Mac II: Advanced Practices in Mac Forensics

As each quarter passes, Apple’s success has been nothing but amazing. In addition to desktop and mobile computers, Apple produces a variety of unique and innovative devices and applications, which can be found in just about every modern home and business. As the number of Apple devices entering the marketplace grows exponentially, the need for Macintosh forensic training is quite apparent.

This course was designed to provide unparalleled vendor-neutral and tool-agnostic instruction in advanced topics relating to the forensic use and analysis of Apple hardware, technologies and applications. The training is designed for the participant to learn in a teamwork environment, and is taught by instructors who maintain a “no one left behind” attitude. In addition, complicated topics are made easy to understand through instructor-led exercises and real-life scenarios, supported by a quality student manual to be utilized as a supplemental resource at the completion of the course.

Topics include but are not limited to:

Advanced File System Analysis – Students will be introduced to the concept of domains within the macOS environment and be able to locate evidentiary artifacts in each. Additionally, students will learn how to manually deconstruct any installed application

Advanced Command Line – Underneath macOS’s interface and desktop is the Unix shell, including a Terminal that gives users endless power and control from the “command-line”. Participants will learn advanced tips using the “command-line” to assist in forensic examinations of a Mac

AppleScript and Automator – Included with macOS are two native applications that allow the user to develop custom programs and workflows to automate almost any task. Participants will learn how to create their own AppleScript and Automator applications to simplify and enhance their forensic examinations

macOS Log Analysis – Learn how to identify artifacts from persistent and volatile logs including the new Apple Unified Logs

File System Event Monitoring and Analysis – Work with live File System Events to identify artifacts quickly. Learn how to parse stored File System Events to determine the history of file usage on a volume or disk

Identifying and Using Virtual Machines – Participants will learn how to identify the use of a VM within macOS, and the procedures necessary to analyze them. In addition, the participant will learn how to use a VM to assist in forensic examinations from within the Mac environment

macOS Server Forensics – Participants will learn about macOS server technology, including services and user accounts. Instruction will be provided on best practices for acquiring data safely from live systems, as well as responding to an incident on compromised systems

Macintosh Timeline Analysis – Building a timeline of a file system can retrace the suspect’s history minute by minute or second by second. The training will help the participant understand Mac timestamps and use them for analysis

iCloud Forensics – Participants will learn how to find and analyze documents and other data synced with an Apple iCloud account

Time Machine Analysis – Understand the Time Machine backup process and structure in order to find data

Unique Apple Technology – Participants will be provided with best practices and resources to deal with troublesome and unique Apple technology

Advanced Search Techniques – The training shows the user how to conduct advanced indexed and live searches to find any data

Application Deconstruction – Participants will learn how to find any and all artifacts left behind by any application.

WHEN: 2021 Dates Coming Soon!

PREREQUISITE: Completion of MFSC – Mac 1 class or comparable Mac Basic Course

COST: $1,495 US Dollars

COURSE NOTES:

Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET each day, with a one-hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.

HOTEL BOOKING:

The 2021 course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA). This hotel is close to the Orlando International Airport, has a large pool and a spacious workout facility, and is very close to Disney World and Universal Studios.

CANCELLATION INFO:

If IACIS is unable to hold their 2021 Orlando training event, then all students who have registered and paid will have the option of a full refund or a reserved seat at the 2022 training event. IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled. Anyone who paid for training will receive complimentary membership through the year that their training takes place.