Mac & IOS Forensic Analysis & Incident Response Training

What You Will Learn

Digital forensic and incident response investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms. Dealing with these devices as an investigator is no longer a niche skill - every analyst must have the core skills necessary to investigate the Apple devices they encounter.

The constantly updated FOR518: Mac and iOS Forensic Analysis and Incident Response course provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers that have compromised Apple devices.

Forensicate Differently!

FOR518: Mac and iOS Forensic Analysis and Incident Response will teach you:

Mac and iOS Fundamentals: How to analyze and parse the Apple File System (APFS+) by hand and recognize the specific domains of the logical file system and Mac-specific file types.
User & Device Activity: How to understand, profile, and conduct advanced pattern-of-life on users and they devices through their data files and preference configurations.
Advanced Intrusion Analysis and Correlation: How to determine how a system has been used or compromised by using the system and user data files in correlation with system log files.
Apple Technologies: How to understand and analyze many Mac and iOS-specific technologies, including Time Machine, Spotlight, iCloud, Document Versions, FileVault, Continuity, and FaceTime.

FOR518: Mac and iOS Forensic Analysis and Incident Response aims to train a well-rounded investigator by diving deep into forensic and intrusion analysis of Mac and iOS. The course focuses on topics such as the APFS file system, Mac-specific data files, tracking of user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who completes this course will have the skills needed to take on a Mac or iOS forensics case.

FOR518 Will Prepare You To

Parse the HFS+ file system by hand, using only a cheat sheet and a hex editor
Understand the APFS file system and its significance
Determine the importance of each file system domain
Conduct temporal analysis of a system by correlating data files and log analysis
Profile how individuals used the system, including how often they used the system, what applications they frequented, and their personal system preferences
Identify remote or local data backups, disk images, or other attached devices
Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
Analyze and understand Mac metadata and their importance in the Spotlight database, Time Machine, and Extended Attributes
Develop a thorough knowledge of the Safari Web Browser and Apple Mail applications
Identify communication with other users and systems though iChat, Messages, FaceTime, Remote Login, Screen Sharing, and AirDrop
Conduct an intrusion analysis of a Mac for signs of compromise or malware infection
Acquire and analyze memory from Mac systems
Acquire iOS and analyze devices in-depth

Course Topics

In-Depth HFS+ File System Examination and an Introduction to APFS
File System Timeline Analysis
Advanced Computer Forensics Methodology
Mac-Specific Acquisition and Incident Response Collection
Mac Memory Acquisition and Analysis
File System Data Analysis
Metadata Analysis
Recovery of Key Mac Files
Volume and Disk Image Analysis
Analysis of Mac Technologies, including Time Machine, Spotlight, and FileVault
Advanced Log Analysis and Correlation
iDevice Analysis and iOS Artifacts

What You Will Receive

90-Day trial for BlackBag Technologies BlackLight Forensic Analysis Software
Course Downloadable package loaded with case examples, tools, and documentation
MP3 audio files of the complete course lecture

SANS Video

Syllabus (36 CPEs)

Download PDF

Overview
This section introduces the student to Mac and iOS essentials such as acquisition, timestamps, logical file system, and disk structure. Acquisition fundamentals are the same with Mac and iOS devices, but there are a few tips and tricks that can be used to successfully and easily collect Mac and iOS systems for analysis. Students comfortable with Windows forensic analysis can easily learn the slight differences on a Mac system - the data are the same, only the format differs.
Exercises
- Lab Setup
- BlackLight and Image Mounting
- Exploring iOS Acquisitions
- Disks and Partitions
Topics
- Apple Essentials
- Mac Essentials and Acquisition
- iOS Essentials and Acquisition
- Disks and Partitions
Overview
The building blocks of Mac and iOS forensics start with a thorough understanding of the HFS+. Utilizing a hex editor, students will learn the basic principles of the primary file system implemented on MacOS systems. Students will then use that information to look at a variety of great artifacts that use the file system and that are different from other operating systems students have seen in the past. Rounding out the day, students will review Mac and iOS triage data.
Exercises
- HFS+
- File System Fun!
- Mac and iOS Triage
Topics
- File Systems
- Extended Attributes
- File System Events Store Database
- Spotlight
- Mac and iOS Triage
- Most Recently Used (MRUs)
Overview
This section contains a wide array of information that can be used to profile and understand how individuals use their computers. The logical Mac file system is made up of four domains: User, Local, System, and Network. The User Domain contains most of the user-related items of forensic interest. This domain consists of user preferences and configurations.
The Local and System Domains contain system-specific information such as application installation, system settings and preferences, and system logs. This section details basic system information, GUI preferences, and system application data. A basic analysis of system logs can provide a good understanding of how a system was used or abused. The Network domain is more ethereal and we can find this in many places throughout the course as well as in the logs.
Timeline analysis tells the story of how the system was used. Each entry in a log file has a specific meaning and may be able to tell how the user interacted with the computer. The log entries can be correlated with other data found on the system to create an in-depth timeline that can be used to solve cases quickly and efficiently. Analysis tools and techniques will be used to correlate the data and help the student put the story back together in a coherent and meaningful way.
Exercises
- User Data and System Configuration
- Log Parsing and Analysis
- Timeline Analysis and Data Correlation
Topics
- User Data and System Configuration
- Log Parsing and Analysis
- Timeline Analysis and Data Correlation
Overview
In addition to all the configuration and preference information found in the User Domain, the user can interact with a variety of native Apple applications, including the Internet, email, communication, photos, locational data, and others. These data can provide analysts with the who, what, where, why, and how for any investigation.
This section will explore the various databases and other files where data are being stored. The student will be able to parse this information by hand without the help of a commercial tool parser.
Exercises
- Safari and Mail
- Applications - Part I
- Applications - Part II
Topics
- Application Permissions
- Native Application Fundamentals
- Safari Browser
- Apple Mail
- Communication
- Calendar and Reminders
- Contacts
- Notes
- Apple Pay, Wallet, Passes
- Photos
- Maps
- Location Data
- Apple Watch
- Third-Party Apps
Overview
Mac systems implement some technologies that are available only to those with Mac and iOS devices. These include data backup with Time Machine, Document Versions, and iCloud, as well as disk encryption with FileVault. Other advanced topics include data hidden in encrypted containers, live response, Mac intrusion and malware analysis, and Mac memory analysis.
Exercises
- Time Machine and Document Versions
- Malware and Live Response
- Memory Analysis, Password Cracking, and Encrypted Containers
Topics
- Time Machine
- Document Versions
- iCloud
- Malware and Intrusion Analysis
- Live Response
- Memory Acquisitions and Analysis
- Password Cracking and Encrypted Containers
Overview
In this final course section, students will put their new Mac forensic skills to the test by running through a real-life scenario with team members.
Topics:
- In-Depth File System Examination
- File System Timeline Analysis
- Advanced Computer Forensics Methodology
- Mac Memory Analysis
- File System Data Analysis
- Metadata Analysis
- Recovering Key Mac Files
- Volume and Disk Image Analysis
- Analysis of Mac Technologies including Time Machine, Spotlight, and FileVault
- Advanced Log Analysis and Correlation
- iDevice Analysis and iOS Artifacts

Prerequisites

Working knowledge of forensics and the Unix command line is very useful! You can familiarize yourself with the Unix command line with these tutorials:

https://www.learnenough.com/command-line-tutorial

Laptop Requirements

Important! Bring your own system configured according to these instructions!

**************************IMPORTANT NOTE: MAC HARDWARE IS REQUIRED*************************************

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you follow the pre-class Mac System Setup Guide for your Mac. The guide is available at http://sans.org/security-resources/FOR518-laptop-setup-guide-v2.pdf. It is crucial that you read and follow the instructions in this pre-class Mac system setup guide before attending class the first day. The guide is a detailed step-by-step walk-through of a variety of downloads and configuration steps needed to prep your system for an in-depth and exciting week of Mac and iOS forensics. Please follow all of the steps correctly, otherwise your enjoyment of the class could be impacted. We recommend setting up your system at home, as hotel Internet might not be adequate to finalize the setup before class. Please do not wait until the night before class to go through the setup guide.

A properly configured Mac system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

MANDATORY FOR518 SYSTEM HARDWARE AND SOFTWARE REQUIREMENTS:

Apple Mac laptop with the following minimum configuration:
MacOS 10.13 (or newer)
CPU: Intel Core i5/i7 Series (a high-end Intel 2.8Ghz+ Core 2 Duo may also suffice)
Wireless 802.11 capability
8GB RAM or more is recommended
At least 250 gigabytes of free space on your system hard drive or on an external hard drive.
USB 2.0 port(s) or higher (Please bring your USB-C to USB-A adapters for the new Macs!)
Students should have the capability to have Local Administrator Access within their host operating system. Some monitoring and AV software may interfere with some exercises, so please be able to turn these off when needed.
IMPORTANT NOTE: MAC HARDWARE IS REQUIRED

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"This course is designed to enable an analyst comfortable in Windows-based forensics to perform just as well on a Mac. The Mac and iOS market share is ever-increasing, and the Apple is now a popular platform for many companies and government entities. I believe a well-rounded forensic analyst is an extremely well-prepared and employable individual in a Windows forensics world. Windows analysis is the base education in the competitive field of digital forensics, but any additional skills you can acquire can set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis.

Mac and iOS forensics is truly a passion of mine that I genuinely want to share with the forensics community. While you may not work on a Mac or iOS investigation every day, the tools and techniques you learn in this course will help you with other investigations including Windows, Linux, and mobile." - Sarah Edwards

"FOR518 is a great course for forensics people and organizations that use Mac within their environments, and the labs were really engaging. Sarah is an expert in this field and a great instructor, and she's really responsive to our comments and questions." - Ali Memarzia, Google

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend FOR518?

Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of file system forensics and advanced Mac analysis.
Law Enforcement Officers, Federal Agents, and Detectives who want to master advanced computer forensics and expand their investigative skill set.
Media Exploitation Analysts who need to know where to find the critical data they need from a Mac system.
Incident Response Team Members who are responding to complex security incidents/intrusions from sophisticated adversaries and need to know what to do when examining a compromised system.
Information Security Professionals who want to become knowledgeable about MacOS and iOS system internals.
SANS FOR500, FOR508, FOR526, FOR610, and FOR585 Alumni looking to round out their forensic skills.

"Within the first two days or training, I had enough knowledge to go back to work and solve two outstanding issues." - Beau G, Information Systems Solutions

See prerequisites

Reviews

It was very interesting to learn that certain 'forensic' tools could report data as being encrypted even though one could still get other data.

Gary Titus

Stroz Friedberg LLC

Really excellent course. Fantastic resource in the classroom material. Forensic challenge the last day was very fun.

This is the most comprehensive Mac class I've taken.

Daniel M.

US Federal Agency

FOR518: Mac and iOS Forensic Analysis and Incident Response

Course Authors:

Sarah Edwards

What You Will Learn

Syllabus (36 CPEs)

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Exercises

Topics

Overview

Prerequisites

Laptop Requirements

Author Statement

Ways to Learn

Who Should Attend FOR518?

Reviews

Find ways to take this course