Staying Ahead of Mac Investigations with Apple Forensic Training

BlackBag’s Apple® Forensic Investigations (AF1) class focuses on evidence artifacts rather than parsed data. The idea is that attendees learn how to verify data found during analysis. The course prepares examiners to understand what the data is saying, how the user’s interaction with the OS affects the data, and how the OS and the related file system handle the artifacts.

“Apple changes macOS and iOS every year,” says Bruce Hunter, Senior Forensic Engineer at BlackBag. “There are a number of features and artifacts that are added through supplemental updates throughout the lifecycle of the operating system version; an example of this is iCloud File Sharing that was added to macOS 10.15.4. Some of the changes to the OS affect the results of your analysis. When I think back I realize how different analyzing a Mac is today compared to just a few years ago,” he explains.

Most examiners come to BlackBag classes with a Windows forensic background. Analyzing a Mac is completely different from analyzing a Windows computer. macOS handles and tracks data differently than Windows does, and it maintains different data. If you analyze a Mac the way you analyze a Windows system, you will miss data.

The AF1 class is frequently updated to reflect changes in the operating system; the following changes have been recently made:

  • The class reflects the latest macOS version, focusing on the new structure of macOS 10.15. Practical examples show how a Mac is upgraded to macOS 10.15 and how the structure of macOS 10.15 affects your analysis.
  • Imaging methodology for T2 chip Macs using MacQuisition is detailed, including an explanation of the imaging process and the pitfalls an examiner could run into.
  • Workflow charts for the triage and imaging of Macs with varying hardware configurations, file systems, encryption mechanisms, and in varying states.
  • Evidence analysis for the latest version of Safari.
  • Ingestion and investigation of iCloud data from Apple: what a user’s iCloud data looks like when received directly from Apple, how it can be ingested in BlackLight, and how to analyze the data received from a user’s iCloud account.
  • Hands-on analysis of iCloud file sharing, which was introduced with macOS 10.15.4. This new feature greatly affects what we normally see when files are downloaded on a Mac.
  • The Photos application has been completely updated for macOS 10.15. Our course covers an in-depth analysis of the very formidable Photos database.

Preparations are already in place for updating AF1 to include artifacts from macOS 11 Big Sur.


Stay ahead of Mac investigations with BlackBag’s Apple Forensic Investigations class, which is offered through instructor-led in-person, instructor-led virtual, and on-demand self-paced options.

Learn more about Apple Forensic Investigations and additional BlackBag training course options here.

About BlackBag Technologies:

BlackBag® Technologies, a Cellebrite company, offers innovative forensic acquisition and analysis tools for both Windows and macOS based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants to investigate all types of digital evidence associated with criminal, civil, and internal investigations. BlackBag also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensic professionals. To learn more, visit www.blackbagtech.com or email training@blackbagtech.com.
