1hdA==
  • Used to represent binary data in text form, e.g. emails, HTTP, APIs, embedded images.

• ROT13: Simple substitution cipher that rotates letters by 13 places.

  • Alphabet: A–Z a–z
  • hello → uryyb
  • Used for simple obfuscation, puzzles, and teaching, not real security.

Endianness

It refers to the order in which a sequence of bytes is stored in a computer’s memory.

• Big-endian: most significant value in the sequence is stored at the lowest storage address (i.e., first)
• Little-endian : the least significant value in the sequence is stored first

Endianness

• Many mainframe computers, particularly IBM mainframes, use a big-endian architecture.

• Most modern computers, including PCs, use the little-endian system.

GRAPHICS AND VIDEO

Graphics and Video

• Common image formats include:
  • Bitmap (.bmp)
  • GIF (.gif)
  • JPEG (.jpg)
  • PNG (.png)

Graphics

• Digital cameras and scanners record the colour of each picture element - called a pixel.
• Pixel stands for picture element.
• Each small square in an image is a pixel, stored as one or more bytes.
• A 4-megapixel camera captures about 4 million pixels to form one image.

The more pixels an image has, the higher its resolution.

Video & Animation

• Video and animation are sequences of single graphic images (frames) displayed over time.
• A synchronised audio track may also be stored, aligning sound samples with each frame.
• MPEG is the most common video format:
  • Combines JPEG images (frames) with MP3 audio synced in sequence.

Motion = rapid display of still frames + synchronised sound.

FILE EXTENSIONS AND FILE HEADERS

File Types and Headers

• A typical hard drive contains thousands of files.
• These files come in many different types and formats.
• File types are usually identified by their three-letter extensions (e.g., .jpg, .doc, .pdf).
• Each file also includes a header - a small block of data that helps the system recognise its type and structure.

Extensions help users identify files, while headers help software and forensic tools verify them.

File Types and Extension Examples

File extensions give users a quick way to identify format and function.

File Headers

• The first bytes of a file form its signature or magic number.
• These identify the file type and allow it to open correctly.
• If the header is changed or missing, the file becomes unreadable.
• Headers also store key metadata like size and format.

Crucial for authenticating files in digital forensics.

What is Metadata?

Metadata - Digital data often includes metadata, which provides information about the characteristics, origin and structure of the data

File Headers / Signatures

The file header (magic number) reveals the true file type - even if the extension is changed.

Example: What file type is associated with this header?

Another Example

Deleting or Modifying File Extensions

• Adversaries can rename or remove extensions to hide files or evade detection.
• Extension = user hint, not definitive proof of file type.
• Use a hex editor or forensic tool to inspect the file header (magic number) to determine true content.
• Always verify file identity before trusting extension-based evidence.

Activity

Identify the actual file type.
Decide whether the file extension matches the file signature.

What is a Hex Editor?

A hex editor (or binary/byte editor) is a program that allows manipulation of the fundamental binary data that makes up a computer file.

• The name “hex” comes from hexadecimal, the standard numerical format for representing binary data.

Finding a List of File Signatures and Related Resources

• Gary Kessler’s File Signature Database
• Filext.com
• Wikipedia - List of File Signatures

Useful resources for researching file headers, extensions, and magic numbers in forensic analysis.

Now we understand Data, how to search for it?

Searching for Evidence (Keyword Searching)

• A common technique in digital forensic investigations to quickly examine large volumes of data.
• Typically carried out at the early stage of an investigation.
• Focuses on identifying patterns, not exact values, such as:
  • email addresses, phone numbers, account IDs, tracking numbers.
• Case-level keywords: Terms specific to the investigation.
• Global keywords: Terms reused across multiple cases.

Use case-relevant keywords only (e.g. names, usernames, suspect terms).
Avoid wasting resources on unnecessary keywords.
Searches may be case-sensitive, depending on the tool.

Example

GREP (Globally search a Regular Expression and Print)

• A powerful Linux search tool used in forensic investigations.
• Searches input files, or standard input if no file is specified, for matching lines of data.
• Supports regular expressions to identify patterns rather than exact text.

Key Features

• Uses standard GREP symbols and special characters.
• Allows custom and flexible searches.
• Useful for quickly locating evidence across large datasets.

Common GREP / Regular Expression Characters

Example-1

Example-2

Example-3

Remember – the operator only act on the preceding character

GREP in Autopsy

Activity: Regular Expression Practice

1. [^a-z]?Liz[^a-z]?

   • Will this search find Elizabeth, Lizzy or neither ?

2. What does this expression find? \d{4}[- ]{3}:\d{3}

3. Write an expression for find email address for Roehampton

   • e.g., First.Sure@ Roehampton.ac.uk
   • e.g., First.sure@ Roehampton.ac.uk

Lab

• Review your lab and activities from here