Forensic Focus, Malware Research

Full Version: Mac Forensic Analysis Description
Course Day Descriptions

518.1 Mac Essentials and the HFS+ File System
This section introduces the student to Mac system fundamentals such as acquisition, the Hierarchical File System (HFS+), timestamps, and logical file system structure. Acquisition fundamentals are the same on Mac systems, but there are a few Mac-specific tips and tricks that can be used to successfully and easily collect Mac systems for analysis. The building blocks of Mac forensics start with a thorough understanding of HFS+. Using a hex editor, the student will learn the basic principles of the primary file system implemented on Mac OS X systems. Students comfortable with Windows forensic analysis can easily learn the slight differences on a Mac system: the data are the same, only the format differs.

518.2 User Domain File Analysis
The logical Mac file system is made up of four domains: User, Local, System, and Network. The User Domain contains most of the user-related items of forensic interest. This domain consists of user preferences and configurations, e-mail, Internet history, and user-specific application data. This section covers a wide array of information that can be used to profile and understand how individuals use their computers.

518.3 Investigating the User via Memory Artifacts
The System and Local Domains contain system-specific information such as application installation, system settings and preferences, and system logs. This section details basic system information, GUI preferences, and system application data. A basic analysis of system logs can give a good understanding of how a system was used... or abused. Timeline analysis tells the story of how the system was used. Each entry in a log file has a specific meaning and may be able to tell how the user interacted with the computer. The log entries can be correlated with other data found on the system to create an in-depth timeline that can be used to solve cases quickly and efficiently. Analysis tools and techniques will be used to correlate the data and help the student put the story back together in a coherent and meaningful way.

518.4 Advanced Analysis Topics
Mac systems implement some technologies that are available only to those with Mac devices. These include data backup with Time Machine, Versions, and iCloud; extensive file metadata with Extended Attributes and Spotlight; and disk encryption with FileVault. Other advanced topics include data hidden in encrypted containers, Mac intrusion and malware analysis, Mac Server, and Mac memory analysis.

518.5 iOS Forensics
From iPods to iPhones to iPads, it seems everyone has at least one of these devices. Apple iDevices are seen in the hands of millions of people. Much of what goes on in our lives is often stored on them. Forensic analysis of these iOS devices can provide an investigator with an incredible amount of information. Data on these iOS devices will be explored to teach the student what key files exist on them and what advanced analysis techniques can be used to exploit them for investigations.

518.6 The Mac Forensics Challenge
Students will put their new Mac forensics skills to the test by completing the following tasks:
• In-Depth HFS+ File System Examination
• File System Timeline Analysis
• Advanced Computer Forensics Methodology
• Mac Memory Analysis
• File System Data Analysis
• Metadata Analysis
• Recovering Key Mac Files
• Volume and Disk Image Analysis
• Analysis of Mac Technologies including Time Machine, Spotlight, and FileVault
• Advanced Log Analysis and Correlation
• iDevice Analysis and iOS Artifacts