Recording BIOS settings..?
andy1500mac
Senior Member
 

Recording BIOS settings..?

Post Posted: Mar 20, 05 18:48

Hi all,

Is there a forensically sound way to record the BIOS information? As the hotkeys to enter the BIOS settings change depending on manufacturer and are not visible unless a reboot is done, what, if any, are the procedures?

If a machine was shut down to begin with and the plan was to remove and image the drive, would you even bother with the BIOS?

I ask because I occasionally come across discussions, articles and such stating that time, boot order and HDD info should be recorded from the BIOS if at all possible.

Thanks for any clarification,
Andrew.  
 
  

Andy
Senior Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 20, 05 20:03

Always remove either the data cable (or power cable) from the HDD before attempting to access the BIOS. Then it’s a matter of seeing what output message you get on the monitor. Most of the time the BIOS key will be the DEL key, however depending on the BIOS manufacturer it may change. It won’t be anything more elaborate than F2, F10 or F12..... Or you may have to implement the Vulcan death grip method (i.e. pressing several combinations at once).

As long as the data/power cables are out of the equation you can try many combinations till you get it right.

Accessing the BIOS for the RTC (Real Time Clock) settings is a fundamental part of the Forensic Computing examination. You need to do this to establish whether the clock is correct or out, thus when you refer to timestamps on relevant files subsequently used as evidence, you can state they are likely to be correct. Or if the timestamp is off you can calculate the difference.

For example: - there is nothing worse than producing evidence to say at a certain time your suspect created illegal or incriminating files (and you haven't examined the BIOS and discovered the clock slow by 2 weeks), only for your suspect to prove he was on vacation at the time and out of the country....... It couldn't have been he/she that did it......You get the picture?

Sometimes it can be an art form, especially when the BIOS is password protected (but that’s another topic in its own right).

If you simply cannot access the BIOS for what ever reasons, but the machine is set to boot to the ‘a:’ drive, you can always boot to a Windows 98 boot disk and type “time” and “date” at the command prompt to access the BIOS RTC through DOS.

In respect of checking the boot sequence - you will need to do this if you intend using a boot disk - pretty obvious. If you are removing the drive to image with Fastbloc then it's not that imperative.

Always document everything you do comprehensively and contemporaneously, with enough detail for an independent third party to retrace your steps and come to the same conclusions (ACPO principle 3). Don't forget that your notes could possibly become legal documents used in criminal or civil cases, and thus can be disclosed to the other side for close scrutiny.


Andy  
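A worked example of the clock-offset check and the contemporaneous record described in the post above. This is added code, not anything posted in the thread; the readings, boot order and drive details are constructed values, and the SHA-256 seal over the record is an assumption about how one might make later alteration of the notes detectable.

```python
from datetime import datetime
import hashlib
import json

# Constructed readings (not from the thread): the RTC as shown on the BIOS setup
# screen, and a trusted reference clock read at the same instant. Both are naive
# local times, exactly as the BIOS displays them. Here the suspect clock is 2 weeks slow.
BIOS_RTC = datetime(2005, 3, 6, 18, 48, 0)
REFERENCE = datetime(2005, 3, 20, 18, 48, 0)


def clock_offset(bios_rtc, reference):
    """Offset to add to a suspect-clock timestamp to obtain reference time.
    Positive means the suspect clock was running slow (behind the reference)."""
    return reference - bios_rtc


def correct_timestamp(ts, offset):
    """Translate a file timestamp written by the suspect clock into reference time."""
    return ts + offset


def bios_record(bios_rtc, reference, boot_order, hdd_info, examiner):
    """Contemporaneous record of the BIOS examination: raw readings, derived
    offset, boot order and HDD details, sealed with a SHA-256 of the content."""
    offset = clock_offset(bios_rtc, reference)
    rec = {
        "examiner": examiner,
        "bios_rtc": bios_rtc.isoformat(),
        "reference_clock": reference.isoformat(),
        "offset_seconds": int(offset.total_seconds()),
        "boot_order": boot_order,
        "hdd_info": hdd_info,
        "hdd_cables_disconnected": True,  # per the procedure in the post
    }
    body = json.dumps(rec, sort_keys=True).encode()
    rec["sha256"] = hashlib.sha256(body).hexdigest()
    return rec


if __name__ == "__main__":
    off = clock_offset(BIOS_RTC, REFERENCE)
    print("clock offset:", off)  # 14 days, 0:00:00
    # A file the suspect clock stamped 1 Mar 12:00 was really written 15 Mar 12:00.
    print(correct_timestamp(datetime(2005, 3, 1, 12, 0), off))
    rec = bios_record(BIOS_RTC, REFERENCE, ["FDD", "CD-ROM", "HDD"],
                      ["primary master, 40 GB (constructed)"], "Examiner (constructed)")
    print(json.dumps(rec, indent=2))
```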
 
  

andy1500mac
Senior Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 20, 05 22:24

Thanks for the thorough response…much appreciated.

Andrew  
 
  

pvissers
Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 21, 05 09:33

Great answer, Andy!

I have one add-on:

Sometimes it's essential the subject does not know an image has been made. Some BIOSes give a beep when the cover has been opened (some models of Dell and Compaq for example). This can be a legitimate reason to boot the PC (after the image has been made of course) and so avoid the notice. In 99% of those cases you can shut down the boot sequence before the OS loads anyway. But in either case, record what you have done and don't do it alone.

Regards,
Pepijn
_________________
--
P. Vissers
Independent Post and Telecommunications Authority
Netherlands 
 
  

neddy
Senior Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 21, 05 12:08

I thought booting to a Win98 disc to record time & date would alter some data and a forensic boot disk should be used instead (EnCase boot disk).  
 
  

pvissers
Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 21, 05 14:15

True. The above scenario is *after* a forensic image has been created, which you ideally do on your own machine after removing the disk(s) from the subject's machine.
_________________
--
P. Vissers
Independent Post and Telecommunications Authority
Netherlands 
 
  

Andy
Senior Member
 

Re: Recording BIOS settings..?

Post Posted: Mar 21, 05 15:35

Hi neddy, you asked:

I thought booting to a Win98 disc to record time & date would alter some data and a forensic boot disk should be used instead (EnCase boot disk).


Yes, you are correct. Theoretically you should use a 'forensic' boot disk, with references/calls to the C: drive edited from the IO.sys and Command.com (and delete DRVSPACE.bin).

However if (like I said initially) you have removed the power or data cable from the HDD, then it doesn't matter; a plain and simple Windows 98 boot disk will do, as you will not write any data to the suspect drive, nor will this activity alter any of the BIOS settings.

Remember it's the BIOS settings held in the CMOS that are required, not data from the HDD. At least not at this stage.....

Andy  