MFSC-101: The Best Practices in Mac Forensics

MFSC-101 Course Overview

This course is given by SUMURI. The Best Practices in Mac Forensics (MFSC-101) course shows you how and why you are missing evidence using non-native forensic solutions and how to find what is missed by using a Mac to process a Mac.

Steve Whalen developed this course to provide vendor-neutral and tool-agnostic training that covers the process of examining a Macintosh computer from the first step to the last step in logical order. MFSC-101 is designed for both the beginner Mac examiner as well as the advanced. The knowledge you gain can be applied to any forensic tool on any platform. Surprising to most is that the entire course is taught using a Mac to examine a Mac without expensive automated forensic tools. Even more surprising is that the participants realize that they can find more evidence and find it faster!

MFSC-101 is the first of two prerequisites for the Certified Forensic Mac Examiner (CFME) certification. The CFME is a two-part certification process that tests the candidate on topics covered in MFSC-101 and MFSC-201. It is absolutely at no extra cost to those candidates who have attended both of the courses.

More Details

Prerequisites

Software and Equipment

NOTE: Each student must provide their own MAC computer for this course.

Attendance and Conduct

MFSC-101 Course Topics

Overview of macOS Versions: identifies features of forensic
importance in different macOS and when they appeared
Understanding the Mac File System Technology: a review of
all file system technology supported by macOS such as APFS, Core Storage,
Fusion Drives, and macOS Extended
Intel Mac Technology and Bootcamp: explains the forensic
significance of Mac Intel Technology
Silicon Mac Technology: explains the unique issues and
forensic significance of M1 Silicon Technology
Mac Security Issues and FileVault Attacks: current best
practices for dealing with Mac Security
Macintosh Search and Seizure: best practices for seizing
Mac and iOS hardware
Safely Obtaining System Information: how to safely obtain
system information without making changes to the evidence
Open Firmware Passwords: explains OFP, how to set and
remove OFP if it is necessary
Volatile Data Collection: discussion on unique issues
concerning Mac Volatile Data, methods to collect it, and the need for a
Trusted Utilities Disk
Forensic Imaging: discussion and exercises on imaging
Intel and M1 Silicon Macs to include issues present by Mac security
features
Imaging Mac RAM: discussion on the challenges in capturing
RAM due to macOS security features
Mounting Forensic Images in the macOS: safely mounting
forensic images for Processing and analysis
Indexing Forensic Images: how to index forensic images
using macOS
Search Techniques Using macOS: creating custom search
expressions  from the command-line and GUI
Locating Evidence: how to identify, analyze and extract
macOS and application artifacts such as Email, Graphics, Internet Artifacts,
Documents, System Artifacts, Instant Messaging, logs, and more
Recovering Deleted Files: an exercise in manually
recovering deleted files and the dangers of Mac optimization
Examining SQLite Databases and PLIST files: examining the
heart of Mac data storage
Using macOS for Forensics: how to utilize built-in macOS
technology for forensics
Report Development: how to create native reports using the
Mac to view data properly
Recommendations for Mac Forensics system configuration and
hardware