The updated Digital Forensics and Incident Response Poster adds new sections and enhancements for macOS 15 and iOS 18 from Sarah Edwards' SANS FOR518 course research.
The latest updates to the Digital Forensics and Incident Response Poster bring a wealth of new sections and enhancements, including significant changes to artifacts in the latest versions of macOS and iOS. These updates are based on cutting-edge research conducted by Sarah Edwards during her work on the SANS FOR518: Mac and iOS Forensic Analysis and Incident Response course, covering macOS 15 and iOS 18.
Download the new update here.
So, what are some of the key updates? While there are too many to cover them all, here are a few highlights:
Biomes are gradually replacing the traditional KnowledgeC and InteractionC databases for tracking user activity. This new format uses protobuf-encoded data to track app usage times and transitions across devices.
This feature tracks device interactions with CarPlay-enabled vehicles, logging activities such as navigation, media playback, and calls.
Spotlight indexes a system to help users search for files by indexing metadata, extended attributes, and even some file content. This can reveal what files a user has searched for and shared.
AirDrop transfers are logged in Unified Logs, recording both accepted and declined transfers, along with file types and the devices involved.
This section covers how devices log interactions between users through apps like Messages, Mail, and Phone, helping to track communication patterns.
The Transparency, Consent, and Control (TCC) database logs sensitive app permissions, such as access to location, contacts, and the microphone, along with timestamps of when permissions were granted.
This section explains how Apple’s XProtect antivirus system quarantines potentially harmful files, giving investigators access to information on flagged files and the reasons behind the quarantine.
This section details how health metrics like steps, heart rate, and other fitness data might be available to an investigator and analyzed using forensic tools like APOLLO.
This updated section offers insights into Bluetooth interactions, including timestamps for device connections and nearby devices.
A new section on Apple File System (APFS) snapshot mounting explains how to retrieve data from specific points in time, enhancing forensic capabilities when analyzing system changes or historical data.
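To make the TCC highlight above concrete, here is an added example (not code from the poster, the blog post, or SANS) that builds a timeline of granted permissions from a TCC-style SQLite database. The table layout, the meaning of auth_value codes, the client_type codes, the epoch-seconds timestamp column and the on-disk TCC.db paths are assumptions drawn from general knowledge of macOS rather than from this page, and every row inserted is constructed sample data; the query itself works the same way against a read-only copy of a real TCC.db opened with open_tcc_db().

```python
"""Timeline of granted TCC permissions from a TCC.db-style database.

Added example, not part of the SANS poster or blog post. Assumptions (not
stated on the page): the `access` table columns below match the ones in
macOS TCC.db (system copy: /Library/Application Support/com.apple.TCC/TCC.db,
per-user copy: ~/Library/Application Support/com.apple.TCC/TCC.db),
auth_value 2 means "allowed", client_type 0 is a bundle identifier and 1 an
absolute path, and last_modified is a Unix epoch in seconds.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed subset of the TCC.db `access` table (assumed schema).
TCC_SCHEMA = """
CREATE TABLE access (
    service        TEXT    NOT NULL,
    client         TEXT    NOT NULL,
    client_type    INTEGER NOT NULL,
    auth_value     INTEGER NOT NULL,
    auth_reason    INTEGER NOT NULL,
    last_modified  INTEGER NOT NULL,
    PRIMARY KEY (service, client, client_type)
);
"""

# Constructed sample rows (service, client, client_type, auth_value,
# auth_reason, last_modified). Timestamps are 12:00 UTC on 1-3 Oct 2024.
SAMPLE_ROWS = [
    ("kTCCServiceMicrophone", "com.example.meetings", 0, 2, 3, 1727784000),
    ("kTCCServiceCamera", "com.example.meetings", 0, 0, 3, 1727784060),
    ("kTCCServiceAddressBook", "com.example.mailer", 0, 2, 3, 1727870400),
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup-agent", 1, 2, 4, 1727956800),
]

# Assumed code meanings; anything unmapped is shown as its raw integer.
AUTH_VALUE = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
CLIENT_TYPE = {0: "bundle id", 1: "absolute path"}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(TCC_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open a copied TCC.db read-only so analysis never modifies the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def granted_permissions(conn: sqlite3.Connection, services=None):
    """Return (iso_timestamp, service, client, client_kind, decision) tuples
    for rows whose access was allowed, oldest first. `services` optionally
    restricts the output to the given kTCCService* names."""
    sql = ("SELECT service, client, client_type, auth_value, last_modified "
           "FROM access WHERE auth_value = 2")
    params = []
    if services:
        sql += " AND service IN (%s)" % ",".join("?" * len(services))
        params = list(services)
    sql += " ORDER BY last_modified"

    timeline = []
    for service, client, ctype, auth, ts in conn.execute(sql, params):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        timeline.append((when, service, client,
                         CLIENT_TYPE.get(ctype, str(ctype)),
                         AUTH_VALUE.get(auth, str(auth))))
    return timeline


if __name__ == "__main__":
    db = build_sample_db()
    for when, service, client, kind, decision in granted_permissions(db):
        print(f"{when}  {decision:<7} {service:<32} {client} ({kind})")
```

Running it against the constructed rows lists the three allowed grants in time order and omits the denied camera request; passing a list such as ["kTCCServiceMicrophone", "kTCCServiceAddressBook"] narrows the timeline to the sensitive services an investigation cares about.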
The updated Digital Forensics Poster equips investigators with cutting-edge knowledge and tools to navigate the ever-evolving Apple ecosystem. From CarPlay interactions to more granular tracking with Biomes and APFS snapshots, these updates provide deep insights into user activities and device interactions across macOS and iOS platforms. Staying current with these advancements is essential for maximizing the potential of forensic investigations on Apple devices.
Please note that to make room for these updates, we’ve removed some older information related to the HFS+ file system and earlier versions of macOS and iOS. If you expect to work with older systems, you may want to hold on to previous versions of the poster!
Equip yourself with the latest forensic insights for macOS and iOS investigations! Download the updated Digital Forensics and Incident Response Poster now and stay ahead with new tools and techniques to uncover vital evidence across Apple devices.
Kathryn encourages her students to be inquisitive and learn how to make the first step in finding answers to the unknowns. Her main goal is to give students a toolset to allow them to be productive in the office. “I love teaching students the areas we currently understand, and paving the way for them to go away, pick up those research pieces and dig deeper into the lesser known aspects of the OS and applications. I am not one to be constrained by the live demo curse and love to break out into tools to show how things work in real life. I have always learned much more by doing than watching, and this is very much my teaching style too,” she says.
Read more about Kathryn Hedley