MFSC-101: Online, Eastern Standard Time
Best Practices in Mac Forensics will be presented by SUMURI from February 09 – 13, 2026, 8:00 AM to 5:00 PM EST.
SUMURI’s Macintosh Forensic Survival Course (MFSC-101) provides vendor-neutral training that covers the process of examining a Macintosh computer from the first step to the last step in logical order.
MFSC-101 is designed for both the beginner Mac examiner as well as the advanced. The knowledge you gain can be applied to any forensic tool on any platform. No sales pitch, just Mac forensics!
MFSC-101 is the first of the two prerequisite courses required for the Certified Forensic Mac Examiner (CFME). Learn more about our training courses and how to become a CFME: https://sumuri.com/mac-
Start your journey to certification and elevate your expertise today!
Item #2
Topics to include but are not limited to:
Students will gain a foundational understanding of macOS file systems, focusing on the key differences between APFS and HFS+ and how they compare to non-Mac formats like exFAT and NTFS. The module covers challenges unique to analyzing each format, including how macOS handles volume management with technologies like synthesized disks, Core Storage, and Fusion Drives. This knowledge is essential for interpreting file structures and ensuring accurate evidence collection and analysis.
Learn the differences between APFS, HFS+, and other formats, along with challenges in analyzing each and related technologies like synthesized disks, Core Storage, and Fusion Drives.
Understand Intel-based Mac architecture, its differences from Apple Silicon, and forensic considerations for Secure Enclave, Secure Boot, Bootcamp, and virtualization.
Examine Apple Silicon architecture, security features, imaging challenges, and how to properly seize and analyze these newer devices.
Explore macOS security layers including Secure Enclave, Secure Boot, FileVault, and user permissions, plus examiner techniques for working within these constraints.
Learn seizure procedures to protect against risks like remote wipe, user traps, and evidence loss, with a step-by-step on-scene process.
Identify system details such as macOS version, hardware type, and security settings to guide acquisition decisions for live and powered-down Macs.
Understand challenges in modern RAM capture and learn alternative methods for collecting valuable live-response data before it is lost.
Gain hands-on experience performing logical and physical imaging, selecting source disks, and using free tools to acquire data securely.
Safely mount images to preserve evidence while enabling access to indexed data and macOS-native search tools.
Use macOS indexing and search from both GUI and command line to locate evidence quickly and efficiently.
Learn to locate, analyze, and extract data from Apple’s native apps, building skills for unsupported or unfamiliar artifacts.
Test recovery methods while understanding the impact of APFS, TRIM, encryption, and hardware limitations on file recovery.
Locate and analyze these key artifacts with proper tools, SQL queries, and PLIST conversion techniques.
Create high-quality, native-format reports using macOS tools to present artifacts accurately and clearly.