AX350 Axiom macOS Examinations
AX350 is an expert-level four-day training course, designed for participants who understand digital forensics fundamentals, basic Axiom usage, and are seeking to expand their forensic investigative skills targeting Mac computers. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.
Description
Students will investigate a scenario involving network and computer intrusions, data theft, and distribution of stolen data, including possible attempts to market the stolen data via the dark web. The four-day course will take the student from receipt of initial information to the on-scene response, ending with the laboratory phase of artifact analysis and reporting.
Topics covered include live box triage and acquisition, dead box preview and acquisition, encryption remediation, case processing and examination, and both forensic and investigative analysis.
Course prerequisites
Because AX350 is an expert-level course, it is strongly recommended that students first complete Magnet Axiom Examinations (AX200). AX200 provides a thorough understanding of Axiom, which lets students focus on the Macintosh-based forensic artifacts and investigations covered in AX350.
Course modules
Module 1: Course introduction and Magnet Axiom installation
An introduction as to what to expect throughout the course for students as well as an overview of Axiom, its system requirements, and installation information.
Module 2: Course scenario and macOS overview
This module has two focus areas: a detailed training scenario that sets the stage for the course and provides investigative guidance for the duration of the training week, and an overview of Mac computing that level-sets students regardless of their experience with Apple products. Learn about the macOS operating system and the APFS file system, including boot considerations, Mac desktop orientation, APFS internals, property lists, Unix paths, Mac search and indexing, the Apple virtual assistant, and backups.
Module 3: Mac first responder
Discuss the activities and decisions that are part of an initial investigation involving Mac computers, including addressing non-removable media, T2 chips, physical connectivity to a target Mac, user-level access, RAM acquisition, encryption awareness, live box triage, and dead box preview.
Module 4: Mac acquisition and processing
Discuss the tools, methods, and options for forensically acquiring Mac digital evidence, including internal and external data storage devices, methods for defeating encryption, recovering passwords and recovery keys, and processing Mac evidence with Axiom.
Module 5: System analysis of macOS/APFS
Mac system analysis includes the physical, logical, file system, and application layers of the digital storage device model. Focus areas include the macOS operating system, rebuilt desktop, network interfaces and hosts, USB connections and devices, mobile device backups, system logs, and more.
Module 6: User accounts
Areas of focus related to user accounts include both local user accounts and internet accounts. Local accounts that are active on the system, those accounts with administrator-level rights, permissions, and privileges, and deleted accounts are all explored. Apple cloud accounts, mobile device owner accounts, as well as account passwords and tokens are also included.
Module 7: Intrusion and unauthorized access
Digital forensics is increasingly about incident response. This module covers artifacts pertaining to threat actors and their methods of obtaining unauthorized access to computers and networks; however, the techniques used are equally applicable to most other digital forensic examinations. Artifact areas include the Safari web browser, media files, documents, and others that may be useful in establishing that the computer under investigation was used in an intrusion event. Tools and methods commonly used to gain and exploit access are covered, including Metasploit, Zenmap/nmap, secure shell, and file transfer protocol. Students will use a method of timeline analysis to let the evidence tell its own story.
Module 8: File analysis and corroboration
File analysis is used to investigate stolen files, data, and other intellectual property, and to corroborate any preliminary investigation done prior to the forensic examination stage, including information received from confidential sources and other witnesses. Areas of focus include cloud file storage and sharing, printer artifacts, local file access artifacts, instant messaging, email, and local encrypted archives.
Module 9: Backups and removable devices
Mac backups are often found on removable devices, and working evidence found on removable devices associated with a Mac computer can present the investigative team with new or corroborative evidence. Areas of focus include extended attributes, Mac antimalware and protection systems, and leveraging media analysis in Axiom.
Module 10: Investigative conclusions and final reports
This module is a compendium of the small investigator's notes scattered throughout the training material that call out new investigative facts as they are learned. Gathered in one module, the investigator's notes form a narrative that details the investigation from beginning to end. Students can also generate a final Axiom report to take with them for future review. The content of this module, together with a comprehensive Axiom case report, can help students recall the lessons learned during class and serve as a guide during real-world investigations. Because the investigator's notes tie directly back to the relevant training modules, students who successfully complete this course can conduct future investigations with more confidence through reinforcement, rather than relying solely on their ability to memorize what was discussed in class.
Additional information
Who should attend: Participants who are unfamiliar with the principles of digital forensics
Advanced preparation: None
Program level: Advanced-level
Field of study: Computer software & applications
Delivery Method: Group internet based & group live
Refunds and Cancellations: Training Course(s) can be rescheduled to a later date or cancelled by either Magnet Forensics or you without charge or penalty if written notice is received twenty-one (21) days or more prior to the date of the Training Course. No rescheduling shall be permitted on less than twenty-one (21) days written notice, which shall constitute a cancellation without a refund. Your written rescheduling or cancellation notice must be emailed to training@magnetforensics.com or contact 202.984.3417. If Magnet Forensics cancels a Training Course due to insufficient attendance, you will have the option to register in a different scheduled Training Course or receive a full refund. Please do not book travel until you have confirmed that the Training Course will be running.
Magnet Forensics is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.