🤖 AI Summary
Problem: Current UEFI firmware lacks runtime memory forensics capabilities, limiting firmware-level digital investigation to boot-time or cold-boot attack scenarios. Method: This paper proposes UEberForensIcs, the first framework to embed proactive forensic capabilities directly into the UEFI firmware layer. It enables secure, real-time acquisition of firmware memory during OS runtime, bypassing traditional boot-phase dependencies, via OS-UEFI cross-layer invocation and firmware memory mapping analysis. Remote triggering and encrypted data upload are achieved by reusing the UEFI network stack. Contribution/Results: Evaluated on mainstream platforms, UEberForensIcs achieves end-to-end forensic latency under 200 ms, complies with UEFI Specification v2.7+, and significantly enhances the timeliness and practicality of firmware-level digital forensics.
📝 Abstract
Today's computer systems come with a pre-installed tiny operating system, also known as UEFI. UEFI has slowly displaced the former legacy PC-BIOS, while its main task has not changed: it is responsible for booting the actual operating system. However, features like the network stack also make it useful for other applications. This paper introduces UEberForensIcs, a UEFI application that makes it easy to acquire memory from the firmware, similar to the well-known cold boot attacks. There is even UEFI code that the operating system calls during runtime, and we demonstrate how to utilize this for forensic purposes.