Loading Events

« All Events

MFSC-101: Online, Eastern Standard Time

February 9, 2026 - February 13, 2026
$3,199.00
MFSC-101 250203ON Event Banner v2

Best Practices in Mac Forensics will be presented by SUMURI from February 09 – 13, 2026, 8:00 AM to 5:00 PM EST.

SUMURI’s Macintosh Forensic Survival Course (MFSC-101) provides vendor-neutral training that covers the process of examining a Macintosh computer from the first step to the last step in logical order.

MFSC-101 is designed for both the beginner Mac examiner as well as the advanced. The knowledge you gain can be applied to any forensic tool on any platform. No sales pitch, just Mac forensics!

 

MFSC-101 is the first of the two prerequisite courses required for the Certified Forensic Mac Examiner (CFME). Learn more about our training courses and how to become a CFME: https://sumuri.com/mac-training/

Start your journey to certification and elevate your expertise today!

Item #2

Students will gain a foundational understanding of macOS file systems, focusing on the key differences between APFS and HFS+ and how they compare to non-Mac formats like exFAT and NTFS. The module covers challenges unique to analyzing each format, including how macOS handles volume management with technologies like synthesized disks, Core Storage, and Fusion Drives. This knowledge is essential for interpreting file structures and ensuring accurate evidence collection and analysis.

Learn the differences between APFS, HFS+, and other formats, along with challenges in analyzing each and related technologies like synthesized disks, Core Storage, and Fusion Drives.
Understand Intel-based Mac architecture, its differences from Apple Silicon, and forensic considerations for Secure Enclave, Secure Boot, Bootcamp, and virtualization.
Examine Apple Silicon architecture, security features, imaging challenges, and how to properly seize and analyze these newer devices.
Explore macOS security layers including Secure Enclave, Secure Boot, FileVault, and user permissions, plus examiner techniques for working within these constraints.
Learn seizure procedures to protect against risks like remote wipe, user traps, and evidence loss, with a step-by-step on-scene process.
Identify system details such as macOS version, hardware type, and security settings to guide acquisition decisions for live and powered-down Macs.
Understand challenges in modern RAM capture and learn alternative methods for collecting valuable live-response data before it is lost.
Gain hands-on experience performing logical and physical imaging, selecting source disks, and using free tools to acquire data securely.
Safely mount images to preserve evidence while enabling access to indexed data and macOS-native search tools.
Use macOS indexing and search from both GUI and command line to locate evidence quickly and efficiently.
Learn to locate, analyze, and extract data from Apple’s native apps, building skills for unsupported or unfamiliar artifacts.
Test recovery methods while understanding the impact of APFS, TRIM, encryption, and hardware limitations on file recovery.
Locate and analyze these key artifacts with proper tools, SQL queries, and PLIST conversion techniques.
Create high-quality, native-format reports using macOS tools to present artifacts accurately and clearly.

Secure Your Spot – Limited Seats Available!

Item #2

Understanding the Mac File System Technology

A review of all file system technology supported by macOS such as APFS, Core Storage, Fusion Drives, and macOS Extended.

Intel Mac Technology and Bootcamp

Explains the forensic significance of Mac Intel Technology

Silicon Mac Technology

Explains the unique issues and forensic significance of M1 Silicon Technology

Mac Security Issues and FileVault Attacks

Current best practices for dealing with Mac Security

Macintosh Search and Seizure

Best practices for seizing Mac and iOS hardware

Safely Obtaining System Information

How to safely obtain system information without making changes to the evidence

Open Firmware Passwords

Explains OFP, how to set and remove OFP if it is necessary

Volatile Data Collection

Discussion on unique issues concerning Mac Volatile Data, methods to collect it, and the need for a Trusted Utilities Disk

Forensic Imaging

Discussion and exercises on imaging Intel and M1 Silicon Macs to include issues present by Mac security features

Imaging Mac RAM

Discussion on the challenges in capturing RAM due to macOS security features

Mounting Forensic Images in the macOS

Safely mounting forensic images for Processing and analysis

Indexing Forensic Images

How to index forensic images using macOS

Search Techniques Using macOS

Creating custom search expressions 
from the command-line and GUI

Locating Evidence

How to identify, analyze and extract macOS and application artifacts such as Email, Graphics, Internet Artifacts, Documents, System Artifacts, Instant Messaging, logs, and more

Recovering Deleted Files

An exercise in manually recovering deleted files and the dangers of Mac optimization

Examining SQLite Databases and PLIST files

Examining the heart of Mac data storage

Using macOS for Forensics

How to utilize built-in macOS technology for forensics

Report Development

How to create native reports using the Mac to view data properly

Recommendations for Mac Forensics system configuration and hardware

Our recommendations for commercial and non-commercial tools to assist with Mac forensics.

Secure Your Spot – Limited Seats Available!

Details

Start:
February 9, 2026
End:
February 13, 2026
Cost:
$3,199.00
Event Categories:
,

Tickets

The numbers below include tickets for this event already in your cart. Clicking "Get Tickets" will allow you to edit any existing attendee information as well as change ticket quantities.
MFSC-101 260209ON
This MFSC-101 US Eastern Online Course is open for registration and will be taught in the US Eastern Standard Time. Visit our website for more information.
$ 3,199.00
24 available
Scroll to Top