Plan

• Apple Hardware and Tech
• Introduction to the macOS and the Desktop
• Understanding CoreStorage, Fusion, FileVault and APFS
• Imaging Mac RAM
• Understanding the Mac File System
• Mac Security Issues and Encryption
• Password Recovery
• Building a Mac Forensic Workstation
• Macintosh Search and Seizure
• Safely Obtaining System Information
• Firmware Passwords
• Volatile Data Collection
• Manual and Automated Imaging and Acquisition
• Verifying and Safely Mounting Forensic Images
• Indexing Forensic Images
• Search Techniques Using macOS
• Locating Evidence (Email, Graphics, Internet Artifacts, Documents, System Artifacts, Instant Messaging, logs and more)
• Recovering Deleted Files
• Examining SQLite Databases and PLIST files
• Using macOS for Forensics
• Reporting
• Review of Recommended Applications
• Review of Automated Forensic Tools
• Recommended Macintosh Hardware Requirements for Forensics and much more!

Advanced Macintosh forensics:

Advanced Command Line

Underneath Mac OS X's interface and desktop is the Unix shell, including a Terminal that gives users seemingly endless power and control from the "command-line." Participants will learn advanced tips using this "command-line" to assist in forensic examinations of a Mac.

Advanced File System Analysis

Students will be introduced to the concept of domains within the Mac OS X environment and be able to locate evidentiary artifacts. Additionally, students will learn how to manually deconstruct third-party applications.

AppleScript and Automator

Included with Mac OS X are two applications that allow the user to develop custom applications and workflows to automate almost any task. Participants will learn how to create their own AppleScript and Automator applications to simplify a forensic examination.

Identifying and Using Virtual Machines

Participants will learn how to identify the use of a VM within Mac OS X, and the procedures necessary to analyze them. In addition, the participant will learn how to use a VM to assist in forensic examinations from within the Mac environment.

Apple Timeline Analysis

Timeline Analysis is one of the most popular investigative trends in Digital Forensics and for good reason. Timeline Analysis can recreate the history of a device's usage step-by-step and second by second. Learn what Timestamps exist on a Mac, how they can be extracted and how to use the results to enhance your investigation.

Mac OS X Server Forensics

Participants will learn about Mac OS X server technology, including services and user accounts. Instruction will be provided on best practices for acquiring data safely from live systems, as well as responding to an incident on compromised systems.

Mac OS X Server Forensics

• iCloud Forensics
• Unique Apple Technology
• Advanced Search Techniques
• Application Deconstruction