
macOS Lockdown Mode: A DFIR Odyssey

Slides: macOS Lockdown Mode: A DFIR Odyssey (PDF, 7.27 MB)
Last updated: 24 Jul, 2025
Presented by: Bhargav Rathod

With increasing cyber threats, Apple introduced a robust security feature known as "Lockdown Mode." This session delves into the intricacies of Lockdown Mode, exploring its purpose and evolution. Designed to shield users from targeted cyber threats, Lockdown Mode adds a layer of security by restricting certain functionality across Apple operating systems, including iOS, macOS, watchOS, and iPadOS. Participants will gain insight into the operational changes that occur when Lockdown Mode is activated on macOS, including which functionalities are restricted. The restrictions imposed on macOS raise intriguing questions from a DFIR perspective: how do they change traditional digital forensics? In this session, DFIR examiners will uncover the subtle yet significant artifacts generated, the changes to system logging, methods for detecting Lockdown Mode (LDM), and the implications for digital forensics and incident response (DFIR). We will examine how this mode affects user accounts and accessibility, altering the balance between security and user experience. Additionally, participants will explore the potential challenges and solutions for navigating these changes effectively. The session aims to equip digital forensics professionals with the essential insights and skills to adapt to the evolving cybersecurity landscape.

Key takeaways:

1. Lockdown Mode Restrictions: LDM imposes security measures that reduce the attack surface of the device. Attendees will gain insight into which restrictions are actually implemented.
2. Lockdown Mode Forensic Artefacts: When LDM is enabled, it generates specific forensic artefacts, including logs, that are crucial during forensic investigations. These artefacts are demonstrated to raise DFIR examiner awareness of them and of their impact during an investigation.
3. DFIR Implications of Lockdown Mode: LDM alters traditional DFIR techniques by restricting access to data and to macOS functionality. Attendees will gain a comprehensive understanding of how to deal with LDM in incident response and post-mortem forensics.

SANS DFIR Summit 2025