
Mac OS X Forensics

(@jdunn)
New Member
Joined: 16 years ago
Posts: 4
Topic starter  

Can anyone recommend any good Mac OS X Forensics courses?

I'd like to take something that covers the HFS+ file system, deleted file recovery, and email analysis.


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I haven't done it myself, but I've heard from those who have that BlackBag's training courses on Mac forensics are excellent.

http://www.blackbagtech.com/


   
(@maclovin)
New Member
Joined: 16 years ago
Posts: 1
 

Take a look at Forward Discovery's Mac Forensic Survival Course. It is for both the new and experienced Mac user. The course focuses on using a Mac as the forensic platform when examining other Mac computers. It covers everything you need to know from navigating the GUI, to where the evidence is located and reporting the findings.

The nice thing about the course is that it doesn't focus on using a specific software or suite. They use the Mac's built in features and free or low cost software, all of which are included in the class CD that the student takes home.

They also have the Raptor forensic imaging CD that will boot Macs and PCs. It is free and works great.

www.forwarddiscovery.com

Dave


   
(@alenios)
New Member
Joined: 16 years ago
Posts: 2
 

7Safe comes out with the CMFS course in September 2009 and it looks good. Here's a snippet of a recent interview with one of the 7Safe course developers:

“Can you tell me what the main subject areas (contents) of the CMFS course are?”

We start with a wider introduction to the topic, including some historical stuff like: What have Mac OS, Darwin, NeXTSTEP/OpenStep and BSD got to do with Mac OS X? From there we follow a path through OS X (system settings, user accounts, logging and other activity history, etc.) that is focussed not on “what can a Mac do” but on “what would an investigator actually like to know”. And there is plenty to know. We also discuss the internals of HFS+ quite in depth, which I am sure will be surprisingly interesting to many. The file system is quite unlike FAT and NTFS and this will be a great help in understanding certain effects investigators will observe.

“What inspired 7Safe to bring out a Mac forensics course?”

Most general-purpose forensic training is essentially “Windows XP Forensics”, as that is the environment everything is geared towards. Whether it is user account details, system settings or the behaviour of time stamps when creating, moving or copying files – the facts presented are either implicitly or explicitly focussed on Windows XP. And other environments, particularly non-Windows environments, of course, just don’t behave the same way. This is an accepted truth on the face of it, but most experienced investigators have certain expectations ingrained so deeply, it still comes as a surprise when facing the unknown operating system.

Developing the Mac Forensics course is, of course, a response to an increase in demand for Macs and as a consequence an increase in demand for Mac Forensics. I wouldn’t expect us to be developing a BeOS Forensics course anytime soon – the fact that there would likely be some interesting differences to observe notwithstanding – but Macs have reached critical mass, if you like.

“How many hands-on practical exercises are there over the 3 days?”

7Safe training has always had a strong preference for exercises as part of training. This course is quite unlike most of our others. Not because of a lack of exercises but because the exercises are even more part of the training – “spontaneous” practical activity in response to a statement made in a slide or a delegate’s question will be the norm, rather than the exception, on this course, which will make this whole course feel more like a workshop than a training course – but make no mistake, the delegates will be taking substantial factual knowledge home with them as well. On that front we are true to the 7Safe style.

“What kind of exercises are there? Any particular favourites?”

Let’s not kid ourselves, there are other Mac Forensics courses on the market. They will equip every student with one or more Macs to play with and have loads of interesting exercises, no doubt. Ours isn’t like that. Our aim is not to get people to use Macs, we are instead taking the slightly surprising route of investigating images of Macs using standard off-the-shelf (Windows-based!) forensic software. In other words: the whole point of our approach is to enable people to use their forensic environment, whichever one that may be, and investigate Macs in much the same way as any other system. And what I like best of our approach is how it demystifies the whole “Mac Forensics” bubble in the same way as demystifying always works: it’s a mystery only if one lacks the knowledge.

“Did you find out anything surprising or interesting whilst developing the course?”

I knew about Mac Forensics, of course. What I was most aware of was the many claims towards what things cannot be done in a forensic investigation if you’re not using a Mac to investigate a Mac. At times it felt like a miniature version of Myth Busters when yet another claim fell by the wayside with nothing more to say about it than “they simply didn’t know you could do that, did they?”. Sadly, no exploding caravans or microwaves involved, sorry.

“What do you think people will find most valuable on this course?”

When people look for courses on Mac Forensics, I think what they really hope to achieve is the same level of detail in Mac investigations they’ve become accustomed to from the Windows world. Just think of a Windows-based investigation and immediately people will know to look for information like last logon, system installation date and various other things. The investigation turns to a Mac and all of a sudden it’s ok to just find the relevant files. Getting over that and getting Mac investigations to the same standard is obviously the goal – coming out of this course and realising how much of that has instantly become achievable (and even understanding what things wouldn’t be as they’re different on a Mac) will be of great value to many people.

http://www.7safe.com/applied_mac_forensics.htm


   
(@surfandwork)
Eminent Member
Joined: 19 years ago
Posts: 26
 

I just took the AccessData Mac Forensics course. Skip it for now. It's a work in progress.


   
(@alenios)
New Member
Joined: 16 years ago
Posts: 2
 

jdunn, the 7Safe course should meet your requirements.
———————————————————

Introduction
Mac OS X vs. Mac OS
NeXT/BSD
Darwin
Apple Hardware
Mac OS X Server

System Settings
Key Directories
Time Zone and Synchronisation
System Installation
Networking
Startup

User Accounts
Home Directories
Logon Settings/Autologin
Password Storage
User Details

Activity Logging
System and Application Logs
Command and Application History
System Boot/Shutdown

Partitioning
Apple Partition Map
GUID Partition Table

File System Basics
File System Support in Mac OS X
HFS+ vs. HFS
HFSX
HFS+ Time Stamps
Special Files vs. User Files

HFS+ in Detail
Volume Headers
Special Files
B-Trees
Hot Files
Resource Forks
iNode Files/Hard Links

Common Applications
iChat
iCal
Mail
iPhoto
iWorks
Mac Office

Web Activity
Safari
Firefox3
History, Cache, Settings

Files behind the Scenes
Temporary Files
Print and Preview
Trash
Sleepimage
Swapfiles

Time Machine
Automated Backups in OS X
Time Capsule


   