Cybercop 325 - Macintosh Forensic Analysis (Mar 2018)

    Event Type: 
    Training Delivery - Classroom Training/Onsite
    Tuesday Mar 13, 2018 - 08:00am EDT to Friday Mar 16, 2018 - 05:00pm EDT
    Event Description: 

    The "Cybercop (CC) 325 - Macintosh Forensic Analysis" (MFA) course provides the fundamental knowledge and skills necessary to identify and collect volatile data, acquire forensically sound images of Apple Macintosh computers, and perform forensic analysis of macOS operating system and application artifacts. Students gain hands-on experience scripting and using automated tools to conduct a simulated live triage. Students will use multiple methods to acquire forensically sound images of Apple Macintosh computers and identify unique challenges that this task may present. Students will also learn how the macOS's default file system stores data, what happens when files are sent to the macOS Trash, where operating system and application artifacts are stored, and how they can be analyzed. The forensic artifacts covered include password recovery, recently opened files and applications, encryption handling, Mail, Safari, Messages, FaceTime, Photos, Chrome, and Firefox.

    Course structure:

    • Performing live triage. Learn how to preserve data from systems in different states, use commands for collecting non-persistent data, and perform basic shell scripting.
    • Macintosh imaging. Understand manual and automated imaging methods and how to identify imaging challenges.
    • Processing basics. Explore mounting images, viewing hidden files, and the standard OS X directory structure.
    • Partitioning schemes. Learn about the Apple Partition Map, GUID Partition Table, and Master Boot Record.
    • Hierarchical File System+ (HFS+). Gain experience with the structure of an HFS+ formatted storage volume and how files and directories are tracked and saved.
    • Operating system artifacts. Understand artifacts such as trash, login passwords, keychains, system logs, OS X-related property lists, and FileVault.
    • Application artifacts. Use Mail, Contacts, Safari, Calendar, Reminders, Notes, Messages, FaceTime, Photos, Chrome, FireFox, and Skype.

    MFA is a four-day classroom course.

    Prerequisites:

    • "Cyber Investigations 106 – Apple Introduction" online course.
    • "CC 201 – Digital Evidence Examination and Processing" classroom course.
    • Equivalent training and/or experience may substitute for the prerequisite.
    Location: 
    2010 West Encanto Boulevard Mail Drop 3900
    Phoenix, AZ 85009
    United States
    See map: Google Maps
    Event URL: 
    Cybercop 325 - Macintosh Forensic Analysis
    Event Cost Information
    AmountDescription
    $0.00
    Free to Law Enforcement
    Space Available: 
    30 seats
    Organizer Information
    Provider: 
    National White Collar Crime Center
    Event POC: 
    Glenda Humphrey
    Event POC Email: 
    ghumphrey@nw3c.org
    Event POC Phone: 
    8776287674
    Category: 
    Training
    Program Areas: 
    Justice Information Sharing
    Law Enforcement