This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on macOS and the forensic analysis of devices using the APFS file system and AXIOM. Examiners will investigate a scenario dealing with a misconfigured web server that allowed hackers to exploit vulnerabilities and gain access to the network to perform a nefarious activity and steal intellectual property and potentially customer data as well.
Because AX350 is an expert-level course, it is strongly recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the Macintosh based forensic artifacts and investigations in AX350. Click Here to find out more about AX200.
Hear directly from Christopher Vance, Manager of Curriculum Development at Magnet Forensics, about why you should take our Magnet AXIOM macOS Examinations (AX350) course, what you can expect when you take it, and what type of real-life experience he brings to the classroom.
MODULE 1: INTRODUCTION AND COURSE OVERVIEW
This module will introduce the course to students as well as cover the scenario that will be followed over the four-day training.
MODULE 2: MACOS OVERVIEW
This module will walk through information on the macOS operating system and APFS file system. Including changes to the security of macOS devices including the T2 chips, SIP, and other security protocols being used by Apple. Students will also discuss proper handling techniques for macOS devices.
Several key operating system artifacts for macOS will be covered including Finder, File System Events, Sidebar items, Trash Items, Installed Applications, and more.
MODULE 3: STARTING OUR EXAMINATION
In this module students will discuss encryption issues such as FileVault2 and methods that can be taken to brute force this technology using Passware.
MODULE 4:LOG FILES
This module will cover several macOS log files such as the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other key logging artifacts to track user access of information.MODULE 5: KNO
Having access to precise and granular user and application usage can be extremely useful in a forensic investigation. The KnowledgeC database stores a wealth of information about the macOS usage as well as user activity. Several of the key things tracked in this database will be shown represented as artifacts such as:
Safari Browser History
Device Power Status
In addition to better understanding KnowledgeC, the powerlog database stored on macOS will be explored to better help examiners validate and understand tracking user behaviors.
MODULE 6: INTERNET ARTIFACTS
Several browser history artifacts from Safari, Chrome, and Firefox will be examined to assist in the investigation and collection of evidence in furtherance of the investigation being carried out by the students.
Students will also explore how to use valuable information populated by internet browsers into extended attributes of files.
MODULE 7: USER ACCOUNTS
Understanding the data specific to a user account can be key in an investigation. This module will cover Artifacts dealing with contacts, address books, saved apple accounts, keychain information, installed applications, and logon/logoff times.
MODULE 8: EMAIL
The default mail application (Mail.App) stores both email and calendar data inside macOS. This module will discuss how to recover artifacts and attachments from these stored files.
MODULE 9: MAC DESKTOP
The macOS Desktop stores several valuable artifacts around what a user has been accessing. This module will walk students through looking at the items stored in the mac Dock, the Menu Bar applications, recently used items, and the quick-look thumbnails and how they can be used in an investigation.
Examiners will also explore the AXIOM artifact Rebuilt Desktop – macOS to get a better visual representation of how these artifacts function to help determine user behaviors.
MODULE 10: TIME MACHINE AND SNAPSHOTS
Time Machine is a built-in backup methodology for macOS. In this module, students will cover the Time Machine and Snapshot functionalities of macOS and the APFS file system. This information will be valuable in trying to recover files that may no longer be active on the macOS system.
MODULE 11: CLOUD SERVICES
MacOS users typically have an Apple ID and with it, free iCloud storage. This cloud storage can prove important in an investigation as well as other cloud sources of data such as OneDrive and Google Drive; Understanding how macOS uses these services and what databases control the flow of data between the cloud service and the host computer is imperative to solving these types of investigations.
MODULE 12: CUMULATIVE REVIEW
A final practical will walk students through practicing the techniques and analyzing the artifacts discussed throughout this course.
Who Should Attend:
Participants who are unfamiliar (or somehow familiar) with the principles of digital forensics
AX200 or similar course is a must prior to this course
Field of Study:
Computer Software & Applications
Group Internet Based & Group Live