Mac I: Best Practices in Mac Forensics

This course shows you how and why you are missing evidence using Windows-based tools and how to find what is missed by using a Mac to process a Mac.

Steve Whalen developed the course to provide vendor-neutral and tool-agnostic training that covers the process of examining a Macintosh computer from the first step to the last step in logical order. The course was designed for both the beginner and the advanced Mac examiner. Surprising to most is that the entire course is taught using a Mac to examine a Mac without the use of expensive automated forensic tools. Even more surprising is that the participants realize that they can find more evidence and find it faster! Additionally, this course was designed with the understanding that many agencies are dealing with limited budgets.

Topics include but are not limited to:

  • Overview of macOS Versions – identifies features of forensic importance in different macOS versions and when they appeared
  • Understanding the Mac File System Technology – a review of all file system technology supported by macOS such as APFS, Core Storage, Fusion Drives and macOS Extended
  • Intel Mac Technology and Bootcamp – explains the forensic significance of Mac Intel Technology
  • Mac Security Issues and FileVault Attacks – current best practices for dealing with Mac Security
  • Macintosh Search and Seizure – best practices for seizing Mac and iOS hardware
  • Safely Obtaining System Information – how to safely obtain system information without making changes to the evidence
  • Bypassing Open Firmware Passwords – explains OFP, how to remove OFP and whether it is necessary
  • Volatile Data Collection – how to build a Trusted Utilities Disk and use it to collect volatile information
  • Manual and Automated Imaging and Acquisition – using the Mac to safely image media both manually and with PALADIN
  • Imaging Mac RAM – exercises in imaging Mac RAM and recovering passwords
  • Verifying and Safely Mounting Forensic Images – safely mounting forensic images for processing
  • Indexing Forensic Images – how to index forensic images using macOS
  • Search Techniques Using macOS – creating custom search expressions from the command-line and GUI
  • Locating Evidence (Email, Graphics, Internet Artifacts, Documents, System Artifacts, Instant Messaging, logs and more) – identifying Mac artifacts in the file system
  • Recovering Deleted Files – an exercise in manually recovering deleted files and the dangers of Mac optimization
  • Examining SQLite Databases and PLIST files – examining the heart of Mac data storage
  • Using macOS for Forensics – how to utilize built-in macOS technology for forensics
  • Report Development – how to create native reports using the Mac to properly view data
  • Examining iOS Devices Artifacts – identifying and examining iOS artifacts found on a Mac
  • Working with NTFS – integrating Mac forensics in a Windows centric forensic lab
  • Review of Recommended Applications – our recommendations for commercial and non-commercial tools to assist with Mac forensics
  • Review of Automated Forensic Tools – our review of current automated Mac forensic tools
  • Recommended Macintosh Hardware Requirements for Forensics – recommendations of hardware for Mac forensics

WHEN: 2021 Dates Coming Soon!

COST: $1,495 US Dollars

COURSE NOTES:

Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks). The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.

HOTEL BOOKING:

The 2021 course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is close to the Orlando International Airport, has a large pool, spacious workout facility and is very close to Disney World and Universal Studios.

CANCELLATION INFO:

If IACIS is unable to hold their 2021 Orlando training event, then all students who have registered and paid will have the option of a full refund or a reserved seat at the 2022 training event. IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled. Anyone who paid for training will receive complimentary membership through the year that their training takes place.