This specialist-level course is for experienced forensic investigators whose role requires them to expertly examine Apple devices, giving them knowledge and confidence in handling the data and forensic evidence in Mac OS X and iOS environments.


Apple is becoming increasingly popular and as a consequence, computers running Mac OS X operating systems are increasingly becoming the subject of forensic investigation.

This three-day course concentrates on identifying what is, how can I find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective using hands-on exercises to demonstrate and reinforce understanding.


Completion of the 7Safe CFIP course is highly recommended. Otherwise you will need:

  • Knowledge of the principles and guidelines surrounding forensic investigation
  • Basic knowledge of data structures, e.g. binary and hexadecimal

Who should attend?

Forensic practitioners, systems administrators and cyber investigators who want to extend their experience with Window-based systems to the Mac OS X and iOS environments.


Delegates will learn how to


  • You will learn the underlying data structures of Apple devices and the many forensic artefacts specific to Mac OS X and iOS.
  • You will practice using real life examples to identify, find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s perspective


This course will give you the opportunity to:

  • Learn effective techniques for the identification and interpretation of forensic artefacts on OS X and iOS devices
  • Understand Apple disk partitioning and develop confidence when identifying and isolating artefacts from Apple devices
  • Improve your ability to respond effectively to a wider range of forensic incidents



  1. Apple device and OS development
  2. Review of forensics methodology and best practice
  3. Pro’s and con’s of using Windows based forensic software
  4. Latest OS X features
  5. Data structures - Plists & SQLite & Base64
  6. Seizure and imaging
  7. Disk Partitioning – APM & GPT
  8. Apple File Systems
  9. HFS+ in detail from a forensic perspective
  10. File Vault - encryption
  11. System Configuration
  12. User Accounts
  13. Log Files
  14. Printing
  15. Trash
  16. Popular Apps – E-mail, iMessage, iWorks
  17. Safari – Web browser
  18. Time Machine
  19. Introduction to iOS
  20. Seizure & Imaging (iPhone / iPad)
  21. Device specific artefacts
  22. iOS device backups
  23. Virtual machines
    1. Identifying, extracting and investigating virtual machines such as Parallels and VMWare Fusion
  24. OS X Versions
    1. How file versioning works, where they are stored and their forensic value
  25. Live data capture
    1. How to capture live data from a machine running OS X