This hands-on course makes a departure from the world of Microsoft Windows and provides in-depth instruction on analyzing the various Macintosh operating system artifacts. The course’s topics will cover: 
  • Acquisition of internal storage in an Apple Macintosh and disk layout 
  • HFS+ volume structure including in-depth analysis of the Catalog and Extents Overflow files and low-level file recovery 
  • APFS container and volume structures, including data recovery using APFS checkpoints 
  • Fundamental Mac OS operations, Mac disk, and disk-image analysis and acquisition 
  • Mac OS system, user, application, and Internet artifacts 


The introduction of the iPod, iPhone, and iPad and the use of Intel-based processors have generated a steep increase in the sales of Macintosh computers, which are no longer restricted to the realm of desktop publishing and computer-aided design.
Computer users are attracted by the design of the Macintosh, its UNIX-like stability, ease-of-use, and its ability to run Microsoft® Windows. Most die-hard Windows users will refuse to return their Mac once they’ve started using it.

This course is intended for EnCase users working as law enforcement officers, corporate and private investigators, computer forensic examiners, and network security personnel. A basic understanding of the concepts of computer forensics is required. This class continues the tuition provided in the DF210-Building an Investigation course with a focus on conducting examinations of the Macintosh operating systems. 

Level: advanced
CPE Credits - 32
Prerequisites : DF210 - Building an Investigation with EnCase Forensic or EnCE Certification. Advance preparation for this course is not required