FOR518: Mac and iOS Forensic Analysis and Incident Response

Digital forensic investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms, yet most investigators are familiar with Windows-only machines. This consistently updated FOR518 course provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers who have compromised Apple devices.

FORENSICATE DIFFERENTLY!

FOR518: Mac and iOS Forensic Analysis and Incident Response will teach you:
• Mac and iOS Fundamentals: How to analyze and parse the Hierarchical File System (HFS+) and Apple File System (APFS) by hand, and how to recognize the specific domains of the logical file system and Mac-specific file types.
• User and Device Activity: How to understand, profile, and conduct advanced pattern-of-life analysis of users and their devices through their data files and preference configurations.
• Advanced Intrusion Analysis and Correlation: How to determine how a system has been used or compromised by correlating system and user data files with system log files.
• Apple Technologies: How to understand and analyze many Mac- and iOS-specific technologies, including Time Machine, Spotlight, iCloud, Document Versions, FileVault, Continuity, and FaceTime.

FOR518: Mac and iOS Forensic Analysis and Incident Response aims to train a well-rounded investigator by diving deep into forensic and intrusion analysis of Mac and iOS. The course focuses on topics such as the HFS+ and APFS file systems, Mac-specific data files, tracking of user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who completes this course will have the skills needed to take on a Mac or iOS forensics case.

You Will Be Able To
• Parse the HFS+ file system by hand, using only a cheat sheet and a hex editor
• Determine the importance of each file system domain
• Conduct temporal analysis of a system by correlating data files and log analysis
• Profile individuals’ usage of the system, including how often they used it, what applications they frequented, and their personal system preferences
• Determine remote or local data backups, disk images, or other attached devices
• Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
• Analyze and understand Mac metadata and its importance in the Spotlight database, Time Machine, and Extended Attributes
• Develop a thorough knowledge of the Safari Web Browser and Apple Mail applications
• Identify communication with other users and systems through iChat, Messages, FaceTime, Remote Login, Screen Sharing, and AirDrop
• Conduct an intrusion analysis of a Mac for signs of compromise or malware infection
• Acquire and analyze memory from Mac systems
• Acquire and analyze iOS devices in-depth

6 Day Program | 36 CPEs | Laptop Required
IMPORTANT NOTE: MAC HARDWARE REQUIRED

“It was very interesting to learn that certain ‘forensic’ tools could report data as being encrypted even though one could still get other data.” — Gary Titus, Stroz Friedberg LLC

“Within the first two days of training, I had enough knowledge to go back to work and solve two outstanding issues.” — Beau G., Information Systems Solutions

sans.org/for518
Course formats: Online, In-Person

GIME iOS and macOS Examiner
giac.org/gime

The GIME certification validates a practitioner’s knowledge of Mac and iOS computer forensic analysis and incident response skills. GIME-certified professionals are well-versed in traditional investigations as well as intrusion analysis scenarios for compromised Apple devices.
• Mac and iOS File Systems, System Triage, User and Application Data Analysis
• Mac and iOS Incident Response, Malware, and Intrusion Analysis
• Mac and iOS Memory Forensics and Timeline Analysis