Semester of Graduation
Fall 2021
Degree
Master of Science in Computer Science (MSCS)
Department
Division of Computer Science and Engineering
Document Type
Thesis
Abstract
Memory forensics allows an investigator to get a full picture of what is occurring on-device at the time that a memory sample is captured and is frequently used to detect and analyze malware. Malicious attacks have evolved from living on disk to having persistence mechanisms in the volatile memory (RAM) of a device, and the information that is captured in memory samples is crucial for full forensic analysis by cybersecurity professionals. Recently, Apple unveiled computers containing a custom-designed system on a chip (SoC) called the M1 that is based on the ARM architecture. Our research focused on the differences in the Volatility memory analysis framework between Apple's new M1 SoC and its previous Intel-based CPUs due to the new architecture. We extracted memory samples from a MacBook Air equipped with an M1 SoC and an Intel-based Mac virtual machine. Using those samples, we ran all the Volatility plugins available for Mac against each memory sample, taking note of any differences or errors that occurred because of the shift in architecture. This is foundational memory forensics work on the M1 ARM platform that will allow future research and improvements to be made on Volatility for M1.
Recommended Citation
Duke, Joshua, "Memory Forensics Comparison of Apple M1 and Intel Architecture Using Volatility Framework" (2021). LSU Master's Theses. 5477.
https://repository.lsu.edu/gradschool_theses/5477
Committee Chair
Richard, Golden G.
DOI
10.31390/gradschool_theses.5477