Apple® Forensic Investigations


Price: $3,300.

Location: Virtual Instructor Led

More Info


Through hands-on learning and case-based scenarios, the student will learn from experts how to perform analysis of specific data artifacts that exist within Apple’s devices, including operating system and file system artifacts. This course will guide the student through the most important macOS and iOS device areas. The macOS and iOS operating systems, HFS+ and APFS file systems and significant application
data are explored throughout the class.


Upon concluding this course, the student will have reviewed up to three different case scenarios covering various file system, operating system and application artifacts relevant to real-life cases. Analysis methodologies are covered via hands-on work with actual data and instructor-led exercises. Knowledge is validated with an individual written and practical assessment. Through an interactive, hands-on approach, the student will gain a strong familiarity of macOS and iOS artifacts and the confidence with which to conduct thorough examinations.

  • Extensible Firmware Interface
    • EFI/Open Firmware
    • Boot Procedure
    • Safe Sleep
  • Triageand Imaging
    • Approaching a Live Running Mac
    • Gathering System Data
    • Booting and Imaging,T2 systems
    • RAM Collection
  • System Overview
    • macOS Overview
      • APFS, HFS+
      • Bootcamp
    • SQLite and plist files
      • What are they?
      • Why are they important?
      • Using SQL queries
  • DatesandTimes
    • macOS Date and Time attributes
/* Omit closing PHP tag at the end of PHP files to avoid "headers already sent" issues. */