Hello guys,
First of all I want to thank everyone for the answers, suggestions and links you have sent me. Maybe I was wrong to ask my questions without clarifying the problem I'm analyzing, leaving you doubts about why I did some sort of questions about INT13, real mode, and so on.
As you well know, when connecting a memory device (hard drive, USB stick) to a PC, user data may be subject to change. Just think of the variation under the "date modified" field of the timestamp of a file.
In the forensic field, this is not accepted. As a result, it is necessary to capture the image of the suspect drive, frozen at the time of the police seizure.
For this reason, devices known as Write Blocker are used, which allow the acquisition of information on a drive without creating the possibility of accidentally damaging (writing) the drive contents.
I'm studying the implementation of such a device on a PC. Actually, the writing block at kernel level at this time has been resolved. But there remains the doubt that, for any accidental event (that i don't know), the suspect device may be affected by user data.
For this reason I asked, in my previous email, if there is interaction between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown that there may be cases where the Kernel grants the BIOS the ability to perform some services (I think using the INT13).
Then I ask you:
is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?
I hope I've been clear this time.
Thanks for your patience
Best Regards.
Vincenzo.
Forensic Consultant Tribunale di Lecce
Studio: Strada di Garibaldi - Contrada Paradisi 73010 Lequile (LE)
cell: 339.7968555 skype: vincenzo.di_salvo
Hi,
Don't worry, x86 is hard to understand IMO. I often feel like an archaeologist when trying to understand it.
Am Sonntag, den 03.09.2017, 00:32 +0200 schrieb ingegneriaforense@alice.it:
is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?
cb itself can't receive commands from the OS. The payload, especially SeaBIOS can through interrupts. Choosing a payload which only starts the Kernel (FILO) should make it impossible for the OS to call BIOS- code.
Of course modern boards still have the Management-engine which can do anything behind the OS.
P.
is there a way to disable this BIOS function? More precisely, coreboot
can be set to avoid
receiving commands from GRUB and Ubuntu KERNEL?
If you build the following structure (please, do understand that this is very high level of presentation, which does not reflect reality 100%) on x86 architecture: FSP -> Coreboot -> Tiano Core [as payload], you might be able to avoid any/entirely legacy INT services.
In nutshell, Tiano Core dies after it passes control to the GRUB2. But... There are so called "run-time services" that Tiano Core sets, and passes them to Linux/WIN and these are alive through the life of the entire system.
I have no idea what these run time services are, actually (might be reminiscences of INT legacy...)! :-(
The similar use case if you use UEFI (so CSM is set OFF). Still, the same question remains: what are (WTF/WTH) "run time services"?
The other use cases are to do NSF mounting to these devices, but with Read ONLY attributes (on remote ARM system). So then you can copy files over to x86 based host system (having admin/root privileges) and inspect them, preserving (not compromising) originals.
All respective to x86 use cases.
You can also use Rpi 3, and mount these devices as RO (as already suggested). But this will not give you NTFS clear file accesses (for WIN HDD/SSD and USB storage systems).
I hope I've been clear this time.
Well... I hope this clearly helps this time.
Zoran
On Sun, Sep 3, 2017 at 12:32 AM, ingegneriaforense@alice.it < ingegneriaforense@alice.it> wrote:
Hello guys,
First of all I want to thank everyone for the answers, suggestions and links you have sent me. Maybe I was wrong to ask my questions without clarifying the problem I'm analyzing, leaving you doubts about why I did some sort of questions about INT13, real mode, and so on.
As you well know, when connecting a memory device (hard drive, USB stick) to a PC, user data may be subject to change. Just think of the variation under the "date modified" field of the timestamp of a file.
In the forensic field, this is not accepted. As a result, it is necessary to capture the image of the suspect drive, frozen at the time of the police seizure.
For this reason, devices known as Write Blocker are used, which allow the acquisition of information on a drive without creating the possibility of accidentally damaging (writing) the drive contents.
I'm studying the implementation of such a device on a PC. Actually, the writing block at kernel level at this time has been resolved. But there remains the doubt that, for any accidental event (that i don't know), the suspect device may be affected by user data.
For this reason I asked, in my previous email, if there is interaction between BIOS and KERNEL. Correctly Zoran, adding the picture, has shown that there may be cases where the Kernel grants the BIOS the ability to perform some services (I think using the INT13).
Then I ask you:
is there a way to disable this BIOS function? More precisely, coreboot can be set to avoid receiving commands from GRUB and Ubuntu KERNEL?
I hope I've been clear this time.
Thanks for your patience
Best Regards.
Vincenzo.
Forensic Consultant Tribunale di Lecce
Studio: Strada di Garibaldi - Contrada Paradisi 73010 Lequile (LE)
cell: 339.7968555 <(339)%20796-8555> skype: vincenzo.di_salvo
-- coreboot mailing list: coreboot@coreboot.org https://mail.coreboot.org/mailman/listinfo/coreboot
-
ingegneriaforense@alice.it -
Philipp Stanner -
Zoran Stojsavljevic