Semester of Graduation

Spring 2022


Master of Science in Computer Science (MSCS)


School of Electrical Engineering and Computer Science

Document Type



Malware threats are rapidly evolving to use more sophisticated attacks. By abusing rich application APIs such as Objective-C’s, they are able to gather information about user activity, launch background processes without the user’s knowledge as well as perform other malicious activities. In some cases, memory forensics is the only way to recover artifacts related to this malicious activity, as is the case with memory-only execution. The introduction of the Rosetta 2 on the Apple M1 introduces a completely new attack surface by allowing binaries of both Intel x86 64 and ARM64 architecture to run in userland. For this reason it is important that forensic analysis tools are able to properly identify indicators of malicious activity in a memory sample as well as include support for new platforms as soon as possible. In this paper, I present a memory analysis of the Rosetta 2 runtime using the Volatility Framework, a set of curated memory samples to help validate Volatility plugins and algorithms, and discuss new contributions to the Volatility support of the M1 platform.

Committee Chair

Golden G. Richard III