CHAPTER TWO
Binary to Decimal
IN CHAPTER 1 WE INTRODUCED the basic concepts of numbering systems and how data is moved and manipulated. The life cycle of data, from its humble beginnings as electronic bits and bytes, evolving into characters, then words, finally emerging as a language, then as information and eventually into potential evidence. Understanding how evidence emerges from data, is pivotal in successful forensic investigations.
We continue now in the next step of our cyber forensic learning process, moving from our humble binary beginnings of our two-state world, growing now beyond binary to decimal and back again, gaining a deeper understanding of the math behind the forensics and how a knowledge of the math is essential in understanding even the most basic cyber forensic investigation.
So, as we probe deeper into an understanding of what happens behind the flash and sizzle of forensics, let’s begin where we left off.
AMERICAN STANDARD CODE FOR INFORMATION INTERCHANGE
The history of ASCII and its development were discussed at length previously, and we now know that the characters identified by 2 ^ 7 or 128-bit unique characters are known as American Standard Code for Information Interchange/extended ASCII or just ASCII.
ASCII characters are assigned a decimal value because binary cannot be directly converted to ASCII, and silicon-based computing devices can only compute in binary math. However, binary can be converted into a decimal value, and this decimal value is assigned an ASCII character, thereby completing the cycle.
The first 32 characters in the ASCII-table are unprintable control codes and are used to control peripherals such as printers. Codes 32-127 are common for all the different variations of the ASCII table; they are called printable characters, representing letters, digits, punctuation marks, and a few miscellaneous symbols. You will find almost every character on your keyboard. Character 127 represents the command DEL.
In Table 2.1 we see a sample of binary values, their decimal equivalent, and the ASCII character assigned to that binary value.
TABLE 2.1 Binary Values, Their Decimal Equivalent, and ASCII Code
A computer bases its functions on mathematics, thus in reality, the computer’s microprocessor (its brain) is essentially a glorified calculator. It is the computer’s microprocessor which performs the mathematical calculation from binary to decimal (doing so at a rate of millions of calculations a second), and it does this “behind the scenes,” meaning we do not actually see this function occurring when we are using a computer. Computer instruction speeds fall into various ranges, as shown in Table 2.2.
TABLE 2.2 Microprocessor Speeds
| Millisecond | one thousandth (10^–3) of a second |
| Microsecond | one millionth (10^–6) of a second |
| Nanosecond | one billionth (10^–9) of a second |
| Picosecond | one trillionth (10^–12) of a second |
| Femtosecond | one quadrillionth (10^–15) of a second |
Binary values and numbers (decimals) are capable of having mathematics operations performed on them. Since they have this in common, one can be derived from another. Binary cannot be mathematically computed into a letter “A” or an Arabic character, for example. ASCII or unicode characters are symbols conceived by man; they are little more than pictograms as far as the microprocessor is concerned.
A binary value can be mathematically computed into a decimal value. And a decimal value can be assigned to an ASCII value as seen in Table 2.1. The decimal value is referenced by the corresponding value in the character chart (ASCII or UniCode) by the Operating System (OS) and/or software being used. Ultimately it is software that translates the information into something useful: pictures, words, video, and so on.
Referencing a chart to convert a decimal value to an ASCII character code is a simple concept to grasp; however, we will need to go into further detail to explain the complexities involved with converting binary to decimal.
WHY IS THIS IMPORTANT IN FORENSICS?
Data are not always complete. Most of the time, in fact, data are incomplete or don’t exist at all. Evidence is found in bits of data which do not reside in their native format or visible in an ASCII character code.
Data are not easily discernable when they cannot be reassembled into their “native format” by software designed to read the data. This happens when the headers or other pieces of the original document get overwritten or otherwise erased. Imagine removing the “.doc” from a word document, and then trying to open that document. What happens? A lot of error messages for one. A computer has great difficulty opening up (processing or acting upon) something (a file, folder, instruction, etc.) that it does not recognize.
Forensically, in order to extract only the necessary, critical bits and pieces of data (representing perhaps a document) relative to an investigation, we need to be able to view the data contained within the document, regardless of the software used to generate the document or the document’s “native file type.”
As identified in Chapter 1, the smallest unit of data is a bit. Eight bits form one byte. Eight bits is the binary representation of a byte that has been assigned a corresponding character code or symbol, whether that character or symbol is in English, Urdu, Chinese, or Sanskrit. So, the eight bits representing a byte must be mathematically “translated” into a representative decimal equivalent to be understood by us humans.
The decimal values of eight bits are shown in Table 2.3.
TABLE 2.3 Decimal Values of Eight Bits
This table shows Base 2 to the nth power. The mathematical outcome (or the decimal value) of each power is presented in the second row. This decimal value represents the total possible outcomes (or states) of Base 2 to the nth power. It is a mathematical constant, 27 will always equal 128.
Since a computer cannot recognize or process the character “&” in its native form, and only processes binary stored bits, and since we humans do not process binary information, how do we convert a binary value into a decimal value?
Let’s take, for example, converting the binary value 01011000 into its decimal equivalent. Using the information in Table 2.3, we add another row to the table for our binary value, 01011000, which gives us Table 2.4.
TABLE 2.4 Binary to Decimal Conversion
The key to converting the binary value to its decimal equivalent is the existence (or lack thereof) of a “current” represented by the binary value of a “0” or a “1” switch or binary character.
If a binary value is present in the placeholder, the value is turned on, represented by the value of one (1). If no binary value occupies the place holder, then the value is turned off, which is represented by the value zero (0).
If the binary switch (or value) is ON (a “1”) then the decimal value is ON, meaning it is added or counted when determining the total decimal value. If the binary switch is OFF (a “0”), then the decimal value is not counted or added when determining the total decimal equivalent.
To complete our conversion process, we add a final row to our table to represent the decimal value of our converted binary value. (See Figure 2.1.)
FIGURE 2.1 Binary to Decimal Conversion
The only binary values turned “on” and represented by the value one, are the fourth, fifth, and seventh bits, with decimal equivalents of 8, 16, and 64 respectively. Simply adding up these decimal values (8 + 16 + 64) gives us the decimal value 88, and the decimal equivalent of the binary value 01011000.
Count the number of digits in the binary number. For each digit, list the powers of 2 from right to left in order, starting with 1 until you have one power of 2 for each digit. In our example, for an eight-digit binary number 01011000, you would list 128, 64, 32, 16, 8, 4, 2, and 1.
Connect the binary digits with their corresponding powers of 2 with a straight line.
Go through the binary numbers and if the binary number is 1, bring down the power of 2 and write it in the corresponding box on the decimal value line. If the binary number is 0, put a 0 in the box.
Convert the binary number to decimal by adding up the decimal value you entered into each box.
The sum of the numbers is the decimal equivalent of the binary number.
Binary 01011000 equals a decimal value of 88.
A FORENSIC CASE EXAMPLE: AN APPLICATION OF THE MATH
Mrs. Ronelle Sawyer, a cyber forensic investigator is looking for evidence of communications between Mr. Jose McCarthy, a research scientist at ABC Inc., and Ms. Janice Witcome, managing director of the XYZ Company, a competitor, in a case involving the potential theft of intellectual property (IP).
The question then is, “How can Ronelle identify any occurrences of the company name ‘XYZ’ when examining the contents of Jose’s hard drive?” An initial answer, the “human view” of the data sought by Ronelle, is already known. Ronelle would begin looking for any occurrences or references to either “Witcome,” “Janice,” or “XYZ” that may exist on Jose’s hard drive.
From any ASCII table, such as the one partially reproduced in Table 2.5, Ronelle would identify the ASCII characters “X”, “Y”, and “Z” and in doing so would be able to derive the decimal equivalent of these characters: 88, 89, and 90, respectively.
TABLE 2.5 Decimal and ASCII Values
| Decimal | ASCII Symbol | Description |
| 83 | S | Uppercase S |
| 84 | T | Uppercase T |
| 85 | U | Uppercase U |
| 86 | V | Uppercase V |
| 87 | W | Uppercase W |
| 88 | X | Uppercase X |
| 89 | Y | Uppercase Y |
| 90 | Z | Uppercase Z |
Ronelle now can determine the binary equivalent of the decimal values 88, 89, and 90, based upon our earlier discussion by turning “on” those bits that will give Ronelle the values 88, 89, and 90, respectively. (See Tables 2.6, 2.7, and 2.8.)
TABLE 2.6 88 Decimal to Binary
TABLE 2.7 89 Decimal to Binary
TABLE 2.8 90 Decimal to Binary
Table 2.9 summarizes the conversion of the decimal values 88, 89, and 90 into their binary equivalent.
TABLE 2.9 Binary Value of Characters X, Y, and Z
The recognizable ASCII characters “X,” “Y,” and “Z” are stored and “viewed” as binary values by the computer. To the computer, the combined characters “X,” “Y,” and “Z,” would simply “look” like this: 010110000101100101011010.
It is pretty easy for a computer to recognize and to make sense of what all those 1s and 0s mean. It is impossible, however, for humans to decipher, especially when looking through thousands of 1s and 0s all strung together!
How will Ronelle determine if Jose is indeed corresponding with Janice? How will Ronelle possibly be able to examine the millions of 1s and 0s filling Jose’s hard drive, to identify any occurrences of 010110000101100101011010?
Specific tools used by the cyber forensic investigator can convert the binary code 010110000101100101011010 into a format more easily understood by humans.
This format is called Hexadecimal (HEX), which is strictly a human friendly representation of binary values, and the subject of Chapter 3.
DECIMAL TO BINARY: RECAP FOR REVIEW
A decimal value is a mathematical computation of binary, not a visual representation of binary.
There are 10 unique decimal characters– 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9. Ten unique characters by themselves cannot represent the entirety of the ASCII character set or of Unicode.
Converting binary to decimal, as previously described, is easy when the binary value to be converted is small, but as the binary value increases in size, the numbers can get rather large and tedious.
For example, assume a binary value of 010110000101100101011010. This value may appear daunting, but it is only equivalent to three bytes or 24 bits.
If we were to convert this binary string to its decimal value equivalent by turning “on” position values represented by 1s and leaving “off” those position values represented by 0s, our string of numbers would look like this:
When finally totaled, this string of binary values would yield a result of 5,787,994.
The process of deciphering binary values into their decimal equivalent can get very tedious, time consuming, and very expensive, especially if the string of binary values is more than three bytes. Imagine converting an entire sentence, or how about an image?
How can we humans better represent binary without the tedium of decimal computation?
Solution: hexadecimal notation and numeric representation.
Mathematics is perhaps the only universal language, and its principles are based upon inherent truths. Regardless of language or written character representation, 1 + 1 will always equal 2. Mankind may have created the numerals or symbols by which mathematical concepts are expressed; however, mankind did not create math.
Mankind developed character encoding methods based upon symbolic representations including: alphabets, symbols, scripts, punctuation marks, numerals, pictographs, cave drawings, and so on. Written languages continue to evolve and progress; however, as refined as these have become, none have ever been capable of “direct” digital transmittance.
Mathematics’ true universal nature is revealed by how well it is suited for the digital representation of written language. In order to communicate electronically, or digitally, a method must exist by which a human character based script can be converted to a mathematical one.
Binary is the mathematical encoding method by which data is sent electronically. Humans prefer a symbol or character encoding paradigm. It is therefore necessary to connect the dots and convert binary to human character sets.