DF420 – Macintosh Examinations with EnCase Forensic Training

Course Information

The introduction of the iPod, iPhone, and iPad and the use of Intel-based processors have generated a steep increase in the sales of Macintosh computers, which are no longer restricted to the realm of desktop publishing and computer-aided design.

Computer users are attracted by the design of the Macintosh, its UNIX-like stability, ease-of-use, and its ability to run Microsoft® Windows. Most die-hard Windows users will refuse to return their Mac once they’ve started using it.

Course Outline

This hands-on course makes a departure from the world of Microsoft Windows and provides in depth instruction on analysing the various Macintosh operating system artifacts. The course’s topics will cover:

Acquisition of internal storage in an Apple Macintosh, and disk layout
HFS+ volume structure including in-depth analysis of the Catalog and Extents Overflow files and low-level file recovery
APFS container and volume structures, including data recovery using APFS checkpoints
Fundamental Mac OS X operations, Mac disk, and disk-image analysis and acquisition
Max OS X system, user, application, and Internet artifacts

Who Should Attend

This course is intended for EnCase users, working as law enforcement officers, corporate and private investigators, computer forensic examiners, and network security personnel. A basic understanding of the concepts of computer forensics is required. The class curriculum continues with the tuition provided in the DFIR-Building an Investigation course, continuing with a focus on conducting examinations of the Macintosh operating systems.

Course Pre-Requisites

Instructors

Course Duration / Dates

Course Fees

Download Course Outline