Bringing Forensic Readiness to Modern Computer Firmware
Tobias Latzo, Florian Hantke, Lukas Kotschi, Felix Freiling
TL;DR
This work tackles the challenge of forensic memory analysis by embedding memory-forensics capabilities directly into modern firmware. It introduces UEberForensIcs, a UEFI-based solution that provides cold-boot-like memory acquisition during boot and enables runtime code execution via UEFI runtime services, complemented by an RTS tracer for behavior analysis. The approach demonstrates practical feasibility with a built-in memory-dump mechanism that exfiltrates data over the network and a proof-of-concept RTS hook that can persist forensic tooling and enable runtime memory considerations. The results indicate that the built-in acquisition can capture memory with controllable alteration (on the order of tens of MiB largely due to reboot) and that runtime-forensics via RTS is a viable avenue for non-reboot memory analysis, offering a path toward firmware-level forensic readiness with real-world applicability for incident response.
Abstract
Today's computer systems come with a pre-installed tiny operating system, which is also known as UEFI. UEFI has slowly displaced the former legacy PC-BIOS while the main task has not changed: It is responsible for booting the actual operating system. However, features like the network stack make it also useful for other applications. This paper introduces UEberForensIcs, a UEFI application that makes it easy to acquire memory from the firmware, similar to the well-known cold boot attacks. There is even UEFI code called by the operating system during runtime, and we demonstrate how to utilize this for forensic purposes.
