Week 4 - Data Encoding and Basic File Forensics

Question 1

How are files physically stored on storage media?

Answer 1

Strings of 1s and 0s (binary data) in data blocks.
Interpretation depends on standards, manufacturer specifications, and hardware structure

Question 2

What command shows a file in binary (bits) and hexadecimal?

Answer 2

xxd -b myfile → binary (bits)
xxd myfile → hexadecimal dump

Question 3

What is Encoding?

Answer 3

Rules for how data is stored and retrieved.

Binary encoding → for machines
Character encoding → for human understanding

Question 4

What is ASCII?

Answer 4

American Standard Code for Information Interchange.
1 byte = 1 character (0-127 standard, 128-255 extended).

Question 5

Compare UTF-8, UTF-16, and UTF-32

Answer 5

UTF-8: Variable bytes, backward compatible with ASCII
UTF-16: 16 bits per character (Little/Big Endian)
UTF-32: 32 bits per character, supports all languages

Question 6

What is Base64 encoding used for?

Answer 6

Converts binary data into a sequence of 64 printable ASCII characters. Commonly used in URLs, email attachments, and payloads

Question 7

Main categories of files in forensics?

Answer 7

Data Files – Binary or Character encoded
Program Files – Executables and libraries

Question 8

Difference between Character-encoded and Binary-encoded files?

Answer 8

Character-encoded: Human-readable in text editor (XML, JSON, CSV, YAML, etc.)
Binary-encoded: Machine-readable, illegible as text, often show “magic numbers”

Question 9

Describe the JSON format structure

Answer 9

Uses { } for objects, : to separate key:value, , to separate pairs, [ ] for lists. Supports nesting

Question 10

Describe the CSV format

Answer 10

Values separated by commas or colon. One record per line. Optional header row with field names

Question 11

Describe the XML format

Answer 11

Data enclosed in tags <tag>content</tag>. Supports nesting. Processing instructions start with <?

Question 12

Describe YAML and INI formats

Answer 12

YAML: Key: Value pairs, uses indentation for nesting, - for lists
INI: Key=Value pairs, sections in [Section], no standard list support

Question 13

How can you identify a file type without relying on the extension?

Answer 13

Using the Magic Number (file signature) – specific bytes at the start of the file

Question 14

Give examples of common magic numbers.

Answer 14

GIF → GIF89a
WAV → RIFF
ZIP (including .docx) → PK

Question 15

Why can .docx files be opened with a ZIP tool?

Answer 15

Because .docx is a ZIP archive containing XML files (word/document.xml, etc.)

Question 16

Signed vs Unsigned Integers – explain the difference

Answer 16

Unsigned: Positive numbers only (0 to max)
Signed: Uses Two’s Complement to represent negative numbers

Question 17

What is Little Endian vs Big Endian?

Answer 17

Byte order for multi-byte data types:

Little Endian: Least significant byte first
Big Endian: Most significant byte first

Question 18

What standard is used for floating-point numbers?

Answer 18

IEEE 754

Question 19

List the 4 main methods to identify a file type (in order of forensic preference)

Answer 19

Try to open it (on isolated/offline machine – risky)
Check file extension (easily changed/hidden)
Check Magic Number / File Signature (file command)
Examine contents (text editor, hexdump, strings, etc.)

Question 20

What are the main problems forensic analysts face when examining files?

Answer 20

Older or private formats
Overwritten/changed signatures
Fragmented or partially overwritten files
Encrypted files
Steganography (hidden data)
Context-dependent interpretation (endianness, encoding, structures)
Proving the interpretation matches the creator’s original intent