AX350 CIL – macOS Examinations
Duration: 4 days
Module 1 – Introduction and Course Overview
Module 2 – macOS Overview
• Information on the macOS operating system and APFS file system
• Security of macOS devices including the T2 chips, SIP, and other security protocols
• Key operating system artifacts for macOS (e.g. Finder, File System Events, Sidebar items, Trash Items, Installed Applications)
Module 3 – Starting our Examination
• Encryption issues such as FileVault2
• Methods to brute force FileVault2 using Passware
Module 4 – Log Files
• macOS log files: the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other artifacts to track user access to information.
Module 5 – Knowledge
• The KnowledgeC database
• Tools to extract additional information behind the KnowledgeC.db, e.g.:
  • Safari Browser History
  • Device Power Status
Module 6 – Internet Artifacts
• Examinations of browser history artifacts from Safari, Chrome, and Firefox.
Module 7 – User Accounts
• Artifacts: contacts, address books, saved Apple accounts, keychain information, installed applications, and logon/logoff times.
Module 8 – Email
• Recovering artifacts and attachments from data inside the default mail application of macOS.
Module 9 – Mac Desktop
• Items stored in the Mac Dock, the Menu Bar applications, recently used items, and possibilities of using thumbnails in an investigation.
Module 10 – Time Machine and Snapshots
• The Time Machine and Snapshot functionalities of macOS and the APFS file system and recovering files that may no longer be active.
Module 11 – Cloud Services
• An investigation of data stored on iCloud, OneDrive, and Google Drive.
Module 12 – Cumulative Review
• Practicing the techniques and analyzing the artifacts discussed throughout this course.
- You will have the knowledge and skills needed to acquire forensic images from computers, tablets, smartphones, and cloud evidence.
- You will be able to perform a detailed investigation of the macOS operating system.
- You will know how to recover artifacts from different sources.
- You will use Magnet AXIOM Examine to explore the evidence in greater depth, simplifying analysis activities by intuitively linking facts and data.
- You will know how to get evidence that may no longer be active.
- You will learn how to extract data stored on cloud services.
what could you
- Practice and theoretical training
- Training materials
- Knowledge about working with macOS devices, shared by forensic experts in the field
- A certificate of completion
who is the
- Service employees, policemen and persons with tasks related to computer forensics within the scope of their duties.
- Forensic analysts.
- Court experts, people responsible in corporations for responding to IT incidents, IT security specialists.
- Employees of IT security and SOC departments in companies.