Certified Mac Forensics Specialist (CMFS)

Provided by

Enquire about this course


This specialist-level course is for experienced forensic investigators whose role requires them to expertly examine Apple devices, giving them knowledge and confidence in handling the data and forensic evidence in Mac OS X and iOS environments.


Apple is becoming increasingly popular and as a consequence, computers running Mac OS X operating systems are increasingly becoming the subject of forensic investigation.

This three-day course concentrates on identifying what is, how can I find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner;s perspective using hands-on exercises to demonstrate and reinforce understanding.


Completion of the 7Safe CFIP course is highly recommended. Otherwise you will need:
  • Knowledge of the principles and guidelines surrounding forensic investigation
  • Basic knowledge of data structures, e.g. binary and hexadecimal
Who should attend?

Forensic practitioners, systems administrators and cyber investigators who want to extend their experience with Window-based systems to the Mac OS X and iOS environments.


Delegates will learn how to

  • You will learn the underlying data structures of Apple devices and the many forensic artefacts specific to Mac OS X and iOS.
  • You will practice using real life examples to identify, find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner;s perspective

This course will give you the opportunity to:
  • Learn effective techniques for the identification and interpretation of forensic artefacts on OS X and iOS devices
  • Understand Apple disk partitioning and develop confidence when identifying and isolating artefacts from Apple devices
  • Improve your ability to respond effectively to a wider range of forensic incidents

  • Apple device and OS development
  • Review of forensics methodology and best practice
  • Pro;s and con;s of using Windows based forensic software
  • Latest OS X features
  • Data structures - Plists & SQLite & Base64
  • Seizure and imaging
  • Disk Partitioning - APM & GPT
  • Apple File Systems
  • HFS+ in detail from a forensic perspective
  • File Vault - encryption
  • System Configuration
  • User Accounts
  • Log Files
  • Printing
  • Trash
  • Popular Apps - E-mail, iMessage, iWorks
  • Safari - Web browser
  • Time Machine
  • Introduction to iOS
  • Seizure & Imaging (iPhone / iPad)
  • Device specific artefacts
  • iOS device backups
  • Virtual machines
  • Identifying, extracting and investigating virtual machines such as Parallels and VMWare Fusion
  • OS X Versions
  • How file versioning works, where they are stored and their forensic value
  • Live data capture
  • How to capture live data from a machine running OS X
  • Enquire

    Start date Location / delivery
    No fixed date United Kingdom Book now
    01132207150 01132207150

    Related article

    QA's practice director of Cyber Security, Richard Beck, rounds up the latest cyber security news.