Cybercop 325 - Macintosh Forensic Analysis (Mar 2018)

Tuesday Mar 13, 2018 - 08:00am EDT to Friday Mar 16, 2018 - 05:00pm EDT
Event Description: 

The "Cybercop (CC) 325 - Macintosh Forensic Analysis" (MFA) course provides the fundamental knowledge and skills necessary to identify and collect volatile data, acquire forensically sound images of Apple Macintosh computers, and perform forensic analysis of macOS operating system and application artifacts. Students gain hands-on experience scripting and using automated tools to conduct a simulated live triage. Students will use multiple methods to acquire forensically sound images of Apple Macintosh computers and identify unique challenges that this task may present. Students will also learn how the macOS's default file system stores data, what happens when files are sent to the macOS Trash, where operating system and application artifacts are stored, and how they can be analyzed. The forensic artifacts covered include password recovery, recently opened files and applications, encryption handling, Mail, Safari, Messages, FaceTime, Photos, Chrome, and Firefox.

Course structure:

  • Performing live triage. Learn how to preserve data from systems in different states, use commands for collecting non-persistent data, and perform basic shell scripting.
  • Macintosh imaging. Understand manual and automated imaging methods and how to identify imaging challenges.
  • Processing basics. Explore mounting images, viewing hidden files, and the standard OS X directory structure.
  • Partitioning schemes. Learn about the Apple Partition Map, GUID Partition Table, and Master Boot Record.
  • Hierarchical File System+ (HFS+). Gain experience with the structure of an HFS+ formatted storage volume and how files and directories are tracked and saved.
  • Operating system artifacts. Understand artifacts such as trash, login passwords, keychains, system logs, OS X-related property lists, and FileVault.
  • Application artifacts. Use Mail, Contacts, Safari, Calendar, Reminders, Notes, Messages, FaceTime, Photos, Chrome, FireFox, and Skype.

MFA is a four-day classroom course.


  • "Cyber Investigations 106 – Apple Introduction" online course.
  • "CC 201 – Digital Evidence Examination and Processing" classroom course.
  • Equivalent training and/or experience may substitute for the prerequisite.
2010 West Encanto Boulevard Mail Drop 3900
Phoenix, AZ 85009
United States
Event Cost Information
Free to Law Enforcement
Space Available: 
30 seats
Organizer Information
Event POC: 
Glenda Humphrey
Event POC Email: 
Event POC Phone: