Hello guys,
First of all I want to thank everyone for the answers, suggestions and links you have sent me.
Maybe I was wrong to ask my questions without clarifying the problem
I'm analyzing, leaving you doubts about why I did some sort of
questions about INT13, real mode, and so on.
As you well know, when connecting a memory device (hard drive, USB stick) to a PC, user data may be subject to change.
Just think of the variation under the "date modified" field of the timestamp of a file.
In the forensic field, this is not accepted. As a result, it is necessary to capture the image of the suspect drive, frozen at the time of the police seizure.
For this reason, devices known as Write Blocker are used, which
allow the acquisition of information on a drive without creating the
possibility of accidentally damaging (writing) the drive contents.
I'm studying the implementation of such a device on a PC. Actually, the writing block at kernel level at this time has been resolved.
But there remains the doubt that, for any accidental event (that i don't know), the suspect device may be affected by user data.
For this reason I asked, in my previous email, if there is interaction between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown that there may be
cases where the Kernel grants the BIOS the ability to perform some
services (I think using the INT13).
Then I ask you:
is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?
I hope I've been clear this time.
Thanks for your patience
Best Regards.
Vincenzo.
Forensic Consultant
Tribunale di Lecce
Studio: Strada di Garibaldi - Contrada Paradisi
73010 Lequile (LE)
cell: 339.7968555
skype: vincenzo.di_salvo