Staying Ahead of Mac Investigations with Apple Forensic Training

BlackBag’s Apple® Forensic Investigations (AF1) class focuses on evidence artifacts rather than parsed data. The idea is that attendees learn how to verify data found during analysis. The course prepares examiners to understand what the data is saying, how the user’s interaction with the OS affects the data, and how the OS and the related file system handle the artifacts.

“Apple changes macOS and iOS every year,” says Bruce Hunter, Senior Forensic Engineer at BlackBag. “There are a number of features and artifacts that are added through supplemental updates throughout the lifecycle of the operating system version; an example of this is iCloud File Sharing that was added to macOS 10.15.4. Some of the changes to the OS affect the results of your analysis. When I think back I realize how different analyzing a Mac is today compared to just a few years ago,” he explains.

Most examiners come to BlackBag classes with a Windows forensic background. Analyzing a Mac is completely different than analyzing a Windows computer. macOS handles data, tracks data, and maintains different data than Windows. If you analyze a Mac like you analyze a Windows system, you will miss data.

The AF1 class is frequently updated to reflect changes in the operating system; the following changes have been recently made:

  • The class reflects the latest macOS version, focusing on the new structure of macOS 10.15. Practical examples show how a Mac is upgraded to macOS 10.15 and how the structure of macOS 10.15 affects your analysis.
  • Imaging methodology for T2 chip Macs using MacQuisition is detailed, including an explanation of the imaging process and pitfalls an examiner could run into.
  • Workflow charts for the triage and imaging of Macs with varying hardware configurations, file systems, encryption mechanisms, and in varying states.
  • Evidence analysis for the latest version of Safari.
  • iCloud data from Apple: ingestion and investigation. The class shows user iCloud data directly from Apple, how this data looks when received from Apple, how it can be ingested in BlackLight, and how to analyze the data received from a user’s iCloud account.
  • Hands-on analysis of iCloud file sharing, which was introduced with macOS 10.15.4. This new feature greatly affects what we normally see when files are downloaded on a Mac.
  • The Photos application has been completely updated for macOS 10.15. Our course covers an in-depth analysis of the very formidable Photos database.

Preparations are already in place for updating AF1 to include artifacts from macOS 11 Big Sur.



Stay ahead of Mac investigations with BlackBag’s Apple Forensic Investigations class, which is offered through instructor-led in-person, instructor-led virtual, and on-demand self-paced options.

Learn more about Apple Forensic Investigations and additional BlackBag training course options here.

About BlackBag Technologies:

BlackBag® Technologies, a Cellebrite company, offers innovative forensic acquisition and analysis tools for both Windows and macOS based computers, as well as iOS and Android mobile devices. Its forensic software is used by hundreds of federal, state, and local law enforcement agencies around the world, as well as by leading corporations and consultants to investigate all types of digital evidence associated with criminal, civil and internal investigations. BlackBag also develops and delivers expert forensics training and certification programs, designed for both novice and experienced forensic professionals. To learn more, visit www.blackbagtech.com or email [email protected].
