Macintosh Forensics presented at AusCERT 2009

by Steve Whalen, Rob Spitler

Summary: This two-day hands-on training covers some of the most important topics found in Forward Discovery’s 5-day Macintosh Forensic Survival Course (MFSC), which has been designed by the top experts and practitioners in the field of Macintosh forensics. Forward Discovery is recognized as a leader in computer forensic and incident response training worldwide. Forward Discovery’s Macintosh Forensic Survival Course is designed with the knowledge that an examiner must be able to successfully testify in a court of law, work within limited budgets and high case loads, develop comprehensive reports and process cases in a “no-nonsense” and timely fashion. Our training was designed for the student to learn what is needed, with a no-one-left-behind attitude, in a teamwork atmosphere with hands-on training. Students will walk away with the skills necessary to properly seize, acquire, analyze and document an examination of an Intel-based Macintosh computer in a forensically sound manner. Unlike most instructional environments, our forensic training is conducted without relying on automated forensic tools, allowing the participant to apply what is learned to any tool in their forensic arsenal. The training was built upon a systematic approach to the forensic examination of a Macintosh from start to finish, in a way that just makes logical sense.
Topics include:
• Forensic Review of Mac OS X.
• Configuration of a Mac for Forensic Use.
• Mac Security Issues and FileVault.
• Obtaining System Information.
• Bypassing Open Firmware Passwords.
• Collecting Volatile Data.
• Safe Acquisition and Imaging Techniques.
• Working with Forensic Images.
• Identifying Evidence in Macintosh Data Structures.
• Locating Evidence within Mac OS X.
All participants will receive copies of Forward Discovery’s Raptor Forensic Acquisition CDs along with training on its use.