Getting information, by any means...
During a project where I helped track a high-ranking fraud criminal, we ran into a problem. The criminal had his computer protected with a BIOS password.
Part of the project called for a little deception so I could sneak into the criminal's hotel room (with permission of the law enforcement agency), search his laptop's hard drive, extract any useful information and install a backdoor. However, intel that reached us stated that the criminal's laptop was protected by a BIOS password. I had the tools to bypass the OS password or even some well-known full disk encryption software (there was a workaround back then; it has since been fixed), but I didn't anticipate this. My bad.
I researched how to bypass the BIOS password on this specific brand and model of laptop. There wasn't much to be done except fry the BIOS. That would alert the criminal that someone had tampered with his computer. I mean, at that point, why not just take the hard drive out of the computer and be done with it?
One of my good friends is a hardware wiz. He lives for this kind of challenge. I called him and explained the problem. I told him we had a bit over 36 hours until H-2 (H-Hour minus 2 hours, the time when I would sneak into the hotel and wait). I didn't have much hope for this one. BIOS passwords are usually tough to break without going for the hardware, and that leaves a sign saying "we messed with your shit".
5 hours before H-2 he called me and said, "I might have something, but I can't test it; I don't have enough time."
I called my contact at the law enforcement agency and explained what the situation was. He said we were still go, and that if the workaround didn't, well, work, we would just grab his laptop and go.
I drove to my friend's house, grabbed the little gadget he built and went home to change. I needed to put on a suit and appear to be a business guy at the hotel bar.
I had with me a small briefcase with the gear I would need for this: the gadget my friend built, several external drives to store any data I might extract from the laptop, a USB thumb drive with several exploits and backdoors, CDs and DVDs with software to boot the computer from and bypass any password the OS might have, some cables for the drives and some other gear. One of the guys that would distract the criminal also gave me a copy of the room key card so I could go in.
H-Hour came, I took the elevator, found the room and went in. His laptop was set on top of the desk, open, with the screensaver on! I touched the trackpad and the OS asked me for a password. Now, I could reboot from a CD and bypass this, but I first needed to bypass the BIOS password. On top of that, if he had an app open, I wouldn't know. If I managed to bypass the BIOS password and get to the files, he, the criminal, would notice that someone had touched the computer, because his program wouldn't be running anymore.
I would figure that one out later. First I needed to get to the files. I tried first with a small piece of code that had worked in the past with a different version of the OS. Essentially, you plug in your USB thumb drive and the little app tries several vulnerabilities that would enable the program to read and copy files from the hard disk, even with the screen locked. It didn't work in this case.
I then decided that, since I already had permission to take the laptop out of the room if nothing else worked, I would try my friend's gadget. I force-powered off the computer and plugged in the gadget. It was essentially a piece of circuit board with a mini liquid crystal screen, serial, USB, SATA and IDE connections and some components. I plugged it into the serial port and powered on the machine. The vendor's pre-boot screen came up and stayed there. It didn't continue. I looked at the little display on the gadget and it had a series of hex numbers on it. I looked at the lookup table my friend made for those hex numbers, and that specific code was an error. So it didn't work.
Grabbed my screwdriver, opened the laptop and went for the motherboard. Found the freaking battery, removed it and grabbed my mini soldering iron. Burned the crap out of that BIOS. Booted up again and there it was. Rebooted, loaded one of my CDs and booted from it. I accessed the file system and within minutes I had a map of documents, email files, pictures, text files, etc. Copied all of them to my external drive. Then installed my backdoor on the laptop.
Now I needed to figure out what to do with the laptop. Should I take it? Should I leave it and hope the criminal wasn't savvy enough to notice that it had been tampered with?
No, I did something better.
I left the computer exactly as I found it. Plugged into the outlet and with the top open. In the exact location (which I had marked with paper before checking the laptop for booby traps and grabbing it). Exited the room and went for the hotel electrical room. With the help of one of the law enforcement guys we shorted the whole hotel. Everything went black.
We grabbed one of the maintenance guys and asked him to call the manager. He was down in a matter of minutes. We presented our credentials and told him that this was an ongoing investigation, and that he was to go and announce to all guests that there had been a huge power surge throughout the hotel.
I was hoping that this would convince the criminal that his computer was in trouble due to the power surge (even though it's BS...).
The whole thing took about 20 min, from the time I went in to the power surge. I had with me a lot of info that would help incriminate this guy. Now we needed to know whether he would buy the story or just throw that computer away and run.
A week later I had a phone call from one of the law enforcement geeks, who told me that not only did the guy buy the power surge story, he installed the disk in a new laptop and they had access to it via the backdoor I installed.