[coreboot] INT 13, real mode, block write commands and coreboot

ingegneriaforense at alice.it ingegneriaforense at alice.it
Thu Sep 7 20:02:16 CEST 2017



Dear Vincent,
dear guys

thanks very much for your reply.

>I don't own a raspi, just another SBC like it. 
I think that the embedded solution is the best. 
However, the Raspberry doesn't have SATA ports, only USB.
Please, can you suggest an SBC like the Raspy that also allows SATA connections (eSATA)? It is important that the SBC supports UBUNTU / UBUNTU-like O.S.

>There is no PC BIOS on it, there is firmware for booting, but (I may be wrong) it is not active after boot.
In fact, this is the important thing; I need a system whose firmware for booting is not active after boot.

>The automounting of partitions is a property of the operating system, so you should make sure to disable it if you don't want your usb keys to be automounted
OK, I agree with you. I have no problem blocking automounting on UBUNTU / UBUNTU-like O.S. In fact, my aim is to use:

 dd if=/dev/sdX of=$HOME/usbkeyimage.raw bs=1M

to make an image of the suspect drive.

I hope to hear from you soon.

Thanks in advance.

Best Regards.

Vincenzo.


Forensic Consultant
Tribunale di Lecce

Studio: Strada di Garibaldi - Contrada Paradisi
73010 Lequile (LE)

cell: 339.7968555
skype: vincenzo.di_salvo





----Original message----
From: vincent.legoll at gmail.com
Date: 5-Sep-2017 9.57
To: "ingegneriaforense at alice.it"<ingegneriaforense at alice.it>, "Coreboot"<coreboot at coreboot.org>
Subject: Re: [coreboot] INT 13, real mode, block write commands and coreboot

Hello,

Please keep the discussion on-list, for the sake of others searching for
the same info.

On Tue, Sep 5, 2017 at 7:43 AM, ingegneriaforense at alice.it
<ingegneriaforense at alice.it>
>>Plug it in, dump it without mounting any eventual partitions, and you're
> done.
> You can derive from there for other interfaces like SATA...
>
> Please, about Raspberry, are you sure that, when plugging a USB drive into
> it, any partitions will not be mounted? Maybe you have the Raspberry and you
> have noticed this behavior?

I don't own a raspi, just another SBC like it. There is no PC BIOS on it,
there is firmware for booting, but (I may be wrong) it is not active after boot.

The automounting of partitions is a property of the operating system, so you
should make sure to disable it if you don't want your usb keys to be
automounted.

Just search in the docs of your linux distribution of choice for a way to do
that, should be fairly straightforward.
(subjects to search: automount, udev, systemd, sysv-init, etc...)

> I'll check to understand better the raspberry chain: BIOS->PAYLOAD->KERNEL
> contacting the Raspberry technical support.

I don't think you'll meet a lot of ARM SBCs with coreboot, they are mostly using
the u-boot bootloader.

But the important thing for you is that the firmware is not used after boot
and that the OS doesn't touch the HW. So, as long as the USB key is only
plugged after boot, the firmware won't have the chance to touch it.

After that a simple:

    dd if=/dev/sdX of=$HOME/usbkeyimage.raw bs=1M

and you should have a copy of it to search what you're after.

If you're paranoid, make three distinct copies, sha256sum the key, etc...

You should learn how to use those tools.

But beware this is only scratching the surface, if you're after someone who
knows his thing, you'll have to eventually go deeper, as some disk firmwares
have already been modified to hide some data even from the OS.

-- 
Vincent Legoll

-- 
coreboot mailing list: coreboot at coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
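
The dd and sha256sum steps discussed in the thread, combined into one acquisition routine. This is an added example, not code from either poster; the function names and log format are assumptions, and the kernel read-only flag set by blockdev is a software setting, not a hardware write blocker.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print only the hex SHA-256 digest of a file or device node.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DEST
# Returns 0 only if SRC hashed the same before and after imaging and
# DEST hashes to that same value; 1 on mismatch; 2 on setup errors.
acquire_image() {
    ai_src=$1
    ai_dest=$2
    if [ ! -r "$ai_src" ]; then
        echo "cannot read $ai_src" >&2; return 2
    fi
    if [ -e "$ai_dest" ]; then
        echo "refusing to overwrite $ai_dest" >&2; return 2
    fi
    # For a real block device, set the kernel's read-only flag first
    # (needs root). This is a software flag, not a hardware write blocker.
    if [ -b "$ai_src" ]; then
        blockdev --setro "$ai_src" || return 2
    fi
    ai_before=$(sha256_of "$ai_src") || return 2
    # Same dd invocation as in the thread.
    dd if="$ai_src" of="$ai_dest" bs=1M || return 2
    ai_image=$(sha256_of "$ai_dest") || return 2
    ai_after=$(sha256_of "$ai_src") || return 2
    # Record all three digests next to the image for later verification.
    printf 'source_before %s\nimage %s\nsource_after %s\n' \
        "$ai_before" "$ai_image" "$ai_after" > "$ai_dest.sha256"
    # Make the evidence files read-only so later work uses copies.
    chmod a-w "$ai_dest" "$ai_dest.sha256"
    # A changed source hash means something wrote to the drive meanwhile.
    [ "$ai_before" = "$ai_image" ] && [ "$ai_before" = "$ai_after" ]
}
```

Call it as `acquire_image /dev/sdX "$HOME/usbkeyimage.raw"` after the drive has been plugged in with automounting disabled.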






