InfoSec teams need to refresh Apple forensics skills as cyber threats increase, says expert

UK – With Apple products now accounting for over 15%* of global operating systems across desktops, laptops, tablets and smartphones, Sarah Edwards believes that information security professionals need to update their digital forensics skills to meet both a growing threat and rising demand for their expertise.

Edwards, author of the SANS course FOR518: Mac Forensic Analysis, is a senior digital forensic analyst who has worked with various federal law enforcement agencies on a variety of investigations, including computer intrusion, criminal, counter-intelligence, counter-narcotic, and counter-terrorism cases.

"As Apple Mac systems become increasingly popular in the workplace, they also become a greater target for attack," says Edwards, pointing to a study last year by security company Kaspersky Labs that tracked nearly 1500** new malware programs targeting OS X during 2014, a 13% increase on the previous year.

"It's fair to say that Apple actually does a good job patching and updating its operating systems, but Macs are not immune from malware, and some of the new attacks we are seeing are the result of vulnerabilities based on Unix programs that are older than Macs themselves," says Edwards.

OS X is updated frequently, with new features added in a release cycle that is typically twice as frequent as that of Microsoft Windows, which means that InfoSec professionals working on Apple systems need to refresh their skills more often. "The other issue is that a lot of the information for forensically examining Apple systems is simply not documented in public or developer forums and there are fewer tools to choose from," she adds.

Edwards will be teaching an updated SANS FOR518: Mac Forensic Analysis course at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague this October.

"The course is aimed at investigators with a working knowledge of forensics and is particularly pertinent for individuals coming over from a Windows background, as many of the core skills are transferable, while this course provides the tools and techniques necessary to take on any Mac case without hesitation."

The 6-day course teaches Mac fundamentals, including how to analyse and parse the Hierarchical File System (HFS+) by hand and how to recognise the specific domains of the logical file system and Mac-specific file types. The material is taught in the context of Mac-specific technologies, including Time Machine, Spotlight, iCloud, Versions, FileVault, AirDrop, and FaceTime, and includes advanced analysis and correlation to determine how a system has been used or compromised.

The course runs from the 5th to the 10th of October at SANS DFIR Prague and the week concludes with a Summit packed with trending talks and leading speakers covering the most innovative DFIR topics. For more information on the event, or to register, please visit:



About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.