ICAC-MFA Class List
ICAC-Cybercop 325 - Macintosh® Forensic Analysis
This course is funded through OJJDP. To register for this class, you must be affiliated with an ICAC Task Force. Furthermore, you must agree to comply with the Best Practices and Standards established by ICAC. If you have any questions about the ICAC Best Practices and Standards, please contact your ICAC commander.
This 4 day course begins by detailing the
partitioning schemes (including Apple® Partition Map, GUID Partition Table, and
Master Boot Record) supported by Mac OS X®. Next is an examination of the HFS+
file system to understand how Mac OS X’s® default file system stores data, what
changes occur when data is deleted, and how to recover deleted data. Focus will
then shift to the forensic analysis of Mac OS X® operating system and
application artifacts. Topics covered will include the Mac OS X® default folder
structure, system configuration, recently opened files and applications,
handling encryption issues, built-in applications artifacts (Safari®, Mail,
Messages®, iTunes®, FaceTime®, iPhoto®, Time Machine®, etc), and popular third
party applications artifacts (Chrome, FireFox, Skype, etc)
This course is designed for students who already have a solid understanding of computer forensic principles, have prior experience preserving and collecting data of evidentiary value from an Apple® Macintosh® computer, and are already comfortable navigating and using Mac OS X®. Students will use Mac OS X® and other third party tools, both free and commercial, currently in use by practitioners in the field.
PREREQUISITES: This course requires the student to have successfully completed Cybercop 215 – Macintosh® Triage and Imaging or have equivalent training and/or experience.
There are currently no scheduled classes for this course. If you are interested in knowing when the next class might be offered
or would like more information in general please see the training contact information on this page.
Back to List