Does anyone have any tool recommendations for imaging and investigating the bios of a PC?
I need to investigate data which is stored on the bios which will not be shown in the usual "F2 on boot" screen.
I read in previous posts the tool ProDiscover can be used. Are there any other tools which are now preferred?
What would be the best tool to analyse the data once imaged?
Any input would be very much appreciated
Does anyone have any tool recommendations for imaging and investigating the bios of a PC?
I need to investigate data which is stored on the bios which will not be shown in the usual "F2 on boot" screen.
I read in previous posts the tool ProDiscover can be used. Are there any other tools which are now preferred?
What would be the best tool to analyse the data once imaged?
Any input would be very much appreciated
It's a strange request. 😯
It is very difficult for a "common user" to modify contents of a BIOS, with the exception - maybe - of changing the boot logo.
Which kind of data do you expect to find in it?
Normally the BIOS manufacturer provides BIOS flashing utilities that have, among their features, a provision to image the current BIOS before the update.
Then you can try using one (or more than one) of the several "BIOS modding tools" to interpret - at least partially - the data in the image.
Examples
http//
To find suitable flashing tools, this is normally a good starting point
http//
jaclaz
The best approach, if you have physical access to the system, may be to interrupt the boot sequence and record what you see in the BIOS using a video camera.
This is for potential malware analysis purposes.
I need to eliminate possibilities of any infection in the bios.
I always thought that the Ring Zero virus that embedded itself into the BIOS so that it could survive system formats was an urban legend. Considering the large amount of different BIOSes out there, there is no way that a virus of that kind could work, surely?
This is for potential malware analysis purposes.
I need to eliminate possibilities of any infection in the bios.
How old is the PC? What OS is it running? Does it have a floppy drive - and is there evidence it has been used?
I haven't seen anything referring to BIOS malware lately…but I've seen MBR infectors.
What research have you done with respect to BIOS-based malware?
Does anyone have any tool recommendations for imaging and investigating the bios of a PC?
I need to investigate data which is stored on the bios …
Not sure I follow. BIOS is a mixture between parts of the IO.SYS file, and the ROM-based code (which contain the really low-level driver code for CON, PRN, AUX, CLOCK$ and disk devices – at least in the old bad days). IO.SYS … easy enough. ROM-based code … easy enough, too, I should think. If you want to investigate that, get a good disassembler (I like IDA Pro), and one of these 'Advanced PC Programming' style books from the late 1980s to help you through it. (Perhaps also an Intel x86 Software Manual to get your head around the various addressing modes …)
If you want to investigate the NVRAM where BIOS configuration is stored, … that could be trickier. It's an external device, so you need to do it by IN/OUT instructions (or used to … perhaps things have changed.)
There's some useful info in the documentation to the bochs emulator – see for example http://bochs.sourceforge.net/techspec/CMOS-reference.txt . (Also look for Ralf Brown's BIOS interrupt list – it used to have lots of information on BIOS-related things.)
But originally all this was designed to be OEM-specific, and so would depend on who you got your PC from. You got it from IBM, NVRAM was one size, you got it from someone else, NVRAM was a different size. You messed with NVRAM only at your peril – you were supposed to access it through BIOS calls, or at least by verifying that you were running on a known BIOS first.
Nowadays, I'd expect NVRAM layout to be fairly standardized – but you probably need to go to Phoenix Technologies or other existing low-level BIOS providers to get at any documentation.
(Added: Doesn't one of these BIOS inventory programs – InfoPlus or what they were called – read and interpret results from syscalls etc? That could be an additional source of information – I think the Pascal code used to be available…)
This is for potential malware analysis purposes.
I need to eliminate possibilities of any infection in the bios.
With all due respect, this makes little sense.
Let's say that you have motherboard model w, from maker x, using BIOS made by y, using release z of the BIOS.
There are as many w, x and z as stars in the sky (whilst y amounts to a handful).
My guess is that it is in practice impossible to develop a tool capable of interpreting all of them.
You don't really want to check the actual BIOS contents 😯 (disassembling and making sense of a 1 Mb BIOS is not something for the faint of heart, nor for the - no offence whatever intended - newbie), as if you are already an expert you already know what to do and how to do it and need not post the question on the Forum.
What would make sense would be - without attempting to interpret the data in the BIOS - to dump it and compare it with the same release file, normally available from the board manufacturer, or compare it with the dump of the BIOS of another identical motherboard surely not tampered with.
That is unless you are suspecting that the "potential malware" is injected in the BIOS code in the factory or by the distributor or the like.
jaclaz
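The dump-and-compare approach jaclaz describes, written out as an added example (not code from the thread or from any vendor tool): hash a BIOS dump against the vendor's release file or a known-good dump of an identical board, and when they differ, report which flash regions differ so they can be triaged by hand. The images, block size and tampered offsets are all constructed here for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

BLOCK = 4096  # compare at 4 KiB granularity; assumed to match a typical flash erase block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes, block: int = BLOCK) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where the dump differs from the reference.
    Consecutive differing blocks are merged into one region. A size mismatch is
    itself a finding (wrong release, truncated dump, or extra data) and is raised."""
    if len(reference) != len(dump):
        raise ValueError(f"size mismatch: reference={len(reference)} dump={len(dump)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(reference), block):
        same = reference[off:off + block] == dump[off:off + block]
        if not same and start is None:
            start = off                      # first differing block of a new region
        elif same and start is not None:
            regions.append((start, off))     # close the current region
            start = None
    if start is not None:
        regions.append((start, len(reference)))
    return regions


def compare_images(reference: bytes, dump: bytes) -> Dict[str, object]:
    """Hash both images and list differing regions. An empty list means the dump is
    byte-identical to the known-good image; differing regions still need manual
    review, since NVRAM/settings areas legitimately vary between machines."""
    ref_hash, dump_hash = sha256_hex(reference), sha256_hex(dump)
    regions = [] if ref_hash == dump_hash else diff_regions(reference, dump)
    return {"identical": ref_hash == dump_hash, "reference_sha256": ref_hash,
            "dump_sha256": dump_hash, "differing_regions": regions}


# Constructed sample data (not real firmware): a 64 KiB pseudo-random "vendor release"
# and a dump of it with two modified spots, standing in for a tampered board.
REFERENCE = bytes((i * 131 + 7) & 0xFF for i in range(64 * 1024))
_tampered = bytearray(REFERENCE)
_tampered[0x9010:0x9018] = b"\x90" * 8      # small change inside the 0x9000 block
_tampered[0xF000:0xF040] = b"\x00" * 64     # change at the start of the last block
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    result = compare_images(REFERENCE, TAMPERED)
    print("identical:", result["identical"])
    for start, end in result["differing_regions"]:
        print(f"  differs at 0x{start:05X}-0x{end:05X} ({end - start} bytes)")
```

Run against a real dump, only the two blocks containing the edits are flagged, so the analyst looks at a few KiB rather than disassembling the whole image.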
Many thanks for all your responses, I got the information I was looking for.