MFSC-201: The Advanced Practices in Mac Forensics

This course is given by SUMURI. As each quarter passes, Apple’s success has been nothing but impressive. In addition to desktop and mobile computers, Apple produces a variety of unique and innovative devices and applications found in just about every modern society, home, and business. As more and more Apple devices enter the marketplace exponentially, the need for Macintosh Forensic Training is quite apparent.

The Advanced Practices in Mac Forensics (MFSC-201) course provides unparalleled vendor-neutral and tool-agnostic instruction in advanced topics relating to the forensic use and analysis of Apple hardware, technologies, and applications. The training is designed for the participant to learn in a teamwork environment and taught by instructors who maintain a “no one left behind” attitude. In addition, complicated topics are made easy to understand through instructor-led exercises and real-life scenarios— supported by a quality student manual to be utilized as a supplemental resource after the course.

MFSC-201 is the second prerequisite for the Certified Forensic Mac Examiner certification. The CFME is a two-part certification process that tests the candidate on topics covered in MFSC-101 and MFSC-201. It is absolutely at no extra cost to those candidates who have attended both of the courses.

Topics include but are not limited to:

  • Advanced File System Analysis – Introduction to the concept of domains within the macOS environment and locations of evidentiary artifacts and their contents.
  • Advanced Command Line – Work with macOS’ powerful and highly useful command-line interface to assist in forensic examinations of a Mac.
  • macOS Log Analysis – Learn how to identify artifacts from persistent and volatile logs, including Apple Unified Logs.
  • File System Event Monitoring and Analysis – Work with live and logged File System Events to identify artifacts and determine file usage history on a volume or disk.
  • Identifying and Analyzing Virtual Machines – Identify the use of a VM within macOS and the procedures necessary to analyze artifacts.
  • AppleScript and Automator – Learn to develop custom programs and workflows to automate almost any task to simplify and enhance forensic examinations.
  • macOS Server & Software RAIDs – Discussion on macOS server technology and Apple software RAIDs. Learn the best practices on handling servers and Apple RAIDs.
  • Macintosh Timeline Analysis – Understand and identify unique macOS metadata timestamps for use in building a timeline of a file system that can retrace the suspect’s history minute by minute or second by second.
  • iCloud Forensics – Find and analyze iCloud artifacts and data, such as documents, synced with an Apple iCloud account.
  • Time Machine Analysis – Understand the Time Machine backup process and structure in order to find data.
  • Unique Apple Technology – Lean the best practices and resources available to deal with unique Apple technology such as Air Tags and Continuity.
  • Advanced Search Techniques – Use advanced search techniques, both macOS native and 3rd party tools, to find evidentiary artifacts within the macOS.
  • Application Deconstruction – Learn how to find any and all artifacts left behind by installed, and in some cases uninstalled, applications.

PREREQUISITE: Completion of MFSC-101 or comparable Mac Forensics Course

WHEN:  May 01-05, 2023

COST: $2,495.00 US Dollars

2023 REGISTRATION: 

Existing IACIS members: Log in with your credentials and go to the Products page to purchase and register for the course.

Non-IACIS members: Membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Purchase training course HERE.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (treasurer@iacis.com)

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 30, 2023: 1800 – 2100

             Monday, May 01, 2023: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.

COURSE NOTES:

Please read the following notes regarding this class:

  1. Each student is required to supply their own Mac computer for the class. The Mac should be able to run macOS on Monteray or later. It is preferred that macOS Ventura be installed.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.
  3. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.

HOTEL BOOKING: 

The course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is 16 miles from the Orlando International Airport, it has a large pool, spacious workout facility and is close to Disney World and Universal Studios.

URGENT NOTICE 

Due to an unprecedented situation with Caribe Royale, the hotel is completely booked for week one of the 2023 IACIS Training event.   

IACIS is currently working with Orlando Marriott to determine if we can use it as overflow, but at the time of this writing we have no information on what they have available or if they will honor GSA rates. We will update this site as new information become available.
 

​​NAME​   ​​PHONE​  
Embassy Suites by Hilton Orlando Lake Buena Vista South   1(407)597-4000  
​​Orlando Marriott World Center​    1(407)239-4200  
Gaylord Palms Resort & Convention Center   1(407)586-0000  
​​Walt Disney World Swan​    1(407)934-3000  
Walt Disney World Dolphin Resort   1(407)934-4000  

Also, if you are government employee you may be able to use FedRooms.com to find GSA rate lodging in the area.   

Please note: Availability at the Caribe Royale may change as time gets closer to the event so it is recommended that you check with the Caribe Royale often by using booking via this Caribe Royale Hotel link here. As a reminder, if you are not a Caribe Royale Hotel guest and require daily parking on hotel property during the event you will be responsible for all associated parking fees. 

Or book via phone by calling the following numbers: 

Reservations Toll Free: 1-800-823-8300/1-888-258-7501 or our local number 407-238-8000. 

CANCELLATION INFO:

If IACIS is unable to hold their 2023 Orlando training event, then all students who have registered and paid, will have the option of a full refund or a reserved seat at the 2024 training event.  IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled.  Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.