UEFI Memory Forensics: A Framework for UEFI Threat Analysis

📅 2025-01-28
🤖 AI Summary
Problem: No existing tool captures and analyzes volatile UEFI runtime memory, so firmware-level malware that acts during the pre-OS phase cannot be examined the way OS-level memory forensics frameworks (Volatility, Rekall, MemProcFS) examine a running kernel. Method: The paper introduces a UEFI memory forensics framework with two components: UefiMemDump, which acquires physical memory from the UEFI runtime environment, and UEFIDumpAnalysis, an extensible collection of analysis modules that parse the acquired memory and flag firmware-layer attacks, including function pointer hooks, inline hooks, and malicious image loading. Contribution/Results: The proof-of-concept implementation detects the ThunderStrike, CosmicStrand, and Glupteba UEFI bootkits. The implementation is released as open source so that researchers and practitioners can add analysis modules and investigate below-OS threats.

📝 Abstract
Modern computing systems rely on the Unified Extensible Firmware Interface (UEFI), which has replaced the traditional BIOS as the firmware standard for the modern boot process. Despite the advancements, UEFI is increasingly targeted by threat actors seeking to exploit its execution environment and take advantage of its persistence mechanisms. While some security-related analysis of UEFI components has been performed (primarily via debugging and runtime behavior testing), to the best of our knowledge, no prior study has specifically addressed capturing and analyzing volatile UEFI runtime memory to detect malicious exploitation during the pre-OS phase. This gap in UEFI forensic tools limits the ability to conduct in-depth security analyses in pre-OS environments. Such a gap is especially surprising, given that memory forensics is widely regarded as foundational to modern incident response, reflected by the popularity of above-OS memory analysis frameworks, such as Rekall, Volatility, and MemProcFS. To address the lack of below-OS memory forensics, we introduce a framework for UEFI memory forensics. The proposed framework consists of two primary components: UefiMemDump, a memory acquisition tool, and UEFIDumpAnalysis, an extendable collection of analysis modules capable of detecting malicious activities such as function pointer hooking, inline hooking, and malicious image loading. Our proof-of-concept implementation demonstrates our framework's ability to detect modern UEFI threats, such as ThunderStrike, CosmicStrand, and Glupteba bootkits. By providing an open-source solution, our work enables researchers and practitioners to investigate firmware-level threats, develop additional analysis modules, and advance overall below-OS security through UEFI memory analysis.
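The detection classes named in the abstract (function pointer hooking, inline hooking, and a loaded image that does not belong) are easier to picture with a small worked check. The C below is an added example written for this page, not code from the paper's UefiMemDump or UEFIDumpAnalysis. It assumes the analysis layer has already recovered the loaded-image address ranges and the EFI_BOOT_SERVICES function pointers from a dump; every image name, address and byte pattern in it is constructed. The first check flags Boot Services slots whose pointer does not resolve into the image that owns the table (a redirected function pointer, or a pointer into an image the dump does not list at all, which is how a maliciously loaded image first shows up). The second looks at a function's first bytes for the trampoline shapes an inline hook leaves behind.

```c
/* Added example (not the paper's code): two checks a UEFI dump-analysis module
 * can run over recovered state. All addresses, image names and byte patterns
 * below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One loaded image recorded in the dump. A real module would recover these from
 * the loaded-image protocol instances; here they are constructed. */
typedef struct { const char *name; uint64_t base; uint64_t size; } image_range_t;

/* One EFI_BOOT_SERVICES slot: its name and the function pointer read from the dump. */
typedef struct { const char *name; uint64_t ptr; } svc_entry_t;

/* Return the image containing addr, or NULL when it lies outside every known image. */
static const image_range_t *find_image(const image_range_t *imgs, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= imgs[i].base && addr < imgs[i].base + imgs[i].size)
            return &imgs[i];
    return NULL;
}

/* Function-pointer hook check: every Boot Services entry should resolve into the
 * image that owns the table (assumed here to be DxeCore). Returns the number of
 * slots that resolve elsewhere and prints one line per finding. */
int count_pointer_hooks(const svc_entry_t *svcs, size_t n,
                        const image_range_t *imgs, size_t nimgs, const char *owner)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        const image_range_t *img = find_image(imgs, nimgs, svcs[i].ptr);
        if (img && strcmp(img->name, owner) == 0)
            continue;                                   /* expected target: clean */
        printf("[hook] %s -> 0x%llx (%s)\n", svcs[i].name,
               (unsigned long long)svcs[i].ptr, img ? img->name : "no known image");
        hooked++;
    }
    return hooked;
}

/* Inline hook check on the first bytes of an x86-64 function body.
 * Returns 1 for the common trampoline shapes, 0 otherwise. */
int is_inline_hooked(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                        /* jmp rel32 */
        return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)     /* jmp [rip+rel32] */
        return 1;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&  /* mov rax, imm64 */
        code[10] == 0xFF && code[11] == 0xE0)               /* jmp rax */
        return 1;
    return 0;
}

/* Constructed sample dump state: two images and four Boot Services slots. */
static const image_range_t sample_images[] = {
    { "DxeCore",       0x7E000000ULL, 0x00100000ULL },
    { "UnknownDriver", 0x7F500000ULL, 0x00010000ULL },   /* not from the firmware volume */
};
static const svc_entry_t sample_services[] = {
    { "AllocatePool",     0x7E012340ULL },   /* inside DxeCore: clean */
    { "LocateProtocol",   0x7F501000ULL },   /* redirected into UnknownDriver */
    { "LoadImage",        0x7E045000ULL },   /* clean */
    { "ExitBootServices", 0x80000000ULL },   /* points outside every listed image */
};

/* Run the pointer-hook check over the constructed sample; returns 2. */
int scan_sample_pointer_hooks(void)
{
    return count_pointer_hooks(sample_services, 4, sample_images, 2, "DxeCore");
}

/* Constructed function prologues: an untouched one and a patched one. */
static const uint8_t clean_prologue[]  = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57 }; /* mov [rsp+8],rbx; push rdi */
static const uint8_t hooked_prologue[] = { 0xE9, 0xBB, 0x0F, 0x50, 0x01 };       /* jmp rel32 */

int main(void)
{
    printf("pointer hooks: %d\n", scan_sample_pointer_hooks());
    printf("clean prologue inline-hooked: %d\n",
           is_inline_hooked(clean_prologue, sizeof clean_prologue));
    printf("patched prologue inline-hooked: %d\n",
           is_inline_hooked(hooked_prologue, sizeof hooked_prologue));
    return 0;
}
```

A real module would take the owning image and the image ranges from the dump rather than from constants, and should also verify that each pointer's target image was loaded from the firmware volume, since a pointer that lands in a plausibly named but unexpected image is as suspicious as one that lands nowhere. The byte patterns cover the common x86-64 trampolines only; a bootkit can hide a detour deeper in the function, so a stronger check compares the whole function body against the same image in a clean firmware capture.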
Problem

Research questions and friction points this paper is trying to address.

UEFI
Memory Security
Early Detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

UEFI Memory Detective
Pre-Boot Security Analysis
Open-Source Security Tool
Authors

Kalanit Suzan Segal, Ben Gurion University of the Negev
Hadar Cochavi Gorelik, Ben Gurion University of the Negev
Oleg Brodt, Ben-Gurion University (research interests: Cybersecurity, Cyber Security, Security, Digital Forensics, Cyber Conflict)
Yuval Elbahar, Ben Gurion University of the Negev
Y. Elovici, Ben Gurion University of the Negev
A. Shabtai, Ben Gurion University of the Negev