This training is intended for LAW ENFORCEMENT personnel:
those who are directly attached to or work in support of a law enforcement
agency. Please register using your agency-issued email.
This course teaches students to identify and
collect volatile data, acquire forensically-sound images of Apple Macintosh
computers, and perform forensic analysis of macOS operating system and
application artifacts. Students gain hands-on experience scripting and using
automated tools to conduct a simulated live triage, and use multiple methods to
acquire forensically-sound images of Apple Macintosh computers. Topics include
how the macOS default file system stores data, what happens when files are sent
to the macOS Trash, where operating system and application artifacts are stored,
and how they can be analyzed. Forensic artifacts covered include password
recovery, recently-opened files and applications, encryption handling, Mail,
Safari, Messages, FaceTime, Photos, Chrome, and Firefox.
Performing live triage. Preserving data
from systems in different states. Commands for collecting non-persistent data.
Introduction to shell scripting.
Macintosh imaging. Manual and automated
imaging methods. Identify imaging challenges.
Processing basics. Mounting
images; viewing hidden files; the standard OS X directory structure.
Partitioning schemes. Apple Partition
Map, GUID Partition Table, Master Boot Record.
HFS+. Structure of an HFS+ formatted
storage volume and how files and directories are tracked and saved.
Operating system and application
This is an advanced course, intended for
digital forensic examiners who have experience working with macOS, and
experience preserving and collecting data of evidentiary value.
NW3C recommends that students complete the following courses before
registering for Advanced Digital Forensic Analysis: macOS.
All classes are subject to
cancellation up to 45 days before the start of class if the minimum class
registration threshold is not met.