Monday, June 25, 2012

Hidden data battery investigations

Hidden data battery investigations

Due to a common embedded controller found in Lithium Ion (Li-Ion) and Lithium
Polymer batteries and used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers it is possible when the battery is 'unsealed' to conceal data in its memory.

To avoid data being lost at the next boot up of the laptop, by setting the unsealed battery's embedded contoller into Boot ROM mode (factory setting stage) charging cannot function and pass information to the flash and overwrite the hidden data.

A perpetrator could therefore transport hidden data and/or pass data in the battery to another person/laptop. If the laptop/battery are seized before the hidden data has been extracted and the examiner switches on the laptop, the battery's memory can be re-written causing loss of the hidden data - a cross between a trojan horse and dead-man's trap.

It is possible to brick the battery giving the impression the battery is a dud. An examiner may not think to consider the battery as memory storage and disregard the battery during investigation.

No comments: