UEFI Memory Forensics: A Framework for UEFI Threat Analysis

Modern computing systems rely on the Unified Extensible Firmware Interface (UEFI), which has replaced the legacy Basic Input/Output System (BIOS) as the firmware standard for the modern boot process. Although the UEFI represents a significant advancement in system firmware, it is increasingly targeted by threat actors seeking to exploit its execution environment and take advantage of its persistence mechanisms. While some security-related analysis of UEFI components has been performed--primarily via debugging and runtime behavior testing--to the best of our knowledge, no prior study has specifically addressed the capturing and analysis of volatile UEFI runtime memory to detect malicious exploitation during the pre-OS phase. This gap in UEFI forensic tools limits the ability to conduct in-depth security analysis in pre-OS environments. Such a gap is particularly surprising, given that memory forensics is widely regarded as foundational to modern incident response, as reflected by the popularity of above-OS memory analysis frameworks, such as Rekall, Volatility, and MemProcFS. To address the lack of below-OS memory forensics, we introduce a framework for UEFI memory forensics. The proposed framework consists of two components: UEFIMemDump, a memory acquisition tool, and UEFIDumpAnalysis, an extendable collection of analysis modules capable of detecting malicious activities such as function pointer hooking, inline hooking, malicious image loading, and gadget-based control-flow manipulation. Our proof-of-concept implementation demonstrates the framework's ability to detect modern UEFI threats, such as Thunderstrike, CosmicStrand, and Glupteba bootkits. By providing an open-source solution, our work enables researchers and practitioners to investigate firmware-level threats, develop additional analysis modules, and advance overall below-OS security through UEFI memory analysis.