FOR518: Cyber Security Training at SANS DFIRCON Miami 2024: Special Edition

What You Will Learn

Digital forensic and incident response investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iOS device? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms. Dealing with these devices as an investigator is no longer a niche skill - every analyst must have the core skills necessary to investigate the Apple devices they encounter.

This consistently updated FOR518 course provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers that have compromised Apple devices.

"Again, SANS proves to provide the best technical training the market has to offer. Sarah has put together a comprehensive, coherent, challenging, and downright fun (is convivial too much?) course to attend. The FOR518 is everything I wanted it to be and so much more. I realize only now how apt a phrase "Impera Magis, Aliter Cogita" truly is: if you want to be successful at this course, embrace the command line, and abandon all ye know of Windows, because this is a different OS. I am thrilled to be taking this course and can't wait to dive even deeper into the limitless nuance MacOS & iOS forensics have to offer."
What Is macOS and iOS Forensics Analysis?

macOS and iOS forensic analysis is the recovery, analysis, and interpretation of data stored on Apple devices.
Business Takeaways
  • Empower employees to investigate various crimes such as computer misuse, malicious device intrusions, corporate espionage, insider threats, and fraud.
  • Learn how various Apple data is stored and how to analyze it using tool-agnostic methods, without the need for expensive commercial forensic tools.
  • Identify different forensic artifacts and nuances between the Apple platforms (macOS and iOS).
  • Understand the wealth of user-related information that can show how a device was used or abused.
  • Learn the differences of performing forensics and security assessments when Apple devices are involved versus other industry-standard operating systems.
Skills Learned
  • Understand the nuances between macOS and iOS devices
  • Dive into how the Apple magic works between devices, and how that can help investigations
  • Determine the importance of each file system domain and how data is organized
  • Conduct temporal analysis of a system by correlating data files and log analysis
  • Profile how individuals used the system, including how often they used the system, what applications they frequented, and their personal system preferences
  • Identify remote or local data backups, disk images, or other attached devices
  • Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
  • Analyze and understand macOS metadata and their importance in the Spotlight database, Time Machine, and Extended Attributes
  • Develop a thorough knowledge of the Safari web browser, Apple Mail, and many more applications by looking at their internal databases
  • Identify communication with other users and systems through Messages, FaceTime, SSH remote login, Screen Sharing, and AirDrop
  • Conduct an intrusion analysis of an Apple device for signs of compromise or malware
  • Understand the APFS file system and its significance with a bonus Lab to parse the APFS file system by hand, using only a reference sheet and a hex editor
  • Understand how the Apple ecosystem of devices works and how the devices interact with each other. From AirTags, to Vision Pro, to the Apple Watch, to HomeKit, all of these Apple technologies leave artifacts on macOS and iOS devices.
Hands-On macOS and iOS Forensics Training

The hands-on portion of FOR518 is unique and especially suited to those who love to dig into the data. The labs were created to show how Apple data is stored and how to interpret it without the need for an expensive commercial utility. They give students a hands-on perspective on the data shown in the class presentations and let them apply the concepts to the course dataset. The labs are a major component of the learning experience and enable students to apply the course's analysis topics more successfully after they leave the classroom.

"Labs were very accurate and relevant to the topics we were learning during class. Very entertaining, interesting and challenging."

"The exercises were complicated, but the walkthroughs and questions were easily digestible, which is hard to do! Some of the more recent classes I've taken had such complicated labs that you couldn't easily track back to a mistake. Sarah's designed the labs to be just as complicated, if not more so, while using language, and questions, to make troubleshooting so much easier."

"Really enjoyed the labs, love that it's highly encouraged to use the command line tools. Nothing against any vendor and their GUI, but my goal since starting in cyber security was to use the command line as much as possible (without being impractical). This course is a master class in that."
Syllabus Summary
  • Section 1: An introduction to the Apple platforms including data storage, file analysis, and data interpretation.
  • Section 2: Log analysis and review of various user and system settings.
  • Section 3: It's all about the metadata stored within multiple file system artifacts.
  • Section 4: Every application is different; review how each app stores its data.
  • Section 5: All other things; from pattern of life analysis, to password cracking, to malware, and "one more thing!"
  • Section 6: The Apple Forensics Challenge, take what you learn in class and compete in a CTF-style challenge against others.
Additional Free Resources
  • macOS and iOS Forensic Analysis
  • SANS FOR518 Reference Sheet
  • SQLite Pocket Reference Guide
What You Will Receive
  • Course ISOs loaded with dataset and tools.
  • MP3 audio files of the complete course lecture
Course topics
  • Advanced Computer Forensics Methodology
  • Apple Specific Acquisition and Live Response Collection
  • File System Data Analysis
  • Metadata Analysis
  • Recovery of Key Mac and iOS Files
  • Database Analysis
  • Volume and Disk Image Analysis
  • Analysis of Mac Technologies, including Time Machine, Spotlight, and FileVault
  • Analysis of Apple Devices including AirTags, Apple Watch, FindMy, HomeKit as they interact with the macOS and iOS counterparts
  • Advanced Log Analysis and Correlation
  • In-Depth APFS File System Examination
What Comes Next?

Depending on your current role or future plans, one of these courses is a great next step in your digital forensics and incident response journey:
  • FOR585
  • SEC575
  • SEC573
