AX350 CIL – macOS Examinations



This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on macOS and the forensic analysis of devices using the APFS file system and AXIOM. Examiners will investigate a scenario dealing with a misconfigured webserver that allowed hackers to exploit vulnerabilities, gain access to the network to perform nefarious activity and steal intellectual property, and potentially customer data as well.


Duration: 4 days

Module 1 – Introduction and Course Overview

Module 2 – macOS Overview

• Information on the macOS operating system and APFS file system
• Security of macOS devices including the T2 chips, SIP, and other security protocols
• Key operating system artifacts for macOS (e.g. Finder, File System Events, Sidebar items, Trash Items, Installed Applications)

Module 3 – Starting our Examination

• Encryption issues such as FileVault2
• Methods to brute force FileVault2 using Passware

Module 4 – Log Files

• macOS log files: the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other artifacts to track user access of information.

Module 5 – Knowledge

• The KnowledgeC database
• Tools to extract additional information behind the KnowledgeC.db, e.g.:
  • Application Usage
  • Application Activities
  • Safari Browser History
  • Device Power Status

Module 6 – Internet Artifacts

• Examinations of browser history artifacts from Safari, Chrome, and Firefox.

Module 7 – User Accounts

• Artifacts: contacts, address books, saved Apple accounts, keychain information, installed applications, and logon/logoff times.

Module 8 – Email

• Recovering artifacts and attachments from data inside the default mail application of macOS.

Module 9 – Mac Desktop

• Items stored in the Mac Dock, the Menu Bar applications, recently used items, and possibilities of using thumbnails in an investigation.

Module 10 – Time Machine and Snapshots

• The Time Machine and Snapshot functionalities of macOS and the APFS file system and recovering files that may no longer be active.

Module 11 – Cloud Services

• An investigation of data stored on iCloud, OneDrive, and Google Drive.

Module 12 – Cumulative Review

• Practicing the techniques and analyzing the artifacts discussed throughout this course.


  • You will have the knowledge and skills you need to acquire forensic images from computers, tablets, smartphones, and cloud evidence.
  • You will be able to perform a detailed investigation of the macOS operating system.
  • You will know how to recover artifacts from different sources.
  • You will use Magnet AXIOM Examine to explore the evidence in greater depth, simplifying analysis activities by intuitively linking facts and data.
  • You will know how to recover evidence that may no longer be active.
  • You will learn how to extract data stored on cloud services.

what could you

  • Practice and theoretical training
  • Training materials
  • Knowledge about working with macOS devices, shared by forensic experts in the field
  • A certificate of completion

who is the course for?

  • Service employees, policemen and persons with tasks related to computer forensics within the scope of their duties.
  • Forensic analysts.
  • Court experts, people responsible in corporations for responding to IT incidents, IT security specialists.
  • Employees of IT security and SOC departments in companies.

Dariusz Hajka
Key Account Manager