
Typical Actions by POST

The POST sequence software, held in the ROM BIOS, initializes as necessary and then carries out diagnostic tests on each of the various hardware components of the system. Before entering each step in the sequence, the BIOS writes a one-byte identifying code, usually to I/O port 80h, which signals a successful completion of the previous step. This code is commonly referred to as a POST code.

By means of a special POST code reader the last valid code sent to the port can be observed. Such a reader may simply consist of an ISA plug-in card with a seven-segment display to show the POST code value. In the event of a hardware failure, often signalled by some kind of system lockup, the value on this display can give a good indication of the device that has failed by taking note of the last action that was successful. BIOS and motherboard handbooks often include a table of port 80h POST codes[62] and specialist software can be obtained that operates in conjunction with a POST reader to identify POST code values for a range of current BIOSes. An example screenshot from a typical program (MicroSystems, undated) of this type is shown at Fig. 5.24.

Fig. 5.24 POST code monitor and database.

[62] The codes seem to be unique to the particular BIOS. See, for example, Appendix 3 and Intel (1998a, p. 75).

The reason for needing POST codes is not difficult to see. Because much of the POST diagnostic testing is taking place before the display system has been activated, error messages cannot be written to the screen, as they would be when the display becomes active. It is for this reason that the system speaker is used to generate so-called beep codes. As well as writing a POST code to port 80h, the BIOS will, when there is an error, send a specific sequence of beeps to the system speaker. Some beep codes are simply a number of same-length beeps, some are a combination of low and high tones, some are a series of long and short beeps and some are a series of beeps and pauses. These latter are usually shown as 1-2-2-3, which is read as: 1 beep, pause, 2 beeps, pause, 2 beeps, pause, 3 beeps. The meanings of each of these beep sequences should be listed[63] in BIOS and motherboard handbooks together with any BIOS text error messages which might be written after the display becomes active.

One point of significance for the forensic computing analyst is that a successful completion of all the POST diagnostic tests normally results in a single short beep being sent to the speaker just prior to the loading of the operating system. Making a note in the log on hearing this short beep can provide some useful formal assurance that the computer concerned was operating correctly at the time that it was being used, in that it had signalled a successful passing of all of its POST diagnostic tests. At one time, a “Section 69” certificate was a legal requirement, whereby an analyst was required to certify that any computer equipment used in preparing evidence was working correctly at the time that it was used. Although this is no longer essential, it is still good practice to log such tests.

The POST first tests individual functions of the processor, its registers and some instructions; see Table 5.13. If the processor passes these tests, a checksum is then computed for each of the ROMs that form the BIOS and these computed values are compared with those that had originally been stored within the ROMs when they were programmed to give some assurance that the BIOS code has not become corrupted. A similar check is made of the CMOS RAM, which we will consider further in a moment. Each chip on the main board is then tested and initialized as necessary. These include the DMA controller, the keyboard controller, the first 64 kbyte of RAM, the interrupt controller, the cache controller and the video controller.

Table 5.13 Typical actions by POST – part I.

● Perform function check of CPU
● Test BIOS ROM checksum
● Test CMOS RAM checksum
● Test/initialize DMA controller
● Test/initialize keyboard controller
● Check first 64 kbyte RAM
● Test/initialize interrupt controller
● Test/initialize cache controller
● Test/initialize video controller
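The ROM checksum step described above, as an added example that is not from the original text. It assumes the 8-bit additive (sum-to-zero) convention used for PC option ROMs, since the text does not say which algorithm a given BIOS uses; the ROM contents and all function names are constructed for illustration. It also shows why an analyst should record a cryptographic hash of a ROM dump alongside the checksum result.

```python
import hashlib


def additive_checksum(rom: bytes) -> int:
    """8-bit sum of every byte in the image (assumed algorithm)."""
    return sum(rom) & 0xFF


def seal(body: bytes) -> bytes:
    """Append the byte that makes the whole image sum to zero mod 256,
    standing in for the value stored when the ROM was programmed."""
    return body + bytes([(-sum(body)) & 0xFF])


def post_style_check(rom: bytes) -> bool:
    """The pass/fail decision: recomputed sum must match the stored balance."""
    return additive_checksum(rom) == 0


def fingerprint(rom: bytes) -> str:
    """SHA-256 of the dump, suitable for recording in the examination log."""
    return hashlib.sha256(rom).hexdigest()


def flip_bit(rom: bytes, index: int, bit: int = 0) -> bytes:
    """Simulate single-bit corruption of one ROM cell."""
    out = bytearray(rom)
    out[index] ^= 1 << bit
    return bytes(out)


def swap_bytes(rom: bytes, i: int, j: int) -> bytes:
    """Simulate two bytes changing places; the additive sum is unchanged."""
    out = bytearray(rom)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


# Constructed sample ROM: 252 patterned bytes plus the balancing byte.
GOOD_ROM = seal(bytes(range(1, 64)) * 4)

if __name__ == "__main__":
    for label, rom in (("good", GOOD_ROM),
                       ("bit flipped", flip_bit(GOOD_ROM, 10)),
                       ("bytes swapped", swap_bytes(GOOD_ROM, 0, 1))):
        print(f"{label:14} checksum ok={post_style_check(rom)} "
              f"sha256={fingerprint(rom)[:16]}")
```

The swapped image still passes the additive check while its SHA-256 differs, so the POST checksum gives assurance against accidental corruption only.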

Of course, once the video controller has been tested and initialized, any POST error messages can then be sent directly to the display screen.

After the main board has been tested, the POST tests the other peripherals, such as the serial and parallel interfaces and the remaining RAM above 64 kbyte; see Table 5.14. It then tests and initializes the floppy disk and hard drive controllers before setting up the BIOS variables.

The BIOS data area, as we may have noted from Fig. 5.22, is located at the very beginning of the real mode memory. It is 256 bytes long starting at address 0040:0000 (00400) and it is sometimes called the BIOS variable range or the BIOS variable segment (Tischer and Jennrich, 1996, p. 67 et seq.). In particular, at 0040:0072 (00472) is a marker which indicates whether this is to be a warm boot, for which the main memory checks are not carried out, or a cold boot. If the value is 1234h it is to be a warm boot; for all other values, it is to be a cold boot. The values in this segment can be examined and interpreted using specialist software such as Biosr.com (Postuma, 1995).
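How the warm/cold boot marker would be read from a raw memory image, as an added example that is not from the original text and is unrelated to Biosr.com. It assumes the image begins at physical address 0; the sample images and function names are constructed for illustration.

```python
import struct

BDA_SEGMENT = 0x0040        # BIOS data area segment (from the text)
BDA_LENGTH = 256            # bytes (from the text)
RESET_FLAG_OFFSET = 0x0072  # warm/cold boot marker (from the text)
WARM_BOOT_MARKER = 0x1234


def linear_address(segment: int, offset: int) -> int:
    """Real-mode segment:offset to a linear address: segment * 16 + offset."""
    return (segment << 4) + offset


def read_bda(image: bytes) -> bytes:
    """Slice the 256-byte BIOS data area out of a dump that starts at address 0."""
    start = linear_address(BDA_SEGMENT, 0)
    bda = image[start:start + BDA_LENGTH]
    if len(bda) != BDA_LENGTH:
        raise ValueError("image too short to contain the BIOS data area")
    return bda


def boot_type(image: bytes) -> str:
    """Classify the next boot from the 16-bit marker at 0040:0072."""
    # x86 stores words little-endian, so 1234h appears in a hex dump as 34 12.
    (marker,) = struct.unpack_from("<H", read_bda(image), RESET_FLAG_OFFSET)
    return "warm" if marker == WARM_BOOT_MARKER else "cold"


def sample_image(marker_bytes: bytes) -> bytes:
    """Constructed test data: 2 KiB of zeros with two bytes placed at 00472h."""
    image = bytearray(0x800)
    addr = linear_address(BDA_SEGMENT, RESET_FLAG_OFFSET)
    image[addr:addr + 2] = marker_bytes
    return bytes(image)


if __name__ == "__main__":
    for raw in (b"\x34\x12", b"\x12\x34", b"\x00\x00"):
        print(raw.hex(" "), "->", boot_type(sample_image(raw)))
```

Note that the byte pair 12 34 in a dump is the value 3412h, not 1234h, and therefore indicates a cold boot.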