encoding

Security Concepts

Definition

Encoding is the process of **transforming data into a different format** so it can be safely stored, transmitted, or processed by a system — without changing its actual meaning.

It’s not encryption (which is meant to hide information) and it’s not compression (which is meant to make things smaller). Encoding is about **compatibility and safe transport**.

Examples you’ve probably seen:

* **Base64** – Turns binary data into text characters so it can be sent in email or embedded in scripts.
* **URL encoding** – Replaces unsafe characters in URLs (`space` → `%20`) so web browsers can handle them.
* **Character encoding** – Defines how letters and symbols are represented as bytes (UTF-8, ASCII).

In cybersecurity investigations, encoding is important because:

* Attackers often encode malicious payloads to bypass filters or avoid detection (e.g., a PowerShell script encoded in Base64).
* Data exfiltration might use encoding to hide in plain sight (e.g., sensitive data sent in a URL query string but encoded to look harmless).
* Decoding suspicious strings is a common analysis step to reveal the actual command, file, or URL.

Example of Base64 encoding:

```
Text: Hello
Base64: SGVsbG8=
```

If an attacker sends `SGVsbG8=` in a script, it’s just “Hello” once decoded.

Real-world examples:

* Many phishing kits deliver payloads via `powershell.exe -enc <Base64String>` to hide the real script from plain sight.
* Malware families like Emotet and Agent Tesla encode stolen credentials before sending them back to the attacker.
* Web shell uploads may be Base64-encoded to evade simple keyword-based detection.

### Encoding v. Encryption

Encoding and encryption both change the way data looks, but they serve very different purposes and have very different security implications.

**Encoding**

* **Purpose:** Make data compatible for storage or transmission
* **Goal:** Ensure systems can handle the data without altering its meaning
* **Key needed to read it?** No — anyone can decode it using the defined method
* **Security benefit:** None — it’s not meant to hide data, just format it
* **Example:** Base64 turns `Hello` into `SGVsbG8=` so it can be safely sent in an email

**Encryption**

* **Purpose:** Protect data from unauthorized access
* **Goal:** Make the data unreadable to anyone without the correct key
* **Key needed to read it?** Yes — you must have the decryption key
* **Security benefit:** Strong — keeps data confidential if implemented properly
* **Example:** AES encryption turns `Hello` into unreadable ciphertext like `q1w2e3r4t5...` that you can’t reverse without the right key

Quick analogy:

* Encoding is like writing a note in all caps so it’s easier to read from far away — the message is still public.
* Encryption is like locking the note in a safe — without the key, no one can see what it says.

In cybersecurity investigations, this distinction matters because:

* If you find **encoded** malicious commands (e.g., Base64 in PowerShell), you can decode them easily to see the payload.
* If you find **encrypted** data being exfiltrated, you may not be able to see what’s inside without the key — but the mere fact it’s encrypted might be suspicious if it’s going somewhere it shouldn’t.

encoding

Definition

Explore More Terms