December 3, 2018 - December 7, 2018

This course shows you how and why you are missing evidence when using Windows-based tools, and how to find what is missed by using a Mac to process a Mac.

This course was developed to provide vendor-neutral and tool-agnostic training that covers the process of examining a Macintosh computer from the first step to the last step in logical order. The course was designed for both the beginner and the advanced Mac examiner. Surprising to most is that the entire course is taught using a Mac to examine a Mac without the use of expensive automated forensic tools. Even more surprising is that the participants realize that they can find more evidence and find it faster! Additionally, this course was designed with the understanding that many agencies are dealing with limited budgets.

Topics include but are not limited to:

  • Overview of macOS Versions – identifies features of forensic importance in different macOS versions and when they appeared
  • Understanding the Mac File System Technology – a review of all file system technology supported by macOS such as APFS, Core Storage, Fusion Drives and macOS Extended
  • Intel Mac Technology and Boot Camp – explains the forensic significance of Mac Intel Technology
  • Mac Security Issues and FileVault Attacks – current best practices for dealing with Mac Security
  • Macintosh Search and Seizure – best practices for seizing Mac and iOS hardware
  • Safely Obtaining System Information – how to safely obtain system information without making changes to the evidence
  • Bypassing Open Firmware Passwords – explains OFP, how to remove OFP and whether it is necessary
  • Volatile Data Collection – how to build a Trusted Utilities Disk and use it to collect volatile information
  • Manual and Automated Imaging and Acquisition – using the Mac to safely image media both manually and with PALADIN
  • Imaging Mac RAM – exercises in imaging Mac RAM and recovering passwords
  • Verifying and Safely Mounting Forensic Images – safely mounting forensic images for processing
  • Indexing Forensic Images – how to index forensic images using macOS
  • Search Techniques Using macOS – creating custom search expressions from the command line and GUI
  • Locating Evidence (Email, Graphics, Internet Artifacts, Documents, System Artifacts, Instant Messaging, logs and more) – identifying Mac artifacts in the file system
  • Recovering Deleted Files – an exercise in manually recovering deleted files and the dangers of Mac optimization
  • Examining SQLite Databases and PLIST files – examining the heart of Mac data storage
  • Using macOS for Forensics – how to utilize built-in macOS technology for forensics
  • Report Development – how to create native reports using the Mac to properly view data
  • Examining iOS Devices Artifacts – identifying and examining iOS artifacts found on a Mac
  • Working with NTFS – integrating Mac forensics in a Windows-centric forensic lab
  • Review of Recommended Applications – our recommendations for commercial and non-commercial tools to assist with Mac forensics
  • Review of Automated Forensic Tools – our review of current automated Mac forensic tools
  • Recommended Macintosh Hardware Requirements for Forensics – recommendations of hardware for Mac forensics


Singapore