CSC414 Computer System Fundamentals THINK BIG WE DO U R I http://www.forensics.cs.uri.edu Digital Forensics Center Department of Computer Science and Statics File Signatures File Signatures Hexadecimal Data Hexadecimal Data - Hex is a way to view binary data - Group bits into four digits - Two groups per byte - Two hex characters per byte - 16 possible combinations - Use 0-9, A-F Easier to recognize patterns and read data 01010100011010000110100101110011 0000 0 0 0001 1 1 0010 2 2 0011 3 3 0100 4 4 0101 5 5 0110 6 6 0111 7 7 1000 8 8 1001 9 9 1010 A 10 1011 B 11 1100 C 12 1101 D 13 1110 E 14 1111 F 15 Binary Hex Binary Hex Decimal Decimal 5 4 6 8 6 9 7 3 54 68 69 73 T h i s Hexadecimal Data 54 68 69 73 T h i s Hex Editors Allow you to examine and change the bits of a file, or the bits of a disk regardless of file boundaries. - Allow view, searching, and modifying at the bit/byte level of files and disks - Similar to a microscope allowing you to see the raw bits without interpretation by the operating system or an application - ACSII codes are provided, but do not necessarily indicate byte values - WinHex Specialist, FTK, EnCase, X-Ways provide hex “view” of data and disks. ASCII codes are stored "as is" - Each character you see or type - Return key, tabs and special characters are stored also. Text Files Binary Hex Symbol 0101 0100 54 T 0010 0000 20 Space 0000 1101 0D Carriage Return 0000 1010 0A Line Feed 0000 1001 09 Tab Used by TRS-80, Mac OS 9 and Used by Mac OS X and Linux .doc Files Microsoft Word Files (before 2007) File Signature for Microsoft Office 2003 and earlier Metadata Offset into file of 0A00 Text starts 2,560 bytes into the file