Bringing Forensic Readiness to Modern Computer Firmware
The paper "Bringing Forensic Readiness to Modern Computer Firmware", by Tobias Latzo and colleagues, proposes using the Unified Extensible Firmware Interface (UEFI) as a pre-installed memory acquisition tool. It introduces UEberForensIcs, a UEFI application that reads physical memory after a system reset, much as a cold boot attack does, but from the firmware layer rather than from a separately booted acquisition medium. Because the tool is already present in firmware, forensic readiness does not depend on deploying additional software at runtime. As with any cold-boot-style method, the approach relies on DRAM retaining the previous OS session's contents across the reset; a full power cycle, or firmware that scrubs memory early in boot, removes the evidence before it can be read.
Key Contributions and Methodology
The paper's primary contributions are threefold:
UEberForensIcs Integration: The authors built UEberForensIcs to acquire memory directly from the computer's firmware. Running as a UEFI application during boot, before any operating system starts, it can read the physical memory the previous session left behind and write it out for analysis. This sidesteps the usual obstacles of runtime acquisition software: no root privileges on the running system are needed, and OS-level anti-forensic measures, such as rootkits that hide from or tamper with kernel drivers, are not running when the dump is taken.
Runtime Service Integration: A second focus is persisting executable code through UEFI Runtime Services (RTS), the part of the firmware that stays mapped and callable after the operating system (OS) has taken over. Hooking these services lets acquisition code run while the OS is active, so memory could be captured without a reboot. The main limitation is getting the data out: code executing inside a runtime service has no network stack or file system of its own and would have to rely on resources the OS manages.
RTS Tracing: As a proof of concept, the authors built an OS-independent tracer for UEFI RTS calls. It records which runtime services the OS invokes and how often, across states such as boot, login, and reboot. The evaluation showed that the trace gives a clear picture of the frequency and kind of RTS usage, which is itself useful forensic information about how the OS interacts with the firmware.
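The two items above describe code that stays resident through UEFI Runtime Services and a tracer that records which services the OS calls. What follows is an added example, not code from the paper or from UEberForensIcs: it hooks a hypothetical three-entry subset of the runtime services table on an ordinary host, counts calls per service, forwards each call to the original implementation, and keeps the table header's CRC32 consistent after the pointer swap. The service signatures, the table subset, the firmware stand-ins and the sample calls are constructed for this example; the header layout, the "RUNTSERV" signature constant and the CRC rule are from the UEFI specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS   0ULL
#define EFI_NOT_FOUND ((1ULL << 63) | 14)
#define EFI_RUNTIME_SERVICES_SIGNATURE 0x56524553544e5552ULL   /* "RUNTSERV" */
typedef struct {            /* EFI_TABLE_HEADER as defined in the UEFI spec */
    uint64_t Signature;
    uint32_t Revision, HeaderSize, CRC32, Reserved;
} EFI_TABLE_HEADER;
typedef EFI_STATUS (*EFI_GET_TIME)(void *Time, void *Caps);
typedef EFI_STATUS (*EFI_GET_VARIABLE)(const uint16_t *Name, const void *Guid,
                                       uint32_t *Attr, size_t *Size, void *Data);
typedef void (*EFI_RESET_SYSTEM)(int Type, EFI_STATUS Status, size_t Len, void *Data);
typedef struct {            /* hypothetical three-entry subset of EFI_RUNTIME_SERVICES */
    EFI_TABLE_HEADER Hdr;
    EFI_GET_TIME     GetTime;
    EFI_GET_VARIABLE GetVariable;
    EFI_RESET_SYSTEM ResetSystem;
} RT_TABLE;
/* Stand-ins for the firmware's own service implementations (constructed for this example). */
static EFI_STATUS fw_GetTime(void *t, void *c) { (void)t; (void)c; return EFI_SUCCESS; }
static EFI_STATUS fw_GetVariable(const uint16_t *n, const void *g, uint32_t *a,
                                 size_t *s, void *d) {
    (void)n; (void)g; (void)a; (void)s; (void)d; return EFI_NOT_FOUND;
}
static void fw_ResetSystem(int t, EFI_STATUS s, size_t l, void *d) { (void)t; (void)s; (void)l; (void)d; }
/* Tracer state. In firmware this must live in EfiRuntimeServicesData/Code so it survives
 * ExitBootServices(); the saved pointers must be converted in the SetVirtualAddressMap
 * event, and from then on no boot service may be called. */
enum { RTS_GET_TIME, RTS_GET_VARIABLE, RTS_RESET_SYSTEM, RTS_COUNT };
static unsigned long    g_calls[RTS_COUNT];
static EFI_GET_TIME     g_orig_GetTime;
static EFI_GET_VARIABLE g_orig_GetVariable;
static EFI_RESET_SYSTEM g_orig_ResetSystem;
static EFI_STATUS traced_GetTime(void *t, void *c) {
    g_calls[RTS_GET_TIME]++; return g_orig_GetTime(t, c);
}
static EFI_STATUS traced_GetVariable(const uint16_t *n, const void *g, uint32_t *a,
                                     size_t *s, void *d) {
    g_calls[RTS_GET_VARIABLE]++; return g_orig_GetVariable(n, g, a, s, d);
}
static void traced_ResetSystem(int t, EFI_STATUS s, size_t l, void *d) {
    g_calls[RTS_RESET_SYSTEM]++;    /* last chance to persist the trace before the reset */
    g_orig_ResetSystem(t, s, l, d);
}
/* IEEE 802.3 CRC32. EFI_TABLE_HEADER.CRC32 covers HeaderSize bytes with the CRC32 field
 * itself zeroed, so every pointer swap in the table must be followed by a re-sign. */
static uint32_t crc32_ieee(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static uint32_t table_crc(const RT_TABLE *rt) {
    RT_TABLE copy;
    memcpy(&copy, rt, sizeof copy);
    copy.Hdr.CRC32 = 0;
    return crc32_ieee(&copy, copy.Hdr.HeaderSize);
}
static int table_is_valid(const RT_TABLE *rt) {
    return rt->Hdr.Signature == EFI_RUNTIME_SERVICES_SIGNATURE
        && rt->Hdr.HeaderSize == sizeof *rt && rt->Hdr.CRC32 == table_crc(rt);
}
static void init_firmware_table(RT_TABLE *rt) {
    memset(rt, 0, sizeof *rt);
    rt->Hdr.Signature  = EFI_RUNTIME_SERVICES_SIGNATURE;
    rt->Hdr.Revision   = (2u << 16) | 70u;
    rt->Hdr.HeaderSize = (uint32_t)sizeof *rt;
    rt->GetTime = fw_GetTime; rt->GetVariable = fw_GetVariable; rt->ResetSystem = fw_ResetSystem;
    rt->Hdr.CRC32 = table_crc(rt);
}
/* Install the hooks and re-sign the header (EDK2 code would use gBS->CalculateCrc32). */
static void install_tracer(RT_TABLE *rt) {
    g_orig_GetTime     = rt->GetTime;     rt->GetTime     = traced_GetTime;
    g_orig_GetVariable = rt->GetVariable; rt->GetVariable = traced_GetVariable;
    g_orig_ResetSystem = rt->ResetSystem; rt->ResetSystem = traced_ResetSystem;
    rt->Hdr.CRC32 = table_crc(rt);
}
static unsigned long call_count(int idx) { return g_calls[idx]; }

int main(void) {
    static const uint16_t name[] = {'B','o','o','t','O','r','d','e','r',0};
    uint32_t attr = 0; size_t size = 0; RT_TABLE rt;
    init_firmware_table(&rt); install_tracer(&rt);
    rt.GetVariable(name, NULL, &attr, &size, NULL);   /* the kind of calls an OS makes at boot */
    rt.GetTime(NULL, NULL);
    printf("GetTime=%lu GetVariable=%lu ResetSystem=%lu header valid=%d\n",
           call_count(RTS_GET_TIME), call_count(RTS_GET_VARIABLE),
           call_count(RTS_RESET_SYSTEM), table_is_valid(&rt));
    return 0;
}
```

In a real DXE driver the pointer swap happens before ExitBootServices, and the counters would be read back later through some channel that still exists once boot services are gone, for instance by having the hook store the trace somewhere the OS or a later UEFI application can reach. That last step is exactly the exfiltration problem the paper identifies for runtime acquisition; the counting itself is the easy part.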
Evaluation and Discussion
The paper evaluates UEberForensIcs against correctness, atomicity, and integrity, the criteria usually applied to forensically sound memory acquisition. The assessment was carried out in a QEMU virtual machine (VM). Integrity held up well: the firmware overwrote only a small, identifiable set of regions during boot and acquisition, those the firmware and the acquisition application themselves use. Correctness was checked by comparing dumps taken with UEberForensIcs against dumps of the same VM produced with QEMU's pmemsave monitor command, which showed matching memory layout and content in the regions the firmware had not touched.
UEFI-based memory acquisition has one clear advantage: atomicity comes for free, because the OS is halted by the reboot and nothing writes to memory concurrently while the dump is read. How much memory the firmware itself destroys, however, varies between platforms and firmware builds, so results from a virtual machine do not transfer directly to physical hardware and need to be established per platform.
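The integrity and correctness checks described above come down to reading RAM region by region according to the firmware's memory map and then comparing the result with a reference dump page by page. The following is an added example, not code from the paper, and UEberForensIcs's own region selection may differ from it: it walks a GetMemoryMap()-style buffer using the reported DescriptorSize rather than sizeof, skips region types that must not be read, and attributes each page that differs between a reference dump and a firmware-acquired dump to the memory type of its region. The 16-page memory layout, both dumps and the overwritten pages are constructed for the example; the descriptor layout and the memory type numbers are from the UEFI specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
enum {                           /* EFI_MEMORY_TYPE values from the UEFI spec */
    EfiReservedMemoryType, EfiLoaderCode, EfiLoaderData, EfiBootServicesCode,
    EfiBootServicesData, EfiRuntimeServicesCode, EfiRuntimeServicesData,
    EfiConventionalMemory, EfiUnusableMemory, EfiACPIReclaimMemory, EfiACPIMemoryNVS,
    EfiMemoryMappedIO, EfiMemoryMappedIOPortSpace, EfiPalCode, EfiPersistentMemory,
    EfiMaxMemoryType
};
/* Spec-defined prefix of EFI_MEMORY_DESCRIPTOR (40 bytes on x86-64). GetMemoryMap()
 * reports its own DescriptorSize (48 on EDK2/OVMF) and is allowed to grow it, so a
 * walker must step by that value, never by sizeof(). */
typedef struct {
    uint32_t Type;
    uint64_t PhysicalStart, VirtualStart, NumberOfPages, Attribute;
} EFI_MEMORY_DESCRIPTOR;
/* RAM that can be read without side effects: MMIO is excluded because reading device
 * registers can change device state; reserved and unusable ranges may not be RAM at all. */
static int is_acquirable(uint32_t type) {
    return type != EfiMemoryMappedIO && type != EfiMemoryMappedIOPortSpace
        && type != EfiUnusableMemory && type != EfiReservedMemoryType;
}
static size_t walk_memory_map(const uint8_t *map, size_t map_size, size_t desc_size,
                              EFI_MEMORY_DESCRIPTOR *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + desc_size <= map_size && n < max; off += desc_size)
        memcpy(&out[n++], map + off, sizeof *out);   /* copy only the spec-defined prefix */
    return n;
}
static int page_type(const EFI_MEMORY_DESCRIPTOR *d, size_t n, uint64_t page) {
    for (size_t i = 0; i < n; i++) {
        uint64_t first = d[i].PhysicalStart / PAGE_SIZE;
        if (page >= first && page < first + d[i].NumberOfPages) return (int)d[i].Type;
    }
    return -1;                   /* not described by the map: do not touch it */
}
typedef struct { uint64_t compared, skipped, changed, changed_by_type[EfiMaxMemoryType]; } dump_diff;
/* Page-wise comparison of a reference dump with the firmware-acquired dump, attributing
 * each altered page to the memory type of the region it lies in. */
static dump_diff compare_dumps(const uint8_t *ref, const uint8_t *acq, uint64_t npages,
                               const EFI_MEMORY_DESCRIPTOR *d, size_t n) {
    dump_diff r;
    memset(&r, 0, sizeof r);
    for (uint64_t p = 0; p < npages; p++) {
        int t = page_type(d, n, p);
        if (t < 0 || !is_acquirable((uint32_t)t)) { r.skipped++; continue; }
        r.compared++;
        if (memcmp(ref + p * PAGE_SIZE, acq + p * PAGE_SIZE, PAGE_SIZE) != 0) {
            r.changed++; r.changed_by_type[t]++;
        }
    }
    return r;
}
/* ---- constructed scenario: 16 pages, six map entries, DescriptorSize 48 ---- */
#define NPAGES    16
#define DESC_SIZE 48
static uint8_t g_ref[NPAGES * PAGE_SIZE];  /* reference dump (pmemsave-style, OS still live) */
static uint8_t g_acq[NPAGES * PAGE_SIZE];  /* dump read by the firmware application after reset */
static uint8_t g_map[6 * DESC_SIZE];
static void put_desc(size_t i, uint32_t type, uint64_t first_page, uint64_t npages) {
    EFI_MEMORY_DESCRIPTOR d;
    memset(&d, 0, sizeof d);
    d.Type = type; d.PhysicalStart = first_page * PAGE_SIZE; d.NumberOfPages = npages;
    memset(g_map + i * DESC_SIZE, 0, DESC_SIZE);   /* vendor extension bytes stay zero */
    memcpy(g_map + i * DESC_SIZE, &d, sizeof d);
}
static dump_diff run_scenario(EFI_MEMORY_DESCRIPTOR *descs, size_t *ndescs) {
    uint32_t x = 0x12345678u;
    put_desc(0, EfiLoaderData, 0, 2);           /* the dumper's own image and data */
    put_desc(1, EfiBootServicesData, 2, 2);     /* firmware boot-time scratch */
    put_desc(2, EfiConventionalMemory, 4, 8);   /* where the OS's data of interest lived */
    put_desc(3, EfiRuntimeServicesData, 12, 2);
    put_desc(4, EfiMemoryMappedIO, 14, 1);
    put_desc(5, EfiACPIMemoryNVS, 15, 1);
    for (size_t i = 0; i < sizeof g_ref; i++) {  /* deterministic pseudo-random "live" RAM */
        x = x * 1664525u + 1013904223u;
        g_ref[i] = (uint8_t)(x >> 24);
    }
    memcpy(g_acq, g_ref, sizeof g_ref);
    memset(g_acq + 1 * PAGE_SIZE, 0xAA, PAGE_SIZE);      /* overwritten by the dumper itself */
    memset(g_acq + 2 * PAGE_SIZE, 0x00, 2 * PAGE_SIZE);  /* overwritten by firmware during boot */
    memset(g_acq + 14 * PAGE_SIZE, 0xFF, PAGE_SIZE);     /* MMIO reads differ but are skipped */
    *ndescs = walk_memory_map(g_map, sizeof g_map, DESC_SIZE, descs, 16);
    return compare_dumps(g_ref, g_acq, NPAGES, descs, *ndescs);
}

int main(void) {
    EFI_MEMORY_DESCRIPTOR descs[16];
    size_t n;
    dump_diff r = run_scenario(descs, &n);
    printf("%zu map entries, %llu pages compared, %llu skipped, %llu altered\n", n,
           (unsigned long long)r.compared, (unsigned long long)r.skipped, (unsigned long long)r.changed);
    for (int t = 0; t < EfiMaxMemoryType; t++)
        if (r.changed_by_type[t])
            printf("  memory type %d: %llu altered page(s)\n", t, (unsigned long long)r.changed_by_type[t]);
    return 0;
}
```

The point of the per-type breakdown is the integrity argument: altered pages should cluster in the regions the firmware and the dumper use themselves (here EfiLoaderData and EfiBootServicesData), while the EfiConventionalMemory pages that held the OS's data are intact. Two practical consequences follow: a dumper should allocate as little as possible, since every page it takes is a page it can no longer recover, and the set of altered regions has to be measured again on each physical platform, because it depends on the firmware build rather than on the method.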
Runtime service integration, while promising for seamless forensic readiness, runs into the exfiltration problem. It is currently limited to scenarios in which an RTS hook is actually invoked, and it still needs a way to deliver the acquired data that does not depend on the OS's network stack or storage drivers.
Implications and Future Research
This paper offers a credible framework for embedding forensic mechanisms in computer firmware, which makes proactive forensic readiness possible. Memory acquisition at the UEFI level can strengthen incident response because the tooling is in place before an incident occurs and is far harder for post-compromise malware to disable or subvert than an agent installed in the OS.
Future research could test the approach on physical hardware, establishing how UEberForensIcs behaves across different architectures and firmware footprints. Refining the code persistence methods and finding alternative exfiltration channels would also make runtime acquisition via UEFI RTS more practical.
In conclusion, the research not only extends digital forensic methodology but also raises pertinent questions for ongoing exploration. The insights captured in this paper provide a foundation from which the digital forensic community can advance understanding and applications of forensic readiness at the firmware level.