Macintosh, iPod forensic courses available

Apple StorePhoenix Data Group is offering training in the recovery of digital evidence from Macintosh computers.

The training will allow an examiner to walk away with the skills necessary to properly seize, acquire, analyze and document an examination of an Intel-based Macintosh computer in a forensically sound manner. PDG instructors are IACIS Certified Forensic Computer Examiners and have real world experience in both law enforcement and corporate environments. Additionally instruction is provided on the forensic seizure and examination of Apple iPod devices.

Two classes are currently scheduled: Fredericksburg, VA (August 13-17th) and Santa Ana, CA (September 24-28th).

Pricing is $1595.00 for law enforcement/government and $1895.00 for corporate trainees.

More info:


  1. Thankfully, there’s such a thing as encrypted disk images. An encrypted image stored three or four layers into a series of encrypted images should keep any examiner busy long enough for the statute of limitations to run out. ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

  2. If you don’t already know…

    …there is software that inspects every file on the hard drive(s), including system files in Mac OS X, that if it’s a image it will dislay it, much to some people’s dismay.

    For some reason Mac OS X stores images of DVD’s and other things one has viewed, even if they have cleared the caches using Onyx (etc).

    Why does Mac OS X store this mini-images, especially of DVD’s (even ripped) and other thumbnails images in a permanent fashion even after the orginal image is destroyed/caches cleared, is unknown at this time.

    I don’t remember the name of this software that I used, “graph” something I beleive, but it reveled ripped DVD images that I long ago erased the orginals, plus other web images.

    Quite disturbing to say the least.

    Anyway, the first thing a FE is going to do is rip your hard drive out and read the platters directly with a device that reads the 1’s and 0’s directly making up the images or files. So filevault and encrypted disk images are needed.

    Next of course once the encrypted files are seen they will hook the hard drive to a Mac and attempt to gain admin access through a OS disk. So now you need a firmware password, so that the password is kept in the ROM of the mac computer, not in the hard drive and they can’t C boot from a OS disk to reset the admin password.

    Of course then they could flash the firmware with a special version given to them by Apple that will allow C booting from a OS install disk.

    Then of course there is EFI, which is run by the folks of UEFI which are not Apple and can do what they please.

    EFI is very dangerous high functioning firmware level that can even contact the internet and download, run code, access hard drives etc. all by itself, without a OS needed.

  3. If you’re not using Secure VM, your passwords can most probably be recovered from the virtual memory swap files, which makes File Vault pointless.

    If Secure Sleep is enabled (hibernation), the sleepimage file will also often have your password in clear text.

    This is most probably the primary attack vector they’re teaching.

    So in order to have your legal(!!!) confidential information secure:

    – Disable Safe Sleep, which unfortunately requires a command-line sequence:

    sudo pmset -a hibernatemode 0
    (sudo requires your password for authorization.)

    Sleep will henceforth be immediate without the longish write-out which had been normal before, but you’ll have to shut down in order to swap batteries on a MacBook.

    The modes are as follows:
    mode 0: suspend to RAM
    mode 1: suspend to disk (power off)
    mode 3: suspend to disk + RAM
    mode 5: (secure VM) suspend to disk (power off)
    mode 7: (secure VM) suspend to disk + RAM

    Then delete the hibernation sleep image securely:

    sudo srm /var/vm/sleepimage

    – Enable “Secure VM” in the Security control panel.

    You should be significantly more secure after that.

    Be careful and do the above only if you think you halfway know what you’re doing!

  4. There’s a Mac forensics site on the web. It takes itself very seriously, but it’s like a Mac anti-virus application — it’s loaded with Windows crap.

    I really hope this thing gets some sort of meaningful coverage, because I suspect it’s little more than a Florida swamp-land real-estate push or an expense-account gravy train.

    A “computer-forensics” character in an old Law and Order episode couldn’t get anything off a tower, shown in the background. It was a G3. Hey, it’s a TV show. But it’s freakin’ Law and Order!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.