Authors: Johannes Stüttgen, Stefan Voemel, and Michael Denzel (Friedrich-Alexander-Universität Erlangen-Nürnberg)



To a great degree, research in memory forensics concentrates on the acquisition and analysis of kernel- and user-space software from physical memory to date. With the system firmware, a much more privileged software layer exists in modern computer systems though that has recently become the target in sophisticated computer attacks more often. Compromise strategies used by high profile rootkits are almost completely invisible to standard forensic procedures and can only be detected with special soft- or hardware mechanisms. In this paper, we illustrate a variety of firmware manipulation techniques and propose methods for identifying firmware-level threats in the course of memory forensic investigations. We have implemented our insights into well-known open-source memory forensic tools and have evaluated our approach within both physical and virtual environments.