Table of Contents
Fetching ...

Bringing Forensic Readiness to Modern Computer Firmware

Tobias Latzo, Florian Hantke, Lukas Kotschi, Felix Freiling

TL;DR

This work tackles the challenge of forensic memory analysis by embedding memory-forensics capabilities directly into modern firmware. It introduces UEberForensIcs, a UEFI-based solution that provides cold-boot-like memory acquisition during boot and enables runtime code execution via UEFI runtime services, complemented by an RTS tracer for behavior analysis. The approach demonstrates practical feasibility with a built-in memory-dump mechanism that exfiltrates data over the network and a proof-of-concept RTS hook that can persist forensic tooling and enable runtime memory considerations. The results indicate that the built-in acquisition can capture memory with controllable alteration (on the order of tens of MiB largely due to reboot) and that runtime-forensics via RTS is a viable avenue for non-reboot memory analysis, offering a path toward firmware-level forensic readiness with real-world applicability for incident response.

Abstract

Today's computer systems come with a pre-installed tiny operating system, which is also known as UEFI. UEFI has slowly displaced the former legacy PC-BIOS while the main task has not changed: It is responsible for booting the actual operating system. However, features like the network stack make it also useful for other applications. This paper introduces UEberForensIcs, a UEFI application that makes it easy to acquire memory from the firmware, similar to the well-known cold boot attacks. There is even UEFI code called by the operating system during runtime, and we demonstrate how to utilize this for forensic purposes.

Bringing Forensic Readiness to Modern Computer Firmware

TL;DR

This work tackles the challenge of forensic memory analysis by embedding memory-forensics capabilities directly into modern firmware. It introduces UEberForensIcs, a UEFI-based solution that provides cold-boot-like memory acquisition during boot and enables runtime code execution via UEFI runtime services, complemented by an RTS tracer for behavior analysis. The approach demonstrates practical feasibility with a built-in memory-dump mechanism that exfiltrates data over the network and a proof-of-concept RTS hook that can persist forensic tooling and enable runtime memory considerations. The results indicate that the built-in acquisition can capture memory with controllable alteration (on the order of tens of MiB largely due to reboot) and that runtime-forensics via RTS is a viable avenue for non-reboot memory analysis, offering a path toward firmware-level forensic readiness with real-world applicability for incident response.

Abstract

Today's computer systems come with a pre-installed tiny operating system, which is also known as UEFI. UEFI has slowly displaced the former legacy PC-BIOS while the main task has not changed: It is responsible for booting the actual operating system. However, features like the network stack make it also useful for other applications. This paper introduces UEberForensIcs, a UEFI application that makes it easy to acquire memory from the firmware, similar to the well-known cold boot attacks. There is even UEFI code called by the operating system during runtime, and we demonstrate how to utilize this for forensic purposes.
Paper Structure (21 sections, 3 figures, 3 tables)

This paper contains 21 sections, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Simplified architecture of UEberForensIcs and the RTS tracer.
  • Figure 2: Timeline of the system with the four memory dumps.
  • Figure 3: Visualization of the page-wise diff. Addresses are growing from the left to the right and from the bottom to the top.