BIOS Magic Numbers in RAM (Beta)

A colleague of mine approached me after teaching a class on finding information in RAM. He asked me to prove a particular RAM acquisition came form a particular machine. My first thought was to run to the remnants from the registry. But do to paging of the registry and many false positives this proved a little more difficult then I originally thought... But as you guessed by the title I then found the information from the machine’s BIOS.

1. Using Encase create the following GREP Expression:

\x00\x14\x00\x00\x01\x02..\x03

2. Run against the DFRWS Dump and review your findings:

The information contained in the BIOS is pretty substantial often including make, model and serial number of the computer the data was collected

So far the BIOS Magic Numbers have found the BIOS Information on every RAM Acquisition I have tested it on. (Win2000 to Vista).

Future Work:
1. Find the Length of the BIOS Information or a Good Footer.
2. Place in RAM Enscript