13Cubed/Investigating macOS Endpoints

  • $895

Investigating macOS Endpoints

  • Course
  • 49 Lessons
  • 365-day access

Starting with fundamental principles, Investigating macOS Endpoints advances to encompass log analysis, file systems, forensic artifacts, persistence mechanisms, evidence collection, and more! This course offers extensive hands-on practice and a capstone involving the analysis of a compromised system. Tailored for both beginners and seasoned professionals, it serves as an ideal resource for mastering macOS forensics!

Frequently Asked Questions

How long is this course?

Approximately 10 hours for the video and written content. The total time required to complete all modules/lessons and perform image analysis is estimated at 20-40 hours.

How long will I have access once I purchase the course?

365-day access is included for all courses. Enjoy a 25% discount if you re-enroll after your initial access period.

🏅 Is there a certification associated with this course?

Yes! You can earn a certification by passing the Knowledge Assessment included with every course purchase. See training.13cubed.com/certifications for details.

Are there any prerequisites?

Just a basic understanding of macOS, and a willingness to learn!

Will new content be added?

Yes! The content will be updated to reflect any significant changes to the topics covered in this course to ensure it remains relevant over time.

Can I suggest new topics for potential inclusion in future modules/lessons?

Yes! Contact us at info@13cubed.com.

Can I obtain a certificate of completion at the end of the course?

Yes! Upon completion of the course, you will automatically receive an email with a link to download your personalized certificate.

🛒 Are bulk purchase discounts available for companies?

Course Contents

Welcome and Introduction

  • Welcome and Introduction

Initial Setup

  • Initial Setup

Introduction to macOS

  • History
  • Root Directory Structure
  • File and Directory Permissions
  • Users and Groups
  • Shells and Command History
  • System Integrity Protection (SIP)
  • Transparency, Consent, and Control (TCC)
  • XProtect
  • FileVault

macOS Logs

  • Overview of the Unified Logging System
  • Unified Logs – System and Kernel Events
  • Unified Logs – Authentication and Security
  • Unified Logs – Advanced Authentication and Security
  • Unified Logs – Firewalls and Proxies
  • Unified Logs – Wi-Fi and Network
  • Unified Logs – Bluetooth
  • Unified Logs – Gatekeeper, TCC, and XProtect
  • Unified Logs – Crash Reporting
  • Legacy Logs
  • Application-specific Logs
  • Additional Topics and Tools

macOS File Systems

  • HFS+
  • APFS
  • exFAT

macOS Core Forensic Artifacts

  • Introduction
  • .DS_Store
  • Trash
  • File System Events (FSEvents)
  • knowledgeC.db
  • Biome
  • mac_apt + Additional Artifacts

Persistence Mechanisms

  • Launch Daemons and Launch Agents
  • Privileged Helper Tools
  • Cron Jobs
  • Login Items
  • System Extensions
  • SSH Keys

Evidence Collection

  • Unified Logs
  • Fuji
  • Unix-like Artifacts Collector (UAC)
  • Acquiring Memory

Timelining

  • UAC + mactime
  • Plaso/Log2Timeline

Analyzing a Compromised System

  • The Scenario
  • Getting Started
  • Incident Postmortem

Knowledge Assessment

  • Knowledge Assessment