AX350 is an expert-level four-day training course, designed for participants who understand digital forensics fundamentals, basic Axiom usage, and are seeking to expand their forensic investigative skills targeting Mac computers.
Students will investigate a scenario involving network and computer intrusions, data theft, and distribution of stolen data, including possible attempts to market the stolen data via the dark web. The four-day course will take the student from receipt of initial information to the on-scene response, ending with the laboratory phase of artifact analysis and reporting.
Topics covered include live box triage and acquisition, dead box preview and acquisition, encryption remediation, case processing and examination, and both forensic and investigative analysis.
Course Modules
Module 1: Course introduction and Magnet Axiom installation
An introduction as to what to expect throughout the course for students as well as an overview of Axiom, its system requirements, and installation information.
Module 2: Course scenario and macOS overview
This module has two focus areas: a detailed training scenario that sets the stage for the course and provides investigative guidance for the duration of the training week, and an overview of Mac computing to level-set students regardless of their experience with Apple products. Learn about the macOS operating system and the APFS file system, including boot considerations, Mac desktop orientation, APFS internals, property lists, Unix paths, Mac search and indexing, the Apple virtual assistant, and backups.
Module 3: Mac first responder
Discuss activities and decisions that are part of initial investigation involving Mac computers, including addressing non-removable media, T2 chips, physical connectivity to a target Mac, user-level access, RAM acquisition, encryption awareness, live box triage, and dead box preview.
Module 4: Mac acquisition and processing
Discuss tools, methods, and options for forensically acquiring Mac digital evidence including internal and external data storage devices, methods for defeating encryption, recovering passwords and recovery keys, and processing Mac evidence with Axiom.
Module 5: System analysis of macOS/APFS
Mac system analysis includes the physical, logical, file system, and application layers of the digital storage device model. Focus areas include the macOS operating system, rebuilt desktop, network interfaces and hosts, USB connections and devices, mobile device backups, system logs, and more.
Module 6: User accounts
Areas of focus related to user accounts include both local user accounts and internet accounts. Local accounts that are active on the system, those accounts with administrator-level rights, permissions, and privileges, and deleted accounts are all explored. Apple cloud accounts, mobile device owner accounts, as well as account passwords and tokens are also included.
Module 7: Intrusion and unauthorized access
Digital forensics is increasingly about incident response. This module covers artifacts pertaining to threat actors and their methods of obtaining unauthorized access to computers and networks; the techniques used are equally applicable to most other digital forensic examinations. Artifact areas include the Safari web browser, media files, documents, and others that may be useful to establish that the computer investigated was used in an intrusion event. Tools and methods commonly used to gain and exploit access are covered, including Metasploit, Zenmap/nmap, secure shell, and file transfer protocol. Students will use a method of timeline analysis to help the evidence tell the story it wants to tell.
Module 8: File analysis and corroboration
File analysis is used to investigate stolen files, data, and other intellectual property, as well as to corroborate any preliminary investigation done prior to the forensic examination stage, including information received from confidential sources and other witnesses. Areas of focus include cloud file storage and sharing, printer artifacts, local file access artifacts, instant messaging, email, and local encrypted archives.
Module 9: Backups and removable devices
Mac backups are often found on removable devices, and working evidence found on removable devices associated with a Mac computer can present the investigative team with new or corroborative evidence. Areas of focus include extended attributes, Mac antimalware and protection systems, and leveraging media analysis in Axiom.
Module 10: Investigative conclusions and final reports
This module is a compendium of the small investigator's notes scattered throughout the training material that call out new investigative facts as they are learned. Gathered in one module, the investigator's notes form a narrative that details the investigation from beginning to end. Students can also generate a final Axiom report to take with them for future review. The content of this module, together with a comprehensive Axiom case report, can help students recall the lessons learned during class and serve as a guide during real-world investigations. Because the investigator's notes tie directly back to the relevant training modules, students who successfully complete this course can conduct future investigations with more confidence through reinforcement, rather than relying solely on their ability to memorize what was discussed in class.
We are committed to staying at the forefront of innovation by continuously researching new techniques and solutions. If there is something specific you need that isn't listed on our website, please don't hesitate to reach out; we're here to help. We understand that important tasks often arise unexpectedly, and whenever possible we will make every effort to accommodate urgent requests promptly and efficiently.
