Doctor of Philosophy (PhD)


Computer Science

The continued increase in the use of computer systems in recent times has led to a significant rise in the capabilities of malware and attacker toolkits that target different operating systems and their users. Over the last several years, cybersecurity threat reports have documented numerous instances of users who were targeted by governments, intelligence agencies, and criminal groups, with the result that the victims ended up having highly sophisticated malware installed on their systems. Unfortunately, the rise of these threats has not been met with equal research and development of defensive mechanisms that can detect and analyze such malware. Though newer techniques such as memory forensics have been incorporated into digital investigations, there is still a huge gap in automated analysis for such frameworks. Consequently, inexperienced investigators have been left with little chance of detecting the malware’s presence, and even for experienced investigators, detection is still difficult in many circumstances and requires significant manual investigation for a chance at success. This thesis documents our research efforts to close this gap through the development of novel memory forensic capabilities aimed at detecting advanced, real-world malware that targets popular operating systems such as macOS and Windows. This research is driven by analysis of numerous malware samples that were used as part of espionage and criminal attack campaigns, and the research objective is to automate the detection of such malware through memory forensic techniques. The research includes the study of kernel and runtime source code of the macOS and Windows operating systems to analyze the various components used to store information about application malware. The end results are new memory forensics techniques that can be leveraged by investigators of all skill levels to detect userland malware in an automated, scalable, and flexible manner.
These techniques have been implemented and tested within the open-source Volatility memory forensics framework.

Committee Chair

Richard, Golden G.