Semester of Graduation
Spring 2022
Degree
Master of Science in Computer Science (MSCS)
Department
School of Electrical Engineering and Computer Science
Document Type
Thesis
Abstract
Malware threats are rapidly evolving to use more sophisticated attacks. By abusing rich application APIs such as Objective-C’s, they are able to gather information about user activity, launch background processes without the user’s knowledge as well as perform other malicious activities. In some cases, memory forensics is the only way to recover artifacts related to this malicious activity, as is the case with memory-only execution. The introduction of the Rosetta 2 on the Apple M1 introduces a completely new attack surface by allowing binaries of both Intel x86 64 and ARM64 architecture to run in userland. For this reason it is important that forensic analysis tools are able to properly identify indicators of malicious activity in a memory sample as well as include support for new platforms as soon as possible. In this paper, I present a memory analysis of the Rosetta 2 runtime using the Volatility Framework, a set of curated memory samples to help validate Volatility plugins and algorithms, and discuss new contributions to the Volatility support of the M1 platform.
Recommended Citation
Santos Mettig Rocha, Raphaela, "Improving Memory Forensics Capabilities on Apple M1 Computers" (2022). LSU Master's Theses. 5529.
https://repository.lsu.edu/gradschool_theses/5529
Committee Chair
Golden G. Richard III
DOI
10.31390/gradschool_theses.5529