
FOR518: Mac and iOS Forensic Analysis and Incident Response

FOR518 - Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by: Sarah Edwards
  • GIAC iOS and macOS Examiner (GIME)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 23 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Conduct detailed, in-depth analysis on raw data from Mac and iOS cases. Gain confidence in your forensic analysis and incident response skills with hands-on labs.

Course Overview

FOR518 is the first non-vendor-based Mac and iOS incident response and forensics course that focuses students on the raw data, in-depth detailed analysis, and how to get the most out of their Mac and iOS cases. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. The course includes 23 hands-on labs.

What You’ll Learn

  • Understand macOS and iOS file systems and data layout
  • Explore the cross-device Apple ecosystem for investigations (AirTags, Vision Pro, Apple Watch, HomeKit)
  • Analyze usage patterns, app preferences, and personal settings
  • Correlate data and logs for timeline analysis
  • Investigate encrypted containers, FileVault, keychain, and Mac password cracking
  • Identify backups, disk images, connected devices, and communications (Messages, FaceTime, SSH, AirDrop)
  • Examine macOS metadata and app data (Spotlight, Time Machine, Safari, Mail)

Business Takeaways

  • Empower employees to investigate various crimes such as computer misuse, malicious device intrusions, corporate espionage, insider threats, and fraud.
  • Learn how various Apple data is stored and how to analyze it using tool-agnostic methods, without requiring expensive commercial forensic tools.
  • Identify different forensic artifacts and nuances between the Apple platforms (macOS and iOS).
  • Understand the wealth of user-related information that can show how a device was used or abused.
  • Learn how performing forensics and security assessments differs when Apple devices are involved versus other industry-standard operating systems.

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR518: Mac and iOS Forensic Analysis and Incident Response.

Section 1: Mac and iOS Essentials

This section introduces the student to Mac and iOS essentials such as acquisition, timestamps, logical file system, and disk structure. Acquisition fundamentals are the same with Mac and iOS devices, but there are a few tips and tricks that can be used to successfully collect Mac and iOS systems for analysis.

Topics covered

  • Apple Essentials, Device Security, Disks, and Volumes
  • macOS Acquisition Tools and Methods
  • iOS Acquisition Tools and Methods
  • Data Organization, Triage, and iCloud
  • Forensic Testing

Labs

  • Course Lab Setup
  • Disks and Volumes
  • Mount and Review Acquisitions
  • Triage
  • Forensic Testing

Section 2: Log Analysis, User Data, and System Configuration

This section explores how system settings, configurations, and log analysis on macOS and iOS devices can reveal user activity and support forensic investigations.

Topics covered

  • Log Analysis
  • User Account
  • Network Device Configuration

Labs

  • Parsing System Logs
  • User Artifacts and Interface
  • Volumes, Printing, and System State
  • Network and Bluetooth

Section 3: File Systems and Related Artifacts

This section provides an in-depth exploration of the Apple File System (APFS), examining its unique structures, artifacts, and forensic value through hands-on analysis and comparison with other file systems.

Topics covered

  • APFS Overview
  • Extended Attributes
  • Practical Queries
  • Document Versions Metadata
  • File System Events Store Database

Labs

  • Parsing APFS (Bonus)
  • Disk and Volume Artifacts
  • Extended Attributes
  • Spotlight
  • Document Versions and FSEvents

Section 4: Application Data Analysis

This section delves into user data generated by native Apple applications, teaching students how to manually analyze key artifacts like emails, messages, photos, and location data to support forensic investigations.

Topics covered

  • Mach-O Executables
  • Browser History and Cache
  • Messaging and Calling files
  • Notes, Photos, and Maps Analysis

Labs

  • Application Fundamentals
  • Safari and Wallet
  • Mail and Communication
  • Notes, Photos, Maps

Section 5: Advanced Analysis Topics

This section covers advanced Apple-specific forensic topics, including pattern of life analysis, password cracking, malware detection, and various proprietary technologies like FindMy, Time Machine, and AirTags to support comprehensive investigations.

Topics covered

  • Pattern of Life
  • Cracking Passwords
  • Malware Examples and Firewall Settings
  • Other Apple Technology

Labs

  • Pattern of Life
  • Password Cracking
  • Malware and Live Response
  • One More Thing

Section 6: Mac Forensics & Incident Response Challenge

In this final course section, students will put their new All-Things-Apple forensic skills to the test by running through a real-life scenario.

Topics covered

  • In-Depth File System Examination and Analysis
  • Advanced Computer Forensics Methodology
  • Metadata and Database Analysis
  • Volume and Disk Image Analysis
  • Analysis of Apple-specific Technologies

Things You Need To Know

Relevant Job Roles

Malware Analyst

Digital Forensics and Incident Response

Malware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Insider Threat Analysis

NICE: Protection and Defense

Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.

Digital Forensics (OPM 212)

NICE: Protection and Defense

Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.

Military Operations / Law Enforcement Agents

Digital Forensics and Incident Response

Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.

Media Exploitation Analyst

Digital Forensics and Incident Response

This expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

Incident Response Team Member

Digital Forensics and Incident Response

This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.

Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.

Cybersecurity Analyst/Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Digital Evidence Analysis (OPM 211)

NICE: Investigation

Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Course Schedule & Pricing

  • Virtual (OnDemand)
    Instructed by Sarah Edwards
    Date & Time: OnDemand (Anytime), Self-Paced, 4 months access
    Course price: $8,780 USD*

  • Tokyo, JP & Virtual (live)
    Instructed by Lee Whitfield
    Course price: $8,900 USD*

  • Prague, CZ & Virtual (live)
    Instructed by Sarah Edwards
    Course price: €8,230 EUR*

  • Singapore, SG & Virtual (live)
    Instructed by Lee Whitfield
    Course price: $8,900 USD*

  • Coral Gables, FL, US & Virtual (live)
    Instructed by Sarah Edwards
    Course price: $8,780 USD*

  • La Jolla, CA, US & Virtual (live)
    Instructed by Sarah Edwards
    Course price: $8,780 USD*

  • Orlando, FL, US & Virtual (live)
    Instructed by Sarah Edwards
    Course price: $8,780 USD*

*Prices exclude applicable local taxes

Benefits of Learning with SANS

  • Get feedback from the world’s best cybersecurity experts and instructors
  • Choose how you want to learn - online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources