Analyzing Bootkit and Rootkit Samples

When to Use

- A system shows signs of compromise that persist through OS reinstallation
- Antivirus and EDR are unable to detect malware despite clear evidence of compromise
- UEFI Secure Boot has been disabled or shows integrity violations
- Memory forensics reveals rootkit behavior (hidden processes, hooked system calls)
- Investigating nation-state level threats known to deploy bootkits (APT28, APT41, Equation Group)

Do not use for standard user-mode malware; bootkits and rootkits operate at a fundamentally different level requiring specialized analysi…