Macintosh, iPod forensic courses available

Phoenix Data Group is offering training in the recovery of digital evidence from Macintosh computers.

The training will allow an examiner to walk away with the skills necessary to properly seize, acquire, analyze and document an examination of an Intel-based Macintosh computer in a forensically sound manner. PDG instructors are IACIS Certified Forensic Computer Examiners and have real-world experience in both law enforcement and corporate environments. Additionally, instruction is provided on the forensic seizure and examination of Apple iPod devices.

Two classes are currently scheduled: Fredericksburg, VA (August 13-17th) and Santa Ana, CA (September 24-28th).

Pricing is $1595.00 for law enforcement/government and $1895.00 for corporate trainees.



  1. Thankfully, there’s such a thing as encrypted disk images. An encrypted image stored three or four layers into a series of encrypted images should keep any examiner busy long enough for the statute of limitations to run out.

  2. If you don’t already know…

    …there is software that inspects every file on the hard drive(s), including system files in Mac OS X, that if it’s an image it will display it, much to some people’s dismay.

    For some reason Mac OS X stores images of DVD’s and other things one has viewed, even if they have cleared the caches using Onyx (etc).

    Why Mac OS X stores these mini-images, especially of DVD’s (even ripped) and other thumbnail images, in a permanent fashion even after the original image is destroyed/caches cleared is unknown at this time.

    I don’t remember the name of this software that I used, “graph” something I believe, but it revealed ripped DVD images that I long ago erased the originals, plus other web images.

    Quite disturbing to say the least.

    Anyway, the first thing a FE is going to do is rip your hard drive out and read the platters directly with a device that reads the 1’s and 0’s directly making up the images or files. So FileVault and encrypted disk images are needed.

    Next of course once the encrypted files are seen they will hook the hard drive to a Mac and attempt to gain admin access through an OS disk. So now you need a firmware password, so that the password is kept in the ROM of the Mac computer, not in the hard drive and they can’t C boot from an OS disk to reset the admin password.

    Of course then they could flash the firmware with a special version given to them by Apple that will allow C booting from an OS install disk.

    Then of course there is EFI, which is run by the folks of UEFI which are not Apple and can do what they please.

    EFI is a very dangerous, high-functioning firmware level that can even contact the internet and download, run code, access hard drives etc. all by itself, without an OS needed.
