MODULE 1: INTRODUCTION AND COURSE OVERVIEW
- This module will introduce the course to students as well as cover the scenario that will be followed over the four-day training.
MODULE 2: MACOS OVERVIEW
- This module will walk through information on the macOS operating system and APFS file system. Including changes to the security of macOS devices including the T2 chips, SIP, and other security protocols being used by Apple. Students will also discuss proper handling techniques for macOS devices.
- Several key operating system artifacts for macOS will be covered including Finder, File System Events, Sidebar items, Trash Items, Installed Applications, and more.
MODULE 3: STARTING OUR EXAMINATION
- In this module students will discuss encryption issues such as FileVault2 and methods that can be taken to brute force this technology using Passware.
MODULE 4:LOG FILES
- This module will cover several macOS log files such as the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other key logging artifacts to track user access of information.
MODULE 5: KNOWLEDGEC
- Having access to precise and granular user and application usage can be extremely useful in a forensic investigation. The KnowledgeC database stores a wealth of information about the macOS usage as well as user activity. Several of the key things tracked in this database will be shown represented as artifacts such as:
- Application Usage
- Application Activities
- Safari Browser History
- Device Power Status
In addition to better understanding KnowledgeC, the powerlog database stored on macOS will be explored to better help examiners validate and understand tracking user behaviors.
MODULE 6: INTERNET ARTIFACTS
- Several browser history artifacts from Safari, Chrome, and Firefox will be examined to assist in the investigation and collection of evidence in furtherance of the investigation being carried out by the students.
- Students will also explore how to use valuable information populated by internet browsers into extended attributes of files.
MODULE 7: USER ACCOUNTS
- Understanding the data specific to a user account can be key in an investigation. This module will cover Artifacts dealing with contacts, address books, saved apple accounts, keychain information, installed applications, and logon/logoff times.
MODULE 8: EMAIL
- The default mail application (Mail.App) stores both email and calendar data inside macOS. This module will discuss how to recover artifacts and attachments from these stored files.
MODULE 9: MAC DESKTOP
- The macOS Desktop stores several valuable artifacts around what a user has been accessing. This module will walk students through looking at the items stored in the mac Dock, the Menu Bar applications, recently used items, and the quick-look thumbnails and how they can be used in an investigation.
- Examiners will also explore the AXIOM artifact Rebuilt Desktop – macOS to get a better visual representation of how these artifacts function to help determine user behaviors.
MODULE 10: TIME MACHINE AND SNAPSHOTS
- Time Machine is a built-in backup methodology for macOS. In this module, students will cover the Time Machine and Snapshot functionalities of macOS and the APFS file system. This information will be valuable in trying to recover files that may no longer be active on the macOS system.
MODULE 11: CLOUD SERVICES
- MacOS users typically have an Apple ID and with it, free iCloud storage. This cloud storage can prove important in an investigation as well as other cloud sources of data such as OneDrive and Google Drive; Understanding how macOS uses these services and what databases control the flow of data between the cloud service and the host computer is imperative to solving these types of investigations.
MODULE 12: CUMULATIVE REVIEW
- A final practical will walk students through practicing the techniques and analyzing the artifacts discussed throughout this course.