Extracting Concealed Data from BIOS Chips

The practice of digital forensics demands thorough, meticulous examinations of all data storage media seized in investigations. However, BIOS chips and other firmware are largely overlooked in forensic investigations. No forensically sound procedures exist for imaging BIOS chips and no tools are available specifically for analyzing BIOS image files. Yet, significant amounts of data may be stored on BIOS chips without hindering machine performance. This paper describes robust techniques for concealing data in BIOS freespace, BIOS modules, and throughout a BIOS chip. Also, it discusses how flashing utilities and traditional digital forensic tools can be used to detect and recover concealed data.