Malware and Memory Forensics on M1 Macs

Author

Charles E. Glass, Louisiana State University and Agricultural and Mechanical CollegeFollow

Semester of Graduation

Spring 2022

Degree

Master of Science in Computer Science (MSCS)

Department

Computer Science

Document Type

Thesis

Abstract

As malware continues to evolve, infection mechanisms that can only be seen in memory are increasingly commonplace. These techniques evade traditional forensic analysis, requiring the use of memory forensics. Memory forensics allows for the recovery of historical data created by running malware, including information that it tries to hide. Memory analysis capabilities have lagged behind on Apple's new M1 architecture while the number of malicious programs only grows. To make matters worse, Apple has developed Rosetta 2, the translation layer for running x86_64 binaries on an M1 Mac. As a result, all malware compiled for Intel Macs is theoretically functional on M1 machines. In this paper, malware will be executed through the Rosetta 2 translation environment in an effort to document the functionality of malware run through it. Afterwards, memory forensics will be performed on select samples to confirm functionality. Finally, the research efforts to bring memory forensics to the M1 will be discussed, along with new artifacts from Rosetta 2 that can be analyzed as a result of these research efforts.

Recommended Citation

Glass, Charles E., "Malware and Memory Forensics on M1 Macs" (2022). LSU Master's Theses. 5557.
https://repository.lsu.edu/gradschool_theses/5557

Committee Chair

Richard III, Golden G.

DOI

10.31390/gradschool_theses.5557