Semester of Graduation

Spring 2022


Master of Science in Computer Science (MSCS)


Computer Science

Document Type



As malware continues to evolve, infection mechanisms that can only be seen in memory are increasingly commonplace. These techniques evade traditional forensic analysis, requiring the use of memory forensics. Memory forensics allows for the recovery of historical data created by running malware, including information that it tries to hide. Memory analysis capabilities have lagged behind on Apple's new M1 architecture while the number of malicious programs only grows. To make matters worse, Apple has developed Rosetta 2, the translation layer for running x86_64 binaries on an M1 Mac. As a result, all malware compiled for Intel Macs is theoretically functional on M1 machines. In this paper, malware will be executed through the Rosetta 2 translation environment in an effort to document the functionality of malware run through it. Afterwards, memory forensics will be performed on select samples to confirm functionality. Finally, the research efforts to bring memory forensics to the M1 will be discussed, along with new artifacts from Rosetta 2 that can be analyzed as a result of these research efforts.

Committee Chair

Richard III, Golden G.