Training
Featured CourseView All Courses
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

MacOS Telemetry vs EDR Telemetry - Which is Better?

Download File
MacOS Telemetry vs EDR Telemetry - Which is Better? (PDF, 3.57MB)Last updated: 28 Sep, 2025
Presented by:
Fouad Animashaun
Fouad Animashaun

As macOS adoption grows in enterprise environments, threat actors are increasingly targeting these systems, leaving incident responders to adapt their investigative approaches. While Endpoint Detection and Response (EDR) solutions provide broad visibility, Apple’s Unified Logging System (AUL) often captures deeper, host-level telemetry that EDR tools miss. This session will compare EDR telemetry with macOS unified logs, demonstrating scenarios where unified logs answer key forensic questions that EDR cannot. Understand how to leverage AUL in investigations, use Private Data Logging, and work within log retention limitations. You will leave with actionable methods to enhance macOS incident response by tapping into this underutilized but powerful forensic data source.

SANS DFIR Europe Prague 2025

Presenter

Fouad Animashaun
Fouad Animashaun

Fouad Animashaun

Ayo Animashaun is a Security Engineer on Dropbox’s Detection and Response Team (DART), where he specializes in macOS forensics and malware analysis.

Read more about Fouad Animashaun

Related Resources

When the Threat Group Doesn’t Leave: Incident Response Under Fire

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Eran Laloof
  • SANS DFIR Europe Prague 2025

Enterprise Digital Forensics and Security with Open Tools: Automate Audits, Computer Forensics Investigations and Incident Response with AWX and Ansible

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Alessandro Fiorenzi
  • SANS DFIR Europe Prague 2025

Extracting the Unseen: Real-World RAM Acquisition and Analysis from Android Devices

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Alex Coley
  • SANS DFIR Europe Prague 2025

Mobile Device Hardening: A Forensic Comparison of Advanced Protection Programmes in IOS and Android

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Luca Cadonici
  • SANS DFIR Europe Prague 2025

Tool: 4n6pi - A Lightweight, Open Source, Forensic Disk Imager

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Egon Lampert
  • SANS DFIR Europe Prague 2025

Tool: The Only ‘Kanvas’ You Need When Spreadsheets Fail Your IR Case Management

Summit PresentationDigital Forensics and Incident Response
  • 28 Sep 2025
  • Jinto Antony
  • SANS DFIR Europe Prague 2025

Related Courses

  • Slide 1 of 15

    FOR589: Cybercrime Investigations

    Intermediate
    FOR589Digital Forensics and Incident Response
    FOR589: Cybercrime Intelligence
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 15

    FOR585: Smartphone Forensic Analysis In-Depth

    Essentials
    FOR585Digital Forensics and Incident Response
    FOR585: Smartphone Forensic Analysis In-Depth
    • GIAC Advanced Smartphone Forensics (GASF)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 15

    FOR608: Enterprise-Class Incident Response & Threat Hunting

    Intermediate
    FOR608Digital Forensics and Incident Response
    FOR608: Enterprise-Class Incident Response & Threat Hunting
    • GIAC Enterprise Incident Responder (GEIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 4 of 15

    FOR518: Mac and iOS Forensic Analysis and Incident Response

    updatedIntermediate
    FOR518Digital Forensics and Incident Response
    FOR518: Mac and iOS Forensic Analysis and Incident Response
    • GIAC iOS and macOS Examiner (GIME)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 15

    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

    updatedIntermediate
    FOR508Digital Forensics and Incident Response
    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    • GIAC Certified Forensic Analyst (GCFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 35 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 15

    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

    Advanced
    FOR610Digital Forensics and Incident Response
    FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
    • GIAC Reverse Engineering Malware (GREM)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 48 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 15

    FOR578: Cyber Threat Intelligence

    Intermediate
    FOR578Digital Forensics and Incident Response
    FOR578: Cyber Threat Intelligence
    • GIAC Cyber Threat Intelligence (GCTI)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 8 of 15

    FOR509: Enterprise Cloud Forensics and Incident Response

    Major UpdatesIntermediate
    FOR509Digital Forensics and Incident Response
    FOR509: Enterprise Cloud Forensics and Incident Response
    • GIAC Cloud Forensics Responder (GCFR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 9 of 15

    FOR528: Ransomware and Cyber Extortion

    Intermediate
    FOR528Digital Forensics and Incident Response
    FOR528: Ransomware and Cyber Extortion
    • 4 Days (Instructor-Led)
    • 24 CPEs / 24 Hours (Self-Paced)
    • Labs: 13 Hands-On Labs

    View course detailsRegister
  • Slide 10 of 15

    FOR577: LINUX Incident Response and Threat Hunting

    Intermediate
    FOR577Digital Forensics and Incident Response
    FOR577: LINUX Incident Response and Threat Hunting
    • GIAC Linux Incident Responder (GLIR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister
  • Slide 11 of 15

    FOR710: Reverse-Engineering Malware: Advanced Code Analysis

    Advanced
    FOR710Digital Forensics and Incident Response
    FOR710: Reverse-Engineering Malware: Advanced Code Analysis
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 12 Hands-On Labs

    View course detailsRegister
  • Slide 12 of 15

    FOR498: Digital Acquisition and Rapid Triage

    Essentials
    FOR498Digital Forensics and Incident Response
    FOR498: Digital Acquisition and Rapid Triage
    • GIAC Battlefield Forensics and Acquisition (GBFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 13 of 15

    FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models

    newAI-FOCUSEDIntermediate
    FOR563Digital Forensics and Incident Response, Artificial Intelligence
    FOR509: Enterprise Cloud Forensics and Incident Response
    • 1 Day (Instructor-Led)
    • 6 CPEs / 6 Hours (Self-Paced)
    • Labs: 4 Hands-On Labs

    View course detailsRegister
  • Slide 14 of 15

    FOR500: Windows Forensic Analysis

    Essentials
    FOR500Digital Forensics and Incident Response
    FOR500: Windows Forensic Analysis
    • GIAC Certified Forensic Examiner (GCFE)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 22 Hands-On Labs

    View course detailsRegister
  • Slide 15 of 15

    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

    Advanced
    FOR572Digital Forensics and Incident Response
    FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
    • GIAC Network Forensic Analyst (GNFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister