FND-101 Capstone Specification

The capstone is one documented "decoded artifact": a real-world byte sequence you analyze by hand and explain in writing. You pick the file; you decode it against the public specification; you write up what each byte means.


What you ship

A Git repository containing:

  1. The target file (original, unmodified): the binary you analyzed. Must be one of the approved formats listed below.
  2. hex-dump.txt: the output of xxd your_file | head -80 (first 80 lines of the hex dump, or the complete dump if the file is small enough to fit).
  3. annotation.txt: your byte-by-byte annotation. One entry per logical field in the file header. Format: byte offset: hex value -> what this field means.
  4. decoding-report.md: the written report (400-800 words). See structure below.

Repository naming convention: fnd101-capstone-{your-name} (lowercase, hyphens, no spaces). Example: fnd101-capstone-jamie-smith.


Approved file formats

Choose ONE:

Option A: PNG image

  • Any PNG you have on your computer, or any small PNG from a free image source
  • Specification: http://www.libpng.org/pub/png/spec/iso/index-object.html (focus on §11.2 IHDR chunk: width, height, bit depth, color type)
  • What to decode: the 8-byte PNG signature + the IHDR chunk header (length, type, data, CRC)

Option B: ZIP archive

  • Any ZIP file you create with zip test.zip some_file.txt
  • Specification: PKWARE APPNOTE at https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT (focus on §4.3: Local File Header)
  • What to decode: the Local File Header fields (signature, version needed, flags, compression method, filename length, filename)

Option C: GZIP file

  • Any file compressed with gzip file.txt (produces file.txt.gz)
  • Specification: RFC 1952 at https://www.rfc-editor.org/rfc/rfc1952 (focus on §2.2: Member format)
  • What to decode: the 10-byte GZIP header (magic bytes, method, flags, modification time, OS byte)

Option D: ELF executable (Linux/macOS)

  • Any Linux executable: /bin/ls or /usr/bin/python3
  • Specification: the elf man page (run man 5 elf on Linux) or the Wikipedia article "Executable and Linkable Format" (focus on the ELF header, the first 64 bytes)
  • What to decode: the ELF identification bytes (magic, class, endianness, version, OS/ABI), type, machine, entry point

Option E: Another format you propose

  • Email interested@virtuscyberacademy.org with the format name and specification URL before starting. The course team will confirm within 48 hours.

The annotation format

In annotation.txt, annotate every logical field in the section you are decoding. Use this format:

Offset  Size    Hex     Value/Meaning
------  ------  ------  -----------------------------------------------
0x00    1 byte  0x89    Non-ASCII byte; signals binary file to terminals
0x01    3 bytes 504E47  ASCII 'P', 'N', 'G' -- the format identifier
0x04    1 byte  0x0D    Carriage return (CR, Windows line ending style)
0x05    1 byte  0x0A    Line feed (LF, Unix line ending style)
0x06    1 byte  0x1A    Ctrl-Z; stops 'type' command on DOS
0x07    1 byte  0x0A    Line feed; detects corruption of CR-LF pairs

(This example is for the PNG signature. Your annotation covers the specific format you chose.)

You do not need to decode the entire file, only the header section specified in the format guide above. Typically 16-64 bytes.
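
An optional cross-check for a hand annotation of the Option C header, added here as an example and not part of the course materials: it decodes the 10-byte GZIP header per RFC 1952 and prints rows in the annotation layout above. The function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Flag bits and OS codes as defined in RFC 1952.
FLAGS = {0x01: "FTEXT", 0x02: "FHCRC", 0x04: "FEXTRA", 0x08: "FNAME", 0x10: "FCOMMENT"}
OS_NAMES = {0: "FAT filesystem", 3: "Unix", 7: "Macintosh", 11: "NTFS filesystem", 255: "unknown"}

def annotate_gzip_header(data: bytes):
    """Return (offset, size, hex, meaning) rows for the fixed 10-byte header."""
    if len(data) < 10:
        raise ValueError("truncated: the fixed GZIP header is 10 bytes")
    # '<' = little-endian: MTIME is stored least-significant byte first.
    id1, id2, cm, flg, mtime, xfl, os_code = struct.unpack("<BBBBIBB", data[:10])
    if (id1, id2) != (0x1F, 0x8B):
        raise ValueError("not a GZIP member: magic bytes are not 1f 8b")
    set_flags = [name for bit, name in FLAGS.items() if flg & bit]
    if flg & 0xE0:  # bits 5-7 are reserved and must be zero
        set_flags.append("RESERVED bits set (must be zero)")
    when = ("no timestamp" if mtime == 0 else
            datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"))
    meanings = [
        (0, 2, "Magic bytes ID1, ID2: identifies a GZIP member"),
        (2, 1, "CM: compression method; " + ("8 = DEFLATE" if cm == 8 else f"{cm} = reserved/unknown")),
        (3, 1, "FLG: " + (", ".join(set_flags) or "no flags set")),
        (4, 4, f"MTIME (little-endian) = {mtime}: {when}"),
        (8, 1, f"XFL: extra flags = {xfl}"),
        (9, 1, f"OS: {os_code} = " + OS_NAMES.get(os_code, "other")),
    ]
    return [(off, size, data[off:off + size].hex().upper(), text) for off, size, text in meanings]

def render(rows):
    """Format rows in the layout this page uses for annotation.txt."""
    lines = ["Offset  Size     Hex       Value/Meaning",
             "------  -------  --------  -------------"]
    for off, size, hx, text in rows:
        unit = "byte" if size == 1 else "bytes"
        lines.append(f"0x{off:02X}    {size} {unit:<5}  {hx:<8}  {text}")
    return "\n".join(lines)

# Constructed sample: fixed header followed by the FNAME field "file.txt" (not a real file).
SAMPLE = bytes.fromhex("1f8b0808800092650003") + b"file.txt\x00"

if __name__ == "__main__":
    print(render(annotate_gzip_header(SAMPLE)))
```

The MTIME row is the one most often misread by hand: the dump shows 80 00 92 65, but the value is 0x65920080 because the field is little-endian.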


The decoding report

Write decoding-report.md in plain English. Structure it with these five sections:

1. What I decoded (50-100 words)

Name the file format, what the file contains, and which specific bytes you annotated. Example: "I decoded the PNG image signature and IHDR chunk of a 200x150 pixel screenshot. The IHDR chunk occupies bytes 8-28 and specifies the image dimensions, bit depth, and color type."

2. How I found the specification (50-100 words)

Where did you find the format specification? What search terms did you use? Was the specification easy or hard to follow? What section did you use?

3. What each field means (150-250 words)

For the most interesting 3-5 fields in your annotation: explain what the field does and why it exists. Not just "this byte is the compression method" but "this byte tells the decompressor which algorithm to use when expanding the file; a value of 8 means DEFLATE, which is the same algorithm used in ZIP files."

4. What surprised me (50-100 words)

One thing in the byte sequence that you did not expect, or that clarified something you previously misunderstood.

5. What I could decode next (50-100 words)

What is the next section of the file after the header you decoded? What would you need to learn to decode it?


Success criteria

Your capstone is graded on three things:

  1. Correctness. Your annotation matches what the specification says. The byte offsets are accurate; the field values are read correctly from the hex dump.

  2. Explanation. Your decoding report explains what each field means in plain English that someone without the specification could follow. You can explain why the field exists, not just what its value is.

  3. Repository hygiene. Your Git repository is well-organized; the files listed above are all present; the commit history shows at least 3 commits (you did not do all the work in one commit).

There is no minimum file complexity. A correctly decoded and clearly explained 8-byte PNG signature earns full credit.


What the capstone does NOT require

  • No programming: you are reading bytes and writing prose, not writing a parser
  • No advanced cryptanalysis: the fields you are decoding are plaintext header fields, not encrypted data
  • No original tool development: xxd, a text editor, and the public specification are all you need
  • No decoding the entire file: decode the header section only (the first 16-64 bytes)

Timeline for week 12

  • Day 1: choose your format; read the specification section; produce the hex dump
  • Days 2-3: complete the annotation in annotation.txt
  • Day 4: write the first draft of decoding-report.md
  • Day 5: revise; verify the Git repository is complete; check against this spec
  • Day 6: submit

Submission

Push your capstone repository to GitHub or GitLab and email the URL to interested@virtuscyberacademy.org with subject FND-101 capstone, {your-name}. The course team replies within 7 days with the grade and brief feedback.


Capstone specification v0.1.