Cellebrite Apple Forensic Fundamentals (CAFF) is a four (4)-day course designed with hands-on learning and real case scenario data using Cellebrite Digital Collector and Inspector software. Participants will learn how to perform both triage and analysis of specific data points that exist within operating system and file system artifacts. A CAFF instructor will guide attendees through the most important macOS and iOS digital artifacts. Participants will analyze mounted volume evidence, device connection evidence, and network connections in macOS. The macOS and iOS operating systems, HFS+ and APFS file systems, and significant application data are explored throughout the class.

Course Learning Objectives

Upon successful completion of this course, students will be able to:

• Distinguish between the startup procedures for the various types of Apple computers.
• Develop a plan of attack to successfully triage and image Apple computers.
• Describe macOS structures and the limitations that each present.
• Explain the importance of HFS+ and APFS file system artifacts.
• Explain how changes to APFS and the macOS structure can impact forensic analysis.
• Describe how macOS handles property-list (PLIST) data.
• Identify user preferences and system preferences Analyze how date/time and time zone data affects analysis.
• Recognize the different disk images found in macOS examinations.
• Examine how media files found are stored, viewed and shared on macOS and iOS.
• Analyze various Apple metadata attributes and how they can assist in forensic analysis.
• Analyze mounted volume evidence, device connection evidence, and network connections in macOS.
• Examine artifacts from web browsers such as Safari and articulate your findings.
• Interpret numerous log files found on macOS and iOS devices and articulate your findings.

DOWNLOAD COURSE OVERVIEW →

REGISTER NOW →