Join Us!

Recording BIOS sett...
 
Notifications
Clear all

Recording BIOS settings..?  

  RSS
andy1500mac
(@andy1500mac)
Member

Hi all,

Is there a forensically sound way to record the BIOS information? As the hotkeys to enter the BIOS settings change depending on manufacturer and are not visible unless a reboot is done, what if any are the procedures?

If a machine was shutdown to begin with and the plan was to remove and image the drive…would you even bother with the BIOS?

I ask because I occasionally come across discussions, articles and the such stating that time, boot order and HDD info be recorded from the BIOS if at all possible..

Thanks for any clarification,
Andrew.

Quote
Posted : 20/03/2005 6:48 pm
Andy
 Andy
(@andy)
Active Member

Always remove either the data cable (or power cable) from the HDD before attempting to access the BIOS. Then it’s a matter of seeing what output message you get on the monitor. Most of the time the BIOS key will be the DEL key, however depending on the BIOS manufacturer it may change. It won’t be anything more elaborate than F2, F10 or F12….. Or you may have to implement the Vulcan death grip method (i.e. pressing several combinations at once).

As long as the data/power cables are out of the equation you can try many combinations till you get it right.

Accessing the BIOS for the RTC (Real Time Clock) settings is a fundamental part of the Forensic Computing examination. You need to do this to establish whether the clock is correct, or out - thus when you refer to timestamps on relevant files subsequently used as evidence, you can state are likely to be correct. Or if the timestamp is off you can calculate the difference.

For example: - there is nothing worse than producing evidence to say at a certain time your suspect created illegal or incriminating files (and you haven't examined the BIOS and discovered the clock slow by 2 weeks), only for your suspect to prove he was on vacation at the time and out of the country……. It couldn't have been he/she that did it……You get the picture?

Sometimes it can be an art form, especially when the BIOS is password protected (but that’s another topic in its own right).

If you simply cannot access the BIOS for what ever reasons, but the machine is set to boot to the ‘a:’ drive, you can always boot to a Windows 98 boot disk and type “time” and “date” at the command prompt to access the BIOS RTC through DOS.

In repect of checking the boot sequence - you will need to do this if you intend using a boot disk - pretty obvious. If you are removing the drive to image with Fastbloc then its not that imperative.

Alway document everything you do comprehensively and contemporaneously, with enough detail for an independent third party to retrace your steps and come to the same conclusions (ACPO principle 3). Don't forget that your notes could possibly become legal documents used in criminal or civil cases, thus can be disclosed to the other side for close scrutiny.

Andy

ReplyQuote
Posted : 20/03/2005 8:03 pm
andy1500mac
(@andy1500mac)
Member

Thanks for the thorough response…much appreciated.

Andrew

ReplyQuote
Posted : 20/03/2005 10:24 pm
pvissers
(@pvissers)
New Member

Great answer, Andy!

I have one add-on:

Sometimes it's essential the subject does not know an image has been made. Some BIOS-ses give a beep when the cover has been open (some models of Dell and Compaq for example). This can be a legitimate reason to boot the PC (after the image has been made of course) and so avoid the notice. In 99% of those cases you can shut down the boot sequence before the OS loads anyway. But in either case, record what you have done and don't do it alone 😉

Regards,
Pepijn

ReplyQuote
Posted : 21/03/2005 9:33 am
neddy
(@neddy)
Active Member

I thought booting to a Win98 disc to record time & date would alter some data and a forensic boot disk should be used instead (EnCase boot disk).

ReplyQuote
Posted : 21/03/2005 12:08 pm
pvissers
(@pvissers)
New Member

true. the above scenario is *after* a forensic image has been created, which you ideally do on your own machine after removing the disk(s) from the subjects machine.

ReplyQuote
Posted : 21/03/2005 2:15 pm
Andy
 Andy
(@andy)
Active Member

Hi neddy, you asked:

I thought booting to a Win98 disc to record time & date would alter some data and a forensic boot disk should be used instead (EnCase boot disk).

Yes, you are correct. Theoretically you should use a 'forensic' boot disk, with references/calls to the C: drive edited from the IO.sys and Command.com (and delete DRVSPACE.bin).

However if (like I said initially) you have removed the power or data cable from the HDD, then it doesn't matter, a plain & simple Windows 98 boot disk will do. As you will not write any data to the suspect drive, nor will this activity alter any of the BIOS settings.

Remember its the BIOS settings held in the CMOS that are required, not data from the HDD. At least not at this stage…..

Andy

ReplyQuote
Posted : 21/03/2005 3:35 pm
Share: