Staying Ahead of Mac Investigations with Apple Forensic Training

BlackBag’s Apple® Forensic Investigations (AF1) class focuses on evidence artifacts rather than parsed data. The idea is that attendees learn how to verify data found during analysis. The course prepares examiners to understand what the data is saying; how the user’s interaction with the OS affects the data, and how the OS and the related file system handles the artifacts.

“Apple changes macOS and iOS every year,” says Bruce Hunter, Senior Forensic Engineer at BlackBag. “There are a number of features and artifacts that are added through supplemental updates throughout the lifecycle of the operating system version; an example of this is iCloud File Sharing that was added to macOS 10.15.4. Some of the changes to the OS affect the results of your analysis. When I think back I realize how different analyzing a Mac is today compared to just a few years ago,” he explains.

Most examiners come to BlackBag classes with a Windows forensic background. Analyzing a Mac is completely different than analyzing a Windows computer. macOS handles data, tracks data, and maintains different data than Windows. If you analyze a Mac like you analyze a Windows system, you will miss data.

The AF1 class is frequently updated to reflect changes in the operating system; the following changes have been recently made:

  • The class reflects the latest macOS version focusing on the new structure of macOS 10.15. Practical examples are given showing how a Mac is upgraded to macOS 10.15 and how the structure of macOS 10.15 affects your analysis.
  • Imaging methodology for T2 chip Macs using MacQuisition is detailed including an explanation of the imaging process and pitfalls an examiner could run into.
  • Workflow charts for the triage and imaging of Macs with varying hardware configurations, file systems, encryption mechanisms, and in varying states
  • Evidence analysis for the latest version of Safari
  • iCloud data from Apple ingestion and investigation. Showing user iCloud data directly from Apple, how this data looks when received from Apple, how it can be ingested in BlackLight and how to analyze the data received from a user’s iCloud account.
  • Hands on analysis of iCloud file sharing that was introduced with macOS 10.15.4. This new feature greatly affects what we normally see when files are downloaded on a Mac.
  • Photos application has been completely updated for macOS 10.15. Our course covers an in-depth analysis of the very formidable Photos database.

Preparations are already in place for updating AF1 to include artifacts from macOS 11 BigSur.

Stay ahead of Mac investigations with BlackBag’s Apple Forensics Investigations class, which is offered through instructor-led in person, instructor-led virtual, and on-demand self-paced options.

Learn more about Apple Forensic Investigations and additional BlackBag training course options here.

About BlackBag Technologies:

BlackBag® Technologies, a Cellebrite company, offers innovative forensic acquisition and analysis tools for both Windows and macOS based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants to investigate all types of digital evidence associated with both criminal, civil and internal investigations. BlackBag also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensic professionals. To learn more, visit www.blackbagtech.com or email [email protected].

Leave a Comment