In the previous installment of this series, we gathered information about the target system by reviewing its BIOS setup. However, a suspect's BIOS might be password-protected. In this post, we'll look at how to get into a password-protected BIOS. We'll also move to the next step in the electronic forensics process -- preparing the forensics drives for analysis.
Obviously, the best way to get the BIOS password is to ask the suspect. The problem is that he or she might not be too willing to help the investigator gather evidence against him or her. Other options for retrieving the password include:
- BIOS password crackers: As long as the investigator can run an operating system on the target machine, software such as Password Reminder can be used to retrieve the password. Systems protected by biometrics might resist this technique.
- Use of backdoor passwords: Many BIOS manufacturers include backdoor BIOS passwords. Although bad news for users or organizations relying on BIOS security to protect endpoint devices, this is good news for investigators. Tech FAQ is a good resource for this information.
- Contacting the manufacturer: In some cases, BIOS manufacturers can be a good source for information on how to reset or bypass the password. The investigator should be prepared to provide verification of his or her identity.
- Following manufacturer instructions for using jumpers to reset the BIOS: This approach has its own challenges. Using reset jumpers might change information the investigator needs for his investigation. Once again, Tech FAQ is a good place to start if going down this path. This should be the recovery method of last resort.
Once the target system's setup information is retrieved, it's time to begin analyzing data on its internal hard drives. The most important rule to remember is to not conduct forensics analysis on the original media. A true copy of the data on the target system's drives must be made for analysis purposes. This helps the investigator demonstrate that no actions were taken that might have inadvertently altered the original state of the media evidence in the event the defense is allowed to conduct its own analysis.
The following steps must be taken to create forensics copies:
- Prepare the drives to which the data will be copied: The investigator must be able to demonstrate that no remanent data remained on the forensics drives prior to copying data to them. One of the best ways to accomplish this is by overwriting the drive with patterns of bits. A good disk sanitation tool is KillDisk. KillDisk supports the Department of Defense standard (DoD 5220.22-M) and Peter Gutmann's recommended approach to dealing with data remanence.
- Write protect the original disk: Before connecting the original disk to a live forensics system, the investigator must take steps to prevent it from being written to. Write blockers are a good solution. They ensure data is not written to the drive, and they are easily documented as the method used.
- Execute a bit-level copy from the original disk to a prepared forensics drive: A standard copy of files from one drive to another will not pull information in hidden areas of the disk. (We'll look at these challenges in the next installment of this series.) Only a bit-level copy, such as those created by forensics applications (e.g., EnCase or Helix) or utilities such as dd, is suitable for analysis. Regardless of the utility used, the investigator must ensure that hash values for the contents of the original drive and for the copy are generated. If the hash values match, the copy is an exact replica. The hash values and the process used to make the copy should be clearly documented. Once the copy is created, the original drive should be secured. There shouldn't be any reason to access it in further stages of the analysis process.
- Create a working copy: The forensics copy is a master replica. It should not be used for analysis. Rather, the investigator should create a working copy. The process to create a working copy should be the same as that followed when creating the forensics copy. The forensics copy is kept in reserve in case additional working copies are needed.
In the next installment in this series, we'll look at areas of the disk that might contain "hidden" information valuable to an investigation.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.