
Basics of Forensics

The Memory and the processor Address and data buses The stored program concept Format of instructions The processor mechanism Software Programming Breaking sequence A Black Box model of the PC

Information is data arranged in a meaningful way for some perceived purpose

Two black boxes show a processor and a memory connected together by two arrowed lines. They are separated because they are most likely to be implemented using two different electronic chips: a processor chip and a memory chip.

[Figure: Processor and Memory. Objects = data; Rules = program.]

The processor and memory are connected together by flexible cables (tracks on a PCB) which are made up of several wires in parallel. Such multiple connections are called buses.

The heart of a computer is the central processing unit or CPU. This device contains all the circuitry that the computer needs to manipulate data and execute instructions. The CPU is amazingly small given the immense amount of circuitry it contains. The circuits of a computer are made of gates.

Gates, however, are also made of another tiny component called a transistor, and a modern CPU has millions and millions of transistors in its circuitry. The CPU is composed of five basic components: RAM, registers, buses, the ALU, and the Control Unit.

RAM: this component is created by combining latches with a decoder. The latches create circuitry that can remember, while the decoder creates a way for individual memory locations to be selected.

Registers: these components are special memory locations that can be accessed very fast. Three registers are the Instruction Register (IR), the Program Counter (PC), and the Accumulator.

Buses: these components are the information highway for the CPU. Buses are bundles of tiny wires that carry data between components. The three most important buses are the address, the data, and the control buses. The address bus has a single arrow on it, indicating a one-way transfer of data, and the data bus has two arrows, indicating a two-way transfer of data.

ALU: this component is the number cruncher of the CPU. The Arithmetic / Logic Unit performs all the mathematical calculations of the CPU. It is composed of complex circuitry. The ALU can add, subtract, multiply, divide, and perform a host of other calculations on binary numbers.

Control Unit: this component is responsible for directing the flow of instructions and data within the CPU. The Control Unit is actually built of many other selection circuits such as decoders and multiplexors. In the diagram above, the Decoder and the Multiplexor compose the Control Unit.

In order for a CPU to accomplish meaningful work, it must have two inputs: instructions (rules) and objects (data).

Rules are ordered sequences of instructions that are to be interpreted by the processor and which will cause it to carry out a series of specific actions (instructions tell the CPU what actions need to be performed on the data).

Such sequences of rules are called programs.

Instructions/rules are represented with binary codes, like data.

The CPU makes no distinction about whether it is storing instructions or data in RAM. This concept is called the stored-program concept. The first black box, the memory, contains not only the binary patterns that represent the data, but also the binary patterns that represent the rules (programs).

Let us consider the form one such instruction or rule might take: 2 consecutive bytes in memory.

0 0 0 0 0 1 0 1    1 1 0 0 0 1 0 1

First byte: the doing code ("do this thing"), the imperative verb. Here: subtract.
Second byte: the using code ("using this thing"), the passive noun. Here: the thing in byte 197.

The first byte is the doing code. The second byte is the object on which the doing code action is to be done. Here 00000101 means subtract and 11000101 is decimal 197. In many cases the value of the second byte will be the starting place in memory where the object to be manipulated resides; that is, it will be the memory byte address. The two-byte pattern may therefore be interpreted as an instruction or rule that states: subtract the thing in byte 197.

In reality many such doing codes are available, collectively called the order code for the processor. Typical examples include: add a byte, subtract a byte, multiply a byte, divide a byte, input a byte, output a byte, move a byte, compare a byte.

Action            Doing code
Load a byte       00000001
Store a byte      00000010
Add a byte        00000100
Subtract a byte   00000101

The idea of the modern computer was first expounded by John von Neumann (1945): instructions are held sequentially in the memory, and the processor executes each one in turn, from lowest to highest address in memory, unless otherwise instructed. For this the processor maintains a record using the internal counter register, also called the sequence control register or the program counter. This is a small area in the memory that stores the information about the next instruction the processor is about to execute.

The processor undergoes a series of steps to execute an instruction: fetch, interpret, update, execute. The process is called the fetch-decode-execute cycle. It is almost similar to a four-stroke internal combustion engine: fetch, interpret, update and execute.

Fetch step: the instruction is transferred from memory to the Instruction Register along the data bus. The unique bit patterns that make up the machine language are extracted and sent to the decoder/interpreter.

Decoder/interpreter: recognizes which operation the bit pattern represents and activates the correct circuitry to perform the operation. This involves reading from memory, storing data in memory, or activating the ALU to perform a mathematical operation. Upon completing its preparation to perform the instruction, the processor enters the update step. In this step the processor updates its program counter so that it is ready for the next instruction in sequence.

Execute: the action defined in the interpret step is applied to the object defined in the interpret step. To do this, an additional register is used as a scratchpad for interim results; this is sometimes known as an accumulator or general purpose register. After this the processor repeats the cycle with the fetch step once again.

[Figure: Looking Inside. Memory and Processor. The processor shows the four steps (fetch, interpret, update, execute) and the counter, doing, using and gp registers. Counter: 31.]

Memory contents shown in the figure:
Byte 3    01010011
Byte 4    00001111
Byte 5    10011011
Byte 31   00000001
Byte 32   00000011
Byte 33   00000101
Byte 34   00000100
Byte 35   00000010
Byte 36   00000101

Four steps: fetch, interpret, update, execute.

Modern processors (Pentium 4): the approximate speed of operations can be 10,000 MIPS.

The processor is connected to the main memory using two buses, the address bus and the data bus. The third bus, the control bus, is concerned with control activities such as the direction of data flow on the data bus and the general timing of events throughout the system.

The counter register in the processor holds the address in main memory where the next instruction that the processor is to execute can be found. In this example: 31. The doing and using registers are a set of instruction registers used by the processor to interpret the current instruction. The gp register is the general purpose scratchpad register.

The in-built control mechanism cycles clockwise through the four steps: fetch, interpret, update, execute. The rate at which the processor cycle is executed is controlled by the system clock, and this may be running at many millions of cycles per second.

1. Fetch
The value of the counter register, decimal 31, is placed on the address bus by the processor and sent across to memory in binary by means of eight parallel connections. The memory is now requested to transfer a copy of what is in bytes 31 and 32 (i.e., the pattern of the instruction) to the processor. Copies of the 2 bytes are passed across the data bus, one after the other, back to the processor. The processor, upon receiving them, puts them in the doing and using registers.

[Figure: Processor puts 31 on address bus. Address bus: 31; counter: 31; doing: 00000001; using: 00000011.]

[Figure: Memory sends copies of bytes 31 and 32. Address bus: 31; counter: 31; doing: 00000001; using: 00000011.]

Note: The handshaking process is a typical way in which the various parts of a computer system interact with one another. The request is sent across the address bus; the results are returned across the data bus.

2. Interpret
The patterns in the doing and using registers are interpreted as an instruction: the doing code 00000001 as load a byte, and the using code 00000011 as the address of byte 3. Next, the processor moves on to the execute step.

[Figure: Interpret as load byte 3. Counter: 31; doing: load; using: 3.]

3. Update
Here 2 has been added to the counter register so that it holds the address of the next instruction in sequence, 33.

[Figure: Update counter to 33. Counter: 33; doing: load; using: 3.]

4. Execute
The instruction load byte 3 is carried out by the processor. A copy of the using register (decimal 3) is placed on the address bus by the processor and sent across to memory in binary. This requests the memory to transfer a copy of byte 3 to the processor over the data bus. The processor, upon receiving it, places the value 01010011 in the general purpose register. This completes the execution. The processor moves on to the next step, fetching the next instruction.

[Figure: Processor puts 3 on address bus. Address bus: 3; counter: 33; doing: load; using: 3.]

[Figure: Memory sends copy of byte 3. Counter: 33; doing: load; using: 3; gp: 01010011.]

[Figure: Processor puts 33 on address bus. Address bus: 33; counter: 33; doing: load; using: 3; gp: 01010011.]

[Figure: Memory sends copies of bytes 33 & 34. Address bus: 33; counter: 33; doing: 00000101; using: 00000100; gp: 01010011.]

[Figure: Processor puts 4 on address bus. Address bus: 4; counter: 35; doing: Subtract; using: 4; gp: 01010011.]

[Figure: Processor puts 33 on address bus. Address bus: 4; counter: 35; doing: Subtract; using: 4; gp: 01000100. 01010011 - 00001111 = 01000100.]

[Figure: Processor puts 33 on address bus. Address bus: 35; counter: 35; doing: 00000010; using: 00000101; gp: 01000100.]

[Figure: Processor puts 5 on address bus. Address bus: 5; counter: 35; doing: Store; using: 5; gp: 01000100.]

This time the processor receives a byte. The processor achieves this by using the third bus, the control bus: it sets a special write enable signal on that bus to indicate a write action rather than a read action. The process then goes on.
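The cycle walked through above, as an added example that is not part of the original slides: a small Python simulator of the two-byte instruction format, run on the memory image shown in the figures. The function names, treating unlisted bytes as zero, 8-bit wrap-around arithmetic, and stopping on a pattern outside the four listed doing codes are assumptions of this sketch.

```python
# Added example: simulator for the slides' two-byte instructions (doing code, using code).
LOAD, STORE, ADD, SUBTRACT = 0b00000001, 0b00000010, 0b00000100, 0b00000101
NAMES = {LOAD: "load", STORE: "store", ADD: "add", SUBTRACT: "subtract"}


def slide_memory():
    """Memory image from the figures; bytes not shown are assumed to be zero."""
    mem = bytearray(256)  # eight address lines can select 256 bytes
    mem[3], mem[4], mem[5] = 0b01010011, 0b00001111, 0b10011011  # data
    mem[31:37] = bytes([0b00000001, 0b00000011,    # load byte 3
                        0b00000101, 0b00000100,    # subtract byte 4
                        0b00000010, 0b00000101])   # store to byte 5
    return mem


def run(mem, counter, max_cycles=16):
    """Run the four-step cycle; return (gp, counter, trace of steps)."""
    gp, trace = 0, []
    for _ in range(max_cycles):
        addr = counter
        doing, using = mem[addr], mem[(addr + 1) % 256]      # 1. fetch
        if doing not in NAMES:                                # 2. interpret
            trace.append((addr, "unknown", using, gp))
            break  # assumption: stop on a pattern outside the order code
        counter = (counter + 2) % 256                         # 3. update
        if doing == LOAD:                                     # 4. execute
            gp = mem[using]
        elif doing == STORE:
            mem[using] = gp  # the write case: memory content changes
        elif doing == ADD:
            gp = (gp + mem[using]) % 256  # assumption: 8-bit wrap-around
        else:
            gp = (gp - mem[using]) % 256
        trace.append((addr, NAMES[doing], using, gp))
    return gp, counter, trace


if __name__ == "__main__":
    mem = slide_memory()
    before = mem[5]
    gp, counter, trace = run(mem, 31)
    for addr, name, using, value in trace:
        print(f"byte {addr:3d}: {name:8s} using {using:3d}  gp={value:08b}")
    print(f"byte 5 before={before:08b} after={mem[5]:08b} counter={counter}")
```

Starting the counter at a different address makes the same bytes decode differently, which is the stored-program concept in practice: nothing in a byte's value marks it as rule or object.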

Memory and processor; address and data buses; format of instructions; the stored program concept; the processor mechanisms.
