Magnet AXIOM macOS Examinations (AX350)
During the AXIOM macOS Examinations (AX350) training, participants learn how to examine devices that run on the macOS operating system.
For whom is this training intended?
This four-day training is designed for digital investigators who are familiar with the principles of digital forensics and who wish to expand their knowledge in the areas of macOS and device forensic analysis based on the APFS file system and AXIOM. We recommend that participants first complete the AXIOM Examinations (AX200) training before starting this training.
What do you learn during the training?
- The basics of the macOS operating system and the APFS file system, including the changes in the security of macOS devices and the main components of the macOS operating system.
- What encryption challenges exist and how they can be investigated using Passware.
- What different macOS logs there are and what log artifacts can be found.
- What the KnowledgeC and powerlog databases stored on macOS are and what they mean.
- What internet artifacts there are.
- What specific details of a user account may be of interest to a forensic investigation.
- How to recover artifacts and attachments from the standard mail application, Mail.app.
- What useful information can be found on a desktop, for example which items are stored in the Mac Dock, menu bar applications, recently used items and thumbnails.
- What the Time Machine and Snapshot features of macOS and the APFS file system mean.
- How macOS cloud services are used and which databases control the data flows between the cloud services and the host computer.
This training is modular. Each module uses scenarios and hands-on exercises to reinforce the learning objectives.