Dell Trusted Device Installation and Administrator Guide v3.2
Image Capture
Administrators can capture images of a corrupted or tampered BIOS for analysis and remediation. When run, Trusted Device
queries the EFI (Extensible Firmware Interface) partition for a corrupt or tampered image. If an image is detected, it is copied
from the EFI partition to %PROGRAMDATA%\Dell\TrustedDevice\ImageCapture. If off-host verification fails, Trusted Device
copies corrupt or tampered images from memory to %PROGRAMDATA%\Dell\TrustedDevice\ImageCapture. Image Capture
data is retained for 200 days.
Administrators can invoke image capture, configure captured image storage locations, and export the most recent or all images.
Each captured image is signed and named as follows:
● If copied from the EFI partition - BIOSImageCaptureMMDDYYYY_HHMMSS.rcv
● If copied from memory - BIOSImageCaptureBVSMMDDYYYY_HHMMSS.bv
MMDDYYYY is the date and HHMMSS is the time of the image copy. For command-line parameters, see Run the BIOS Verification
Agent.
For more information about Image Capture and the Windows Registry, see Results, Troubleshooting, and Remediation.
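The following is an added example, not part of the Dell guide or of Trusted Device itself: it inventories the capture folder for incident triage, classifying each file by the naming rules above, hashing it for evidence handling, and reporting the days left in the 200-day retention window. The names parse_name and inventory are hypothetical, counting retention from the timestamp in the file name is an assumption, and signature verification is left out because this page does not describe the signature format.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta
from pathlib import Path

# Default folder and retention period as stated in the guide.
DEFAULT_DIR = Path(os.environ.get("PROGRAMDATA", r"C:\ProgramData")) / "Dell" / "TrustedDevice" / "ImageCapture"
RETENTION = timedelta(days=200)
# BIOSImageCapture[BVS]MMDDYYYY_HHMMSS.(rcv|bv)
NAME_RE = re.compile(r"BIOSImageCapture(BVS)?(\d{8})_(\d{6})\.(rcv|bv)")


def parse_name(name):
    """Return (origin, capture_time) for a documented image name, else None."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return None
    bvs, date, time, ext = m.groups()
    # The guide pairs the BVS marker with .bv (memory) and its absence with .rcv (EFI).
    if (bvs is not None) != (ext == "bv"):
        return None
    try:
        captured = datetime.strptime(date + time, "%m%d%Y%H%M%S")
    except ValueError:  # impossible date or time, e.g. month 13
        return None
    return ("memory" if bvs else "efi-partition", captured)


def inventory(directory=DEFAULT_DIR, now=None):
    """List captured images with origin, SHA-256 and days left before retention ends."""
    now = now or datetime.now()
    rows = []
    directory = Path(directory)
    if not directory.is_dir():  # no captures have been written on this host
        return rows
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        parsed = parse_name(path.name)
        if parsed is None:
            rows.append({"file": path.name, "origin": "unrecognized"})
            continue
        origin, captured = parsed
        # Assumption: the 200 days are counted from the timestamp in the name.
        days_left = (captured + RETENTION - now).days
        rows.append({"file": path.name, "origin": origin, "captured": captured,
                     "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                     "days_left": days_left})
    return rows
```

Any file reported as unrecognized sits in the capture folder without matching either documented name and deserves a manual look before the folder is exported.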