FT220, Macintosh Forensic Examinations (McFE)
Who Should Attend:
Training is available to DCIO and CI investigators and prospective lab examiners.
Prerequisites:
TT110 (INCH), RT120 (CIRC), and FT210 (WFE-E) or applicable Test outs
Duration:
10 Days
Course Description:
This course is a combination of lecture, instructor-led demonstrations, and
hands-on practical exercises that introduce investigators and analysts to
the fundamental concepts necessary to perform a forensic examination of a
Macintosh computer system.
Objectives:
- Explain the basics of how Apple Computer hardware and software work
- Set up Macintosh and Windows Forensic Workstations
- Import digital evidence into EnCase 6 and conduct various investigative tasks
- Import digital evidence into Macintosh environment and conduct further analysis
- Apply knowledge of Apple file systems and applications to forensic examinations of Apple Computer systems
- Document in a report how the evidence supports the investigation
Topics Covered
Apple Computer Technologies
- Apply knowledge of Apple hardware, software, and file systems to forensic examinations
- Apple hardware such as the PowerBook G4, Power Mac G5, iMac, iBook, and iPod
- OS X and Apple software for Internet browsing, e-mail, digital photography, and office productivity
- HFS, Extended HFS+, and other file systems supported by OS X
Analysis
- Conduct forensic examinations of Macintosh systems using EnCase 6 and the Macintosh native environment
- Examining Web-related evidence including Web-enabled features of iDisk and .Mac
- Analyzing e-mail
- Analyzing artifacts created by Macintosh software applications
- Analyzing OS X system data
- Performing FileVault analysis
- Searching and identifying files using EnCase 6
- Handling encryption

