MacOS Forensic Analysis
MacOS Forensics course will provide participants with a general knowledge identifying, collecting and analyzing the artifacts and evidence on Mac OS systems. The participants will learn Mac OS introduction, operating system and services, HFS+/HFS, APFS file system basics, file system acquisition, shell, networking, user accounts, user login history, recovering deleted files, collecting volatile data, forensic usage of the command line, and locating evidence.
3.1. HFS+ Basics
3.2. Disk & Volume & Partition
3.3. Details
3.4. File System Events Store data base analysis
3.5. FileVault and FileVault2
5.1. Startup files
5.2. Link Files
5.3. Time stamps formats
5.4. Mac OS X File System Domains
5.5. User & Local & System & Network Domain
5.6. Plist files
6.1. User home folder
6.2. User settings
6.3. Cache data
6.4. User account data
6.5. Last logon time
6.6. Keychain analysis
6.7. User autorun files
6.8. Bash history
6.9. Downloaded files
6.10. Last accessed files and folders
6.11. Safari history
6.12. Mail analysis
6.13. iChat analysis
6.14. Facetime analysis
6.15. iCal analysis
6.16. Phonebook
6.17. iTunes and iPhoto
6.18. Spotlight
6.19. Airdrop