ax350 cil – macos examinations

Duration: 4 days

Module 1 – Introduction and Course Overview

Module 2 – macOS Overview

• Information on the macOS operating system and APFS file system
• Security of macOS devices including the T2 chips, SIP, and other security protocols
• Key operating system artifacts for macOS (e.g. Finder, File System Events, Sidebar items, Trash Items, Installed Applications)

Module 3 – Starting our Examination

• Encryption issues such as FileVault2
• Methods to brute force FileVault2 using Passware

Module 4 – Log Files

• macOS log files: the unifed logs, configuration files, file/folder permissions, daily logs, USB connection history, and other artifacts to track user access of information.

Module 5 – Knowledge

• The KnowledgeC database
• Tools to extract additional information behind the KnowledgeC.db, e.g.:

Application Usage
Application Activities
Safari Browser History
Device Power Status

Module 6 – Internet Artifacts

• Examinations of browser history artifacts from Safari, Chrome, and Firefox.

Module 7 – User Accounts

• Artifacts: contacts, address books, saved Apple accounts, keychain information, installed applications, and logon/logoff times.

Module 8 – Email

• Recovering artifacts and attachments from data inside default mail application of macOS..

Module 9 – Mac Desktop

• Items stored in the mac Dock, the Menu Bar applications, recently used items, and possibilities of using thumbnails in an investigation.

Module 10 – Time Machine and Snapshots

• The Time Machine and Snapshot functionalities of macOS and the APFS file system and recovering files that may no longer be active.

Module 11 – Cloud Services

• An investigation of data stored on iCloud, OneDrive, and Google Drive.

Module 12 – Cumulative Review

• Practicing the techniques and analyzing the artifacts discussed throughout this course.