SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
FOR518: Mac and iOS Forensic Analysis and Incident Response
FOR518Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Sarah Edwards
Course created by:Sarah Edwards
- GIAC iOS and macOS Examiner (GIME)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 23 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Conduct detailed, in-depth analysis on raw data from Mac and iOS cases. Gain confidence in your forensic analysis and incident response skills with hands-on labs.
Featured Quote
FOR518 is a great course for forensics people and organizations that use Mac within their environments, and the labs were really engaging. Sarah is an expert in this field and a great instructor, and she's really responsive to our comments and questions.
Course Overview
FOR518 is the first non-vendor-based Mac and iOS incident response and forensics course that focuses students on the raw data, in-depth detailed analysis, and how to get the most out of their Mac and iOS cases. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. The course includes 23 hands-on labs.
What You’ll Learn
- Understand macOS and iOS file systems and data layout
- Explore cross-device Apple ecosystem for investigations (AirTags, VisionPro, Apple Watch, HomeKit)
- Analyze usage patterns, app preferences, and personal settings
- Correlate data and logs for timeline analysis
- Investigate encrypted containers, FileVault, keychain, and Mac password cracking
- Identify backups, disk images, connected devices, and communications (Messages, FaceTime, SSH, AirDrop)
- Examine macOS metadata and app data (Spotlight, Time Machine, Safari, Mail)
Business Takeaways
- Empower employees to investigate various crimes such as computer misuse, malicious device intrusions, corporate espionage, insider threats, and fraud.
- Learn how various Apple data is stored and how to analyze using tool agnostic methods without the requirement for expensive commercial forensic tools.
- Identify different forensic artifacts and nuances between the Apple platforms (macOS and iOS).
- Understand the wealth of user related information that can show how a device was used or abused.
- Learn the differences of performing forensics and security assessments when Apple devices are involved versus other industry-standard operating systems.
Meet Your Author
Sarah Edwards
Senior InstructorSarah Edwards is a pioneering force in Apple forensics, having revolutionized the field through the creation of APOLLO—an open-source tool that deciphers macOS and iOS pattern-of-life data.
Read more about Sarah EdwardsCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR518: Mac and iOS Forensic Analysis and Incident Response.
Section 1Mac and iOS Essentials
This section introduces the student to Mac and iOS essentials such as acquisition, timestamps, logical file system, and disk structure. Acquisition fundamentals are the same with Mac and iOS devices, but there are a few tips and tricks that can be used to successfully collect Mac and iOS systems for analysis.
Topics covered
- Apple Essentials, Device Security, Disks, and Volumes
- macOS Acquisition Tools and Methods
- iOS Acquisition Tools and Methods
- Data Organization, Triage, and iCloud
- Forensic Testing
Labs
- Course Lab Setup
- Disks and Volumes
- Mount and Review Acquisitions
- Triage
- Forensic Testing
Section 2Log Analysis, User Data, and System Configuration
This section explores how system settings, configurations, and log analysis on macOS and iOS devices can reveal user activity and support forensic investigations.
Topics covered
- Log Analysis
- User Account
- Network Device Configuration
Labs
- Parsing System Logs
- User Artifacts and Interface
- Volumes, Printing, and System State
- Network and Bluetooth
Section 3File Systems and Related Artifacts
This section provides an in-depth exploration of the Apple File System (APFS), examining its unique structures, artifacts, and forensic value through hands-on analysis and comparison with other file systems.
Topics covered
- APFS Overview
- Extended Attributes
- Practical Queries
- Document Versions Metadata
- File System Events Store Database
Labs
- Parsing APFS (Bonus)
- Disk and Volume Artifacts
- Extended Attributes
- Spotlight
- Document Versions and FSEvents
Section 4Application Data Analysis
This section delves into user data generated by native Apple applications, teaching students how to manually analyze key artifacts like emails, messages, photos, and location data to support forensic investigations.
Topics covered
- Mach-O ExecutablesBrowser History and Cache
- Messaging and Calling files
- Notes, Photos, and Maps Analysis
Labs
- Application Fundamentals
- Safari and Wallet
- Mail and Communication
- Notes, Photos, Maps
Section 5Advanced Analysis Topics
This section covers advanced Apple-specific forensic topics, including pattern of life analysis, password cracking, malware detection, and various proprietary technologies like FindMy, Time Machine, and AirTags to support comprehensive investigations.
Topics covered
- Pattern of Life
- Cracking Passwords
- Malware Examples and Firewall Settings
- Other Apple Technology
Labs
- Pattern of Life
- Password Cracking
- Malware and Live Response
- One More Thing
Section 6Mac Forensics & Incident Response Challenge
In this final course section, students will put their new All-Things-Apple forensic skills to the test by running through a real-life scenario.
Topics covered
- In-Depth File System Examination and Analysis
- Advanced Computer Forensics Methodology
- Metadata and Database Analysis
- Volume and Disk Image Analysis
- Analysis of Apple-specific Technologies
Things You Need To Know
Relevant Job Roles
Digital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Sarah EdwardsDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Tokyo, JP & Virtual (live)
Instructed by Lee WhitfieldDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Lee WhitfieldDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Prague, CZ & Virtual (live)
Instructed by Sarah EdwardsDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Lee WhitfieldDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes - Location & instructor
Coral Gables, FL, US & Virtual (live)
Instructed by Sarah EdwardsDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
La Jolla, CA, US & Virtual (live)
Instructed by Sarah EdwardsDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Orlando, FL, US & Virtual (live)
Instructed by Sarah EdwardsDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 8
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 2It was very interesting to learn that certain 'forensic' tools could report data as being encrypted even though one could still get other data.
- Slide 2 of 2This is the most comprehensive Mac class I've taken.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources