About this Course Course Outline This course aims to enable investigators to investigate the apple devices they encounter. The increasing Topic 1: Mac and iOS Essentials popularity of Apple devices can be seen everywhere, from college reading rooms, television, restaurants to This topic introduces the student to Mac and corporate boardrooms. Dealing with these devices as iOS essentials such as acquisition, timestamps, an investigator is no longer a niche skill. logical , and disk structure. Apple Essentials Learning Outcomes o Mac and iOS Systems • Mac and iOS Fundamentals: How to analyze and o Mac Analysis in a Windows World parse the (HFS+) and o Apple Fundamentals Apple File System (APFS) by hand and recognize the specific domains of the logical file system and Mac Essentials and Acquisition Mac-specific file types. o Mac File System Domains • User Activity: How to understand and profile o Mac Directory Structures users through their data and preference o Containers and Sandboxes configurations. o Acquisition Pitfalls and Considerations • Advanced Intrusion Analysis and Correlation: How o Hard Drive, Network, and Memory Acquisition to determine how a system has been used or Tools compromised by using the system and user data o Image Mounting Using Open-Source Utilities files in correlation with system log files. • Apple Technologies: How to understand and iOS Essentials and Acquisition analyze many Mac and iOS-specific technologies, o Differences between iOS and macOS including Time Machine, , iCloud, o Security and Document Versions, FileVault, Continuity, and o Jailbreaks FaceTime. o Acquisition Types and Differences o Local and iCloud Backups o Tools for Acquisition and Analysis o Passcode Bypass and Cracking

1 Disks and Partitions Spotlight o Disk Layout o Analysis Methods and Tools o Partition Schemes o Practical Queries o GPT o Portable Artifacts o FileVault o Artifacts Left Behind by Macs o Disk Images o Differences from Various File Systems o CoreStorage o APFS Containers Mac and iOS Triage o Bootcamp o OS Version o Fusion Drives o Device Identifying Data o System Installation Topic 2: File Systems & System Triage o Network Settings o Time Zone and Location Services In this topic, students will learn the basic o User Accounts principles of the primary file system o Managed Devices implemented on MacOS systems. Students will o Mail and Internet Account Settings then use that information to look at a variety of great artifacts that use the file system Most Recently Used (MRUs) and that are different from other operating o Recent iOS Apps systems students have seen in the past. o Recent Folders Rounding out the day, students will review o Recent Applications Mac and iOS triage data. o Recent Documents o Recent Servers File Systems o Recent Files o Overview of HFS+ & APFS o Parsing Methods and Tools o Data Structures o Alias and Bookmark BLOBs o Manual Parsing o NSKeyed Archiver Plist File Manual Parsing o APFS Clones o APFS Snapshots Topic 3: User Data, Configuration, and o APFS Benefits and Caveats Log Analysis o Tool Output and Caveats This topic contains a wide array of information Extended Attributes that can be used to profile and understand o Contents how individuals use their computers. The topic o Analysis also details basic , GUI o Tool Support preferences, and system application data. A o Interesting Attributes basic analysis of system logs can provide a good understanding of how a system was used or File System Events Store Database abused. o Usage o Parsing with Tools o Practical Analysis

For Inquiries, booking and more information, Call Admissions on 0393517236/0783517236 or Email: [email protected] 2 User Data and System Configuration Native Application Fundamentals o Bash History o Locations o Keychains o Snapshots o Printing o Firewall Settings Browser o Sharing Settings o History o Bluetooth o Cache o Autoruns o Syncing o Application Bundles o Private Mode o Software Updates o Data Retention o GUI Settings

Log Parsing and Analysis o Log Basics o Locations and Data Access o Log Formats o Mail Accounts and Configuration o Log Recovery o Attachments o Log Types (Unix, BSM Audit, Apple System Logs o Metadata (ASL) and Unified) o Log Configuration Communication o Analysis Methods and Parsing Tools o iChat/ o FaceTime Timeline Analysis and Data Correlation o SMS o Temporal Context and Timestamps o iMessage o Analysis o Call History o Temporal Changes o Voicemail o System Information and State o Network Analysis and o User Access o Files o Privilege Escalation o Database Analysis o Account Creation/Deletion o Software Installation o Backup Activity o Files o Locational Data o Database Analysis

Topic 4: Application data Analysis o Files This topic will explore the various databases o Database Analysis and other files where data are being stored. o Version Differences o Media Analysis Application Permissions o Privacy Settings , Wallet, Passes o Location Services o Files o Database Analysis

3 iCloud Photos o Synced Accounts o Files o Mobile Documents o Database Analysis o Synced Preferences o iCloud Syncing Malware and Intrusion Analysis Maps o Intrusion Analysis o Files o Java Cache and IDX Files o Database Analysis o File Quarantine o Caveats o XProtect o Gatekeeper Location Data o Routine, WiFi, Cellular Locations Live Response o Files o Live Triage Techniques o Database Analysis o Volatile Data Collection o Tools and Parsing Memory Acquisitions and Analysis o Acquisition Tools o Files o Analysis Tools o Capabilities o Synced Data Password Cracking and Encrypted Containers o Password Shadow Files Third-Party Apps o Cracking Software o Locations o Keychains o Analysis Caveats o FileVault o Data Structure o Encrypted Volumes and Disk Images o Analysis Tools Topic 6: Mac Forensics & Incident Response Topic 5: Advanced Analysis • In-Depth File System Examination Time Machine • File System Timeline Analysis o Backup Settings • Advanced Computer Forensics Methodology o Backup Volumes • Mac Memory Analysis o Snapshot Analysis • File System Data Analysis o Local Snapshots • Metadata Analysis o Encrypted Backups • Recovering Key Mac Files o Mounting and Analysis • Volume and Disk Image Analysis • Advanced Log Analysis and Correlation Document Versions • iDevice Analysis and iOS Artifacts o Versions Metadata o Versions Database Prerequisites o Generations • In-Depth File System Examination o Chunk Storage • File System Timeline Analysis • Advanced Computer Forensics Methodology • Mac Memory Analysis • File System Data Analysis

For Inquiries, booking and more information, Call Admissions on 0393517236/0783517236 or 4 Email: [email protected] • Metadata Analysis • Recovering Key Mac Files • Volume and Disk Image Analysis Target Audience • In-Depth File System Examination • File System Timeline Analysis • Advanced Computer Forensics Methodology • Mac Memory Analysis • File System Data Analysis • Metadata Analysis • Recovering Key Mac Files • Volume and Disk Image Analysis • Analysis of Mac Technologies including Time Machine, Spotlight, and FileVault • Advanced Log Analysis and Correlation • iDevice Analysis and iOS Artifacts

For Inquiries, booking and more information, Call Admissions on 0393517236/0783517236 or Email: [email protected] 5