Semester of Graduation

Fall 2021


Master of Science in Computer Science (MSCS)


Division of Computer Science and Engineering

Document Type



Memory forensics allows an investigator to get a full picture of what is occurring on-device at the time that a memory sample is captured and is frequently used to detect and analyze malware. Malicious attacks have evolved from living on disk to having persistence mechanisms in the volatile memory (RAM) of a device and the information that is captured in memory samples contains crucial information for full forensic analysis by cybersecurity professionals. Recently, Apple unveiled computers containing a custom designed system on a chip (SoC) called the M1 that is based on ARM architecture. Our research focused on the differences in the Volatility memory analysis framework between Apple's new M1 SoC and its previous Intel-based CPUs due to the new architecture. We extracted memory samples from a MacBook Air equipped with a M1 SoC and a Intel-based Mac virtual machine. Using those samples, we ran all the Volatility plugins available for Mac against each memory sample, taking note of any differences or errors that occurred because of the shift in architecture. This is foundational memory forensics work on the M1 ARM platform that will allow future research and improvements to be made on Volatility for M1.

Committee Chair

Richard, Golden G.