This course teaches
students to identify and collect volatile data, acquire forensically-sound
images of Apple Macintosh computers, and perform forensic analysis of macOS
operating system and application artifacts. Students gain hands-on experience
scripting and using automated tools to conduct a simulated live triage, and use
multiple methods to acquire forensically-sound images of Apple Macintosh
computers. Topics include how the macOS default file system stores data, what
happens when files are sent to the macOS Trash, where operating system and
application artifacts are stored, and how they can be analyzed. Forensic
artifacts covered include password recovery, recently-opened files and
applications, encryption handling, Mail, Safari, Messages, FaceTime, Photos,
Chrome, and Firefox.
Performing live triage. Preserving data from systems in different states. Commands for collecting non-persistent data. Introduction to shell scripting.
Macintosh imaging. Manual and automated imaging methods. Identify imaging challenges.
Processing basics. Mounting images; viewing hidden files; the standard OS X directory structure.
Partitioning schemes. Apple Partition Map, GUID Partition Table, Master Boot Record.
HFS+. Structure of an HFS+ formatted storage volume and how files and directories are tracked and saved.
Operating system and application
This is an advanced course, intended for
digital forensic examiners who have experience working with macOS, and
experience preserving and collecting data of evidentiary value.
NW3C recommends that students complete the following courses before
registering for Advanced Digital Forensic Analysis: macOS.
All classes are subject to
cancellation up to 45 days before the start of class if the minimum class
registration threshold is not met.