Learn to interpret OS X dates and times.
Welcome to the Surviving Digital Forensics series. This class is focused on helping you get a better understanding of OS X Time Stamps and to become a better Mac examiner.
As with previous SDF classes you will learn by doing. The class begins with a brief overview of OS X time – as Apple sees it – then we will get into a number of validation exercises to see how user activity really affects Apple time stamps. Learning is hands on and we will use applications already installed on your Mac to do so.
Expert and novice Mac examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply to all versions of OS X. Therefore you are not just going to learn about OS X timestamps but learn a method you can use to answer many date and time questions that may come up in the future.
- Students will learn about OS X timestamps as Apple defines them
- Students will learn how OS X timestamps really behave by doing a number of instructor lead validation exercises that address the affects of common user activity
- Students will learn how to use the Terminal.app in order to find OS X date & time attributes
- Students will learn a validation methodology which may be applied to answer future date and time attribute questions
- Students will learn a validation methodology which may be applied to different versions of OS X
- Beware of latency issues!
- Validation Exercise – Creating a file
- Validation Exercise – Editing a file
- Validation Exercise – Accessing a file
- Validation Exercise – Moving a file within the same volume
- Validation Exercise – Moving a file to a different volume
- Validation Exercise – Downloading a file
- Validation Exercise – Deleting a file
- Summary of OS X Timestamp Findings