BIOS/EFI Do we still care?

Got questioned in court as judges - for good reasons - are sometimes technically backlogged. We check BIOS/EFI/UEFI and also the Trusted Platform Module's (TPM), required in native Windows 10 machines, not upgraded from previous) specs.

To miss something is the bigger risk even its time consuming.

Sorry, looks like you've fallen foul of our infamous poll bug! Did you edit one of the options when you created the poll? That usually causes the problem…

Jamie

HI ALL,

Just a quick one? Do you still check BIOS DATE/TIME on computers?

If yes, could you explain your pro-cons of doing or not doing the BIOS.

I personally do not see much point since Windows Date/Time is updated from the server and any manual change it logged in event viewer.

Other point - even if the BIOS is accurate at the time of seizure, it does not mean that it was when the crime was possibly committed, so what is the point.

Have you ever been questioned in court over BIOS?

twisted

It happens that the BIOS (actually the RTC or Real Time Clock module)
https://en.wikipedia.org/wiki/Real-time_clock
is reset because the battery is dead.
This will generally also reset a number of settings in the firmware and usually you have a message at boot time that makes you aware of the issue.
If this is the case, a number of timestamps of files in the filesystem will likely be altered in the booting phase and until the NTP synchronization service will be able to "kick in" and set it correctly (and this won't happen if the computer is not connected to the Internet - and it shouldn't be at examination time).

In theory a user might use for months or years a PC with the date/time set at each boot to (say) 01/01/2010 0000,00 (the BIOS default), with the net result that a large number of files will have a timestamp within (still say) 01/01/2010 0000,01 and 01/01/2010 0321,45 😯 .
The PC might have been not connected to the Internet or have the time service disabled (intentionally) or even corrupted/not working (accidentally)

But the real issue as I see it is that you are assuming several things
1) Only a single OS (the installed one) has been run on the device
2) The OS internet time synchronization service is actually running and is set entirely according to the "default"
3) The Registry and/or Event Log has not been deleted/wiped/tampered with

A statement such as
"At the time the computer was booted up for examination the BIOS (or EFI) settings were accessed and the RTC date and time in the firmware appeared to be accurate and displaying dd/mm/yyyy hhmm,ss." (or appeared to be not accurate as it was displaying dd/mm/yyyy hhmm,ss whilst the correct date/time was dd/mm/yyyy hhmm,ss )

May well be unneeded (and bear no real consequences in the rest of the examination) but it is still a "data point", it indirectly states the exact date time the device was booted up for examination and all in all costs nothing or next to nothing.

So my vote is for the first NO, which is very like a YES. wink

jaclaz

PS I've tried to fix the poll, not sure if it'll work but best I can do at the moment - hopefully there should now be a genuine choice!

Cheers,

Jamie

Just a quick one? Do you still check BIOS DATE/TIME on computers?

If yes, could you explain your pro-cons of doing or not doing the BIOS.

On the basic principle of securing possible evidence (pro or con) while it remains. It's not as if collecting it is particularly costly or cumbersome

I personally do not see much point since Windows Date/Time is updated from the server and any manual change it logged in event viewer.

How do you know? Are you just assuming it is, or have you already verified that it does?

Throwing away useless information once you have verified that is useless, fine.

Throwing away information on an assumption that it is worthless … one wonders what other assumptions you make.

Other point - even if the BIOS is accurate at the time of seizure, it does not mean that it was when the crime was possibly committed, so what is the point.

Well, well, well, … at this point I'm afraid I have to make some assumptions of my own. Sorry about wasted time.

As a kind of tag on to this thread, how much information do record about an exhibit?
So from Make, model, serial number through to BIOS make and revision. More out of my own curiosity to see what others record.

As a kind of tag on to this thread, how much information do record about an exhibit?
So from Make, model, serial number through to BIOS make and revision. More out of my own curiosity to see what others record.

Suggestion make that question into a thread of its own.

Having worked on cases where time is critical, having the time correct at the time of examination is an easier sell than verifying it was set to sync with a time server.

Or even worse, the clock was reset, and the machine was never connected to the internet.
If I didn't check the clock I would be saying "well it was synced to a time server so the clock was accurate" when in all reality that may not be true.

It's always worth checking the clock since it takes a minute and there's virtually no harm in not using the information, but there's plenty if you need it and don't have it.

BIOS and BIOS with UEFI is big difference; (and I do not care that it is not called BIOS with UEFI any more.)

A plain old BIOS will only have her internal clock to deal with, on the other hand some UEFI can reach out and sync prior the OS loading.

It was not court, but we have found malfeasance through UEFI.

HI ALL,

Just a quick one? Do you still check BIOS DATE/TIME on computers?

If yes, could you explain your pro-cons of doing or not doing the BIOS.

I personally do not see much point since Windows Date/Time is updated from the server and any manual change it logged in event viewer.

Other point - even if the BIOS is accurate at the time of seizure, it does not mean that it was when the crime was possibly committed, so what is the point.

Have you ever been questioned in court over BIOS?

twisted