Big-Endian

Big-Endian describes the order in which a computer stores binary data.  With Big-Endian, the most significant byte is stored first.  For the hex (base 16) number 0xA0B0C0D0, Big-Endian would store the bytes as follows:

• A0B0 C0D0

However, Little-Endian would store the least significant byte first, resulting in:

• C0D0 A0B0

Relevance to computer forensics

In computer forensics, how data is stored on a drive is crucial information.  Often, analysts will have to look at raw data in a hex editor and thus how the information is written to disk is very important.

Overview of systems that use Big-Endian and Little-Endian

Most Intel-based computers (x86, AMD, etc.) use Little-Endian.  Non-Intel based Apple computers and other RISC-based processors use Big-Endian.  It is also important to note that network traffic uses Big-Endian ordering.

Etymology of the term

Interestingly, the terms Big-Endian and Little-Endian came from Jonathan Swift’s satirical novel Gulliver’s Travels.  Wikipedia’s article on Endianness has the following information:

“The term big-endian comes from Jonathan Swift’s satirical novel Gulliver’s Travels, where tensions are described in Lilliput and Blefuscu: whereas royal edict in Lilliput requires cracking open one’s soft-boiled egg at the small end, inhabitants of the rival kingdom of Blefuscu crack theirs at the big end (giving them the moniker Big-endians).  The terms little-endian and endianness have a similar intent.”