AX350 Magnet AXIOM macOS Examinations (13-16 April 2021)

Date:13-16 April 2021

Price: $3,199.00 excl. Tax

Location: Live online

Time: 9:00 am - 5:00 pm CDT

Presented by Hoyt HarnessDoug Estes

Description

This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on macOS and the forensic analysis of devices using the APFS file system and AXIOM.  Examiners will investigate a scenario dealing with a misconfigured web server that allowed hackers to exploit vulnerabilities and gain access to the network to perform a nefarious activity and steal intellectual property and potentially customer data as well.

What to Expect

Hear directly from Christopher Vance, Manager of Curriculum Development at Magnet Forensics, about why you should take our Magnet AXIOM macOS Examinations (AX350) course, what you can expect when you take it, and what type of real-life experience he brings to the classroom.

Course Prerequisites

Because AX350 is an expert-level course, it is strongly recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the Macintosh based forensic artifacts and investigations in AX350. Click Here to find out more about AX200.

Course Modules

 

MODULE 1: INTRODUCTION AND COURSE OVERVIEW

  • This module will introduce the course to students as well as cover the scenario that will be followed over the four-day training.

MODULE 2: MACOS OVERVIEW

  • This module will walk through information on the macOS operating system and APFS file system. Including changes to the security of macOS devices including the T2 chips, SIP, and other security protocols being used by Apple. Students will also discuss proper handling techniques for macOS devices.
  • Several key operating system artifacts for macOS will be covered including Finder, File System Events, Sidebar items, Trash Items, Installed Applications, and more.

MODULE 3: STARTING OUR EXAMINATION

  • In this module students will discuss encryption issues such as FileVault2 and methods that can be taken to brute force this technology using Passware.

MODULE 4:LOG FILES

  • This module will cover several macOS log files such as the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other key logging artifacts to track user access of information.

MODULE 5: KNOWLEDGEC

  • Having access to precise and granular user and application usage can be extremely useful in a forensic investigation. The KnowledgeC database stores a wealth of information about the macOS usage as well as user activity. Several of the key things tracked in this database will be shown as well as open source tools to extract additional information behind the KnowledgeC.db. Some of the information gleaned from the KnowledgeC.db is:
    • Application Usage
    • Application Activities
    • Safari Browser History
    • Device Power Status

MODULE 6: INTERNET ARTIFACTS

  • Several browser history artifacts from Safari, Chrome, and Firefox will be examined to assist in the investigation and collection of evidence in furtherance of the investigation being carried out by the students.

MODULE 7: USER ACCOUNTS

  • Understanding the data specific to a user account can be key in an investigation. This module will cover Artifacts dealing with contacts, address books, saved apple accounts, keychain information, installed applications, and logon/logoff times.

MODULE 8: EMAIL

  • The default mail application (Mail.App) stores both email and calendar data inside macOS. This module will discuss how to recover artifacts and attachments from these stored files.

MODULE 9: MAC DESKTOP

  • The macOS Desktop stores several valuable artifacts around what a user has been accessing. This module will walk students through looking at the items stored in the mac Dock, the Menu Bar applications, recently used items, and the quick-look thumbnails and how they can be used in an investigation.

MODULE 10: TIME MACHINE AND SNAPSHOTS

  • Time Machine is a built-in backup methodology for macOS.  In this module, students will cover the Time Machine and Snapshot functionalities of macOS and the APFS file system. This information will be valuable in trying to recover files that may no longer be active on the macOS system.

MODULE 11: CLOUD SERVICES

  • MacOS users typically have an Apple ID and with it, free iCloud storage. This cloud storage can prove important in an investigation as well as other cloud sources of data such as OneDrive and Google Drive.  Understanding how macOS uses these services and wht databases control the flow of data between the cloud service and the host computer is imperative to solving these types of investigations.

MODULE 12: CUMULATIVE REVIEW

  • A final practical will walk students through practicing the techniques and analyzing the artifacts discussed throughout this course.
/* Omit closing PHP tag at the end of PHP files to avoid "headers already sent" issues. */