The latest release of Mac OS X and iOS devices uses a new file system called APFS. In this webcast, digital investigators will learn how the file system differs from prior Apple and Microsoft file systems and how that will impact investigations. Derrick will cover how data storage and encryption have changed and what techniques can be used to ensure you acquire an image you can successfully examine. In addition, we'll examine why the new copy-on-write features used during the deletion process leave more artifacts for examiners to trace than prior Mac file systems. Understanding these changes and being able to identify these artifacts will be critical for all forensic investigators. At the end of this session, forensic examiners will know the following: how to identify a computer with APFS, what techniques to consider when acquiring APFS drives, the file history implications of the copy-on-write feature, and how to locate that information when handling encrypted Macs.
Join SANS at the annual Digital Forensics & Incident Response (DFIR) Summit, June 7-14, in Austin, TX. This is the most comprehensive DFIR event of the year, bringing together an influential group of experts, immersion-style training, and industry networking opportunities in one place. Over the course of this training event, you'll enjoy: