Why You Should Take the SANS Mac Forensics Class

I had an experience a few months ago in which one of our cases required an out-of-state collection. The client didn’t want to pay travel expenses so they asked for a local forensics expert to image the system and then conduct the analysis. When he arrived on site he called the client and explained that the computer was a Mac and, as such, he was not able to image the device. He “didn’t do Macs”. He explained that he would have to purchase some equipment and wait for it to be delivered before continuing. I was looped into the call and I explained to him that the collection could be accomplished by virtue of a forensic boot disc. After walking him through the process he was able to collect the MacBook just fine.

Two weeks later this same man told the client that he couldn’t find any evidence on the image. The client was prepared to take his analysis at face value. I managed to persuade the client, however, to let me take a look and see what I could find. After looking at a few artifacts I reported my findings to the client. They were as amazed at what we had found as they were horrified by the fact that the other investigator had found nothing after two weeks of analysis.

In a world where forensic investigators struggle to keep up with the latest technology, we should be investing heavily in becoming educated and getting informed. If we don’t, we may well find ourselves being bypassed by younger, brighter analysts. The knowledge that was so cutting-edge 5 years ago is, today, largely outdated. You know how to examine a Windows XP machine? Great! Why not go back to 2010, when that knowledge was relevant?

With consumer confidence in Microsoft (and the subsequent sales of PCs) on the decline, we’re starting to see Apple computers flood the marketplace, not only in consumer markets but also in business. We need to adapt and learn.

Today rounded off the first run of the SANS FOR518 Mac Forensics class. I was lucky enough to attend as a student.

Sarah Edwards (@iamevltwin) has spent the last several months putting the material together and I have to say that it is fantastic. The content is very detailed and provides excellent information on the following:

  • HFS+ File System
  • System Settings
  • User Settings
  • Apple Mail
  • Safari
  • iMessage and Other Instant Messaging Clients
  • iWork
  • iCloud
  • System Logs
  • OSX Extended Attributes
  • Time Machine Analysis
  • Mac Malware
  • Mac Memory Forensics
  • iOS Analysis
  • A LOT more.

To pack this into 5 days of instruction is incredible. While I’ve been involved with SANS for a couple of years, this is the first time I’ve actually been an attendee and I found the class to be a great mix of low-level “bits & bytes” analysis and high-level application analysis.

Don’t get me wrong, if you aren’t familiar with the command line for Unix-based systems, you’re in for a steep learning curve. While you will spend time looking at a few GUI forensics tools, the majority of the demonstrations and the exercises will require at least partial knowledge of command-line usage.

I have a fair amount of experience investigating Apple systems. In fact, Apple products appear to be the core (get it?) of what we do these days. As such I would not have expected to learn as much as I did, but there were times this week when my jaw dropped at one of Sarah’s revelations or one of Hal Pomeranz’s demonstrations. I learned a great deal and am delighted at the fact that I was able to attend.

Unless you want to be stuck in the same position as the guy I mentioned earlier, I would strongly advise you to sign up for this class.

More information about the class can be found here:


