Forensic Analysis of BIOS Chips

  • Pavel Gershteyn
  • Mark Davis
  • Sujeet Shenoi
Conference paper
Part of the IFIP Advances in Information and Communication book series (IFIPAICT, volume 222)

Abstract

Data can be hidden in BIOS chips without hindering computer performance. This feature has been exploited by virus writers and computer game enthusiasts. Unused BIOS storage can also be used by criminals, terrorists and intelligence agents to conceal secrets. However, BIOS chips are largely ignored in digital forensic investigations. Few techniques exist for imaging BIOS chips and no tools are available specifically for analyzing BIOS data.

This paper focuses on the Award BIOS chip, which is commonly used in IBM compatible machines. It demonstrates how data may be concealed within BIOS free space and modules in a manner that makes it accessible using operating system commands. Furthermore, forensically sound techniques are described for detecting and recovering concealed data from BIOS chips.

Keywords

BIOS chips, Award BIOS, data concealment, evidence recovery


Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Pavel Gershteyn (1)
  • Mark Davis (1)
  • Sujeet Shenoi (1)
  1. University of Tulsa, Tulsa, USA
