This specialist-level course is for experienced forensic investigators whose role requires them to expertly examine Apple devices, giving them knowledge and confidence in handling the data and forensic evidence in Mac OS X and iOS environments.
Apple is becoming increasingly popular and, as a consequence, computers running Mac OS X operating systems are increasingly becoming the subject of forensic investigation.
This three-day course concentrates on how to identify, find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective, using hands-on exercises to demonstrate and reinforce understanding.
Completion of the 7Safe CFIP course is highly recommended. Otherwise you will need:
- Knowledge of the principles and guidelines surrounding forensic investigation
- Basic knowledge of data structures, e.g. binary and hexadecimal
Who should attend?
Forensic practitioners, systems administrators and cyber investigators who want to extend their experience with Windows-based systems to the Mac OS X and iOS environments.
Delegates will learn how to
THE SKILLS YOU WILL LEARN
- You will learn the underlying data structures of Apple devices and the many forensic artefacts specific to Mac OS X and iOS.
- You will practise using real-life examples to identify, find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective.
This course will give you the opportunity to:
- Learn effective techniques for the identification and interpretation of forensic artefacts on OS X and iOS devices
- Understand Apple disk partitioning and develop confidence when identifying and isolating artefacts from Apple devices
- Improve your ability to respond effectively to a wider range of forensic incidents
- Apple device and OS development
- Review of forensics methodology and best practice
- Pros and cons of using Windows-based forensic software
- Latest OS X features
- Data structures – Plists, SQLite and Base64
- Seizure and imaging
- Disk Partitioning – APM & GPT
- Apple File Systems
- HFS+ in detail from a forensic perspective
- FileVault – encryption
- System Configuration
- User Accounts
- Log Files
- Popular Apps – E-mail, iMessage, iWork
- Safari – Web browser
- Time Machine
- Introduction to iOS
- Seizure & Imaging (iPhone / iPad)
- Device specific artefacts
- iOS device backups
- Identifying, extracting and investigating virtual machines such as Parallels and VMware Fusion
OS X Versions
- How file versioning works, where versions are stored and their forensic value
Live data capture
- How to capture live data from a machine running OS X