25,000+ Courses Nationwide
0345 4506120

Certified Mac Forensics Specialist

This specialist-level course is for experienced forensic investigators whose role requires them to capture, examine and interpret data from Mac systems.

Apple is increasing its market share in both the private and commercial/corporate marketplace. This three-day course concentrates on identifying what is, how can I find, extract, decode and interpret the data stored on an Apple device from a forensic practitioner’s
perspective, using hands-on exercises to demonstrate and reinforce understanding.

Who should attend?
Forensic practitioners, systems administrators and cyber investigators who want to extend their experience with Window-based systems to the Mac environment.

Select specific date to see price, venue and full details.

Learning Objectives

Upon completion of the course you will have:

  • Collected volatile data from a live Mac system
  • Explored different approaches to imaging and decrypting Mac systems
  • An understanding of the new APFS file system
  • Practical knowledge of Apple partitioning schemes and the HFS+ file system
  • Examined a Mac system for configuration of user accounts, Application/data
  • An understanding of Time Machine
  • Interpreted data from unified logs, plists and SQLite databases

Key Benefits

This course will give you the opportunity to:

  • Develop confidence when faced with Apple systems and required to collect data from Mac systems
  • Learn effective techniques to process and interpret data and artefacts from Mac OS
  • Learn effective techniques for the identification and interpretation of forensic artefacts on Apple systems
  • Improve your ability to respond effectively to a wider range of forensic incidents


Completion of the Certified Forensic Investigation Practitioner course is highly recommended. Otherwise you will need:

  • Knowledge of the principles and guidelines surrounding forensic investigation
  • Basic knowledge of data structures, e.g. binary and hexadecimal

Course Content

1. Brief history of Apple and the current marketplace

2. Key differences between Windows and Mac forensics

3. System basics: architecture, device management and permissions

4. Techniques to examine Plists, Base64 & SQLite

5. Apple volume management: Core Storage, APFS and encryption

6. Live data collection - imaging, RAM, ioreg and volatile data

7. Introduction to MAC memory analysis

8. Imaging seized MAC’s

9. Decrypting FileVault 2 - with a password, without a Mac

10. Partitioning Schemes: APM, MBR and GPT

11. Apple File Systems: HFS+, HFSX and APFS

12. HFS+ in detail from forensic perspective:
a) File timestamps
b) Special files
c) Data and resource forks
d) Symbolic and Hard Links
e) File System Events

13. APFS core functionality and parsing

14. iOS based devices: Challenges and limitations associated with data extraction and examination

15. Examination of a MacOS system
a) System information and configuration
b) User accounts
c) Log files
d) Network and device connections
e) User activity and thumbnails
f) Printing and Trash
g) Previous Versions
h) Spotlight
g) Applications including Messages, Facetime, Mail, iWorks, Photos
h) Safari

16. Time Machine: Functionality, data layout and recovery

Exams & Certification

Those delegates successfully passing the exam at the end of the course will be awarded the Certified Mac Forensics Specialist (CMFS) qualification.

Related Courses

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the requested service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


We work with the best