This specialist-level course is for experienced forensic investigators whose role requires them to expertly examine Apple devices, giving them knowledge and confidence in handling the data and forensic evidence in Mac OS X and iOS environments.


Apple is becoming increasingly popular and as a consequence, computers running Mac OS X operating systems are increasingly becoming the subject of forensic investigation.

This three-day course concentrates on identifying what is, how can I find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective using hands-on exercises to demonstrate and reinforce understanding.

Read more


Completion of the 7Safe CFIP course is highly recommended. Otherwise you will need:

  • Knowledge of the principles and guidelines surrounding forensic investigation
  • Basic knowledge of data structures, e.g. binary and hexadecimal

Who should attend?

Forensic practitioners, systems administrators and cyber investigators who want to extend their experience with Window-based systems to the Mac OS X and iOS environments.


Read more

Delegates will learn how to


  • You will learn the underlying data structures of Apple devices and the many forensic artefacts specific to Mac OS X and iOS.
  • You will practice using real life examples to identify, find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective


This course will give you the opportunity to:

  • Learn effective techniques for the identification and interpretation of forensic artefacts on OS X and iOS devices
  • Understand Apple disk partitioning and develop confidence when identifying and isolating artefacts from Apple devices
  • Improve your ability to respond effectively to a wider range of forensic incidents
Read more



  1. Apple device and OS development
  2. Review of forensics methodology and best practice
  3. Pro’s and con’s of using Windows based forensic software
  4. Latest OS X features
  5. Data structures - Plists & SQLite & Base64
  6. Seizure and imaging
  7. Disk Partitioning – APM & GPT
  8. Apple File Systems
  9. HFS+ in detail from a forensic perspective
  10. File Vault - encryption
  11. System Configuration
  12. User Accounts
  13. Log Files
  14. Printing
  15. Trash
  16. Popular Apps – E-mail, iMessage, iWorks
  17. Safari – Web browser
  18. Time Machine
  19. Introduction to iOS
  20. Seizure & Imaging (iPhone / iPad)
  21. Device specific artefacts
  22. iOS device backups
  23. Virtual machines
    1. Identifying, extracting and investigating virtual machines such as Parallels and VMWare Fusion
  24. OS X Versions
    1. How file versioning works, where they are stored and their forensic value
  25. Live data capture
    1. How to capture live data from a machine running OS X
Read more

Why choose QA

Frequently asked questions

See all of our FAQs

How can I create an account on myQA.com?

There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.

If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".

If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.

Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.

How do QA’s virtual classroom courses work?

Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.

We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.

Learn more about our Virtual Classrooms.

How do QA’s online courses work?

QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.

All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.

Learn more about QA’s online courses.

When will I receive my joining instructions?

Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.

When will I receive my certificate?

Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.

Contact Us

Please contact us for more information