I am reading Brian Carrier's book on File System Forensics. The topic of the Big Endian and Little Endian forms of data organization was mentioned. Previously, I thought Big Endian was the mainframe method of data organization and Little Endian was for PCs. However, in the book, PowerPC (Apple) and Sun SPARC use the Big Endian method of data organization.
How do you convert these data formats in the image? Do the forensics tools know the data organization of the underlying machine?
> How do you convert these data formats in the image?
You don't.
> Do the forensics tools know the data organization of the underlying machine?
Most tools understand formats, yes.
Although the forensic software programs know how to interpret the data, there are often situations where you need to know whether it is Little or Big Endian.
One example is getting the single entries of a Master File Table or analyzing an MBR to get the size of the volumes.
Sometimes, when you have computers with different time zones, it could also become important.
Have fun
Chris
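
The MBR case mentioned in the reply above, as an added example that is not part of the original thread: the start LBA and sector count in each MBR partition entry are stored little endian, so the same four bytes give a different volume size when decoded with the wrong byte order. The sample sector is constructed, 512-byte sectors are assumed, and the function names are hypothetical.

```python
import struct

SECTOR_SIZE = 512   # assumption: 512-byte sectors
TABLE_OFFSET = 446  # partition table: four 16-byte entries
ENTRY_SIZE = 16

def build_sample_mbr():
    """Constructed sample sector: one type 0x07 partition at LBA 2048, 204800 sectors."""
    mbr = bytearray(SECTOR_SIZE)
    # status, CHS start, type, CHS end, then two little-endian 32-bit fields
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(sector):
    """Return the non-empty partition entries, decoding multi-byte fields as little endian."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + ENTRY_SIZE])
        if ptype == 0x00:  # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors,
                      "size_bytes": sectors * SECTOR_SIZE})
    return parts

def sectors_if_big_endian(sector, index=0):
    """Same four bytes of the sector-count field, wrongly decoded as big endian."""
    off = TABLE_OFFSET + index * ENTRY_SIZE + 12
    return struct.unpack(">I", sector[off:off + 4])[0]

if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(p)
    print("big-endian misread of sector count:", sectors_if_big_endian(mbr))
```
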