This course will give students an introduction into the exciting world of MacOS anti-forensics and its tools. For a computer forensics professional, MacOS anti-forensics is important to know, because criminals will use anti-forensics to hide or alter forensic evidence on a Windows computer, but also on a MacOS. Unfortunately, MacOS anti-forensics is not well documented.
Besides that, it is interesting because you, as a computer forensics professional, will learn techniques used by criminals to make your work complex. This will broaden your knowledge about how a criminal thinks and operates, which will help you in your forensic investigation.
18 hours (18 CPE points)
There are already anti-forensics courses available on this platform, but they focus on segments of anti-forensics, like multimedia and documents, but do not have a focus on MacOS anti-forensics. This course fills that gap and will also teach you the basics of working with anti-forensics tools for the MacOS.
The MacOS is gaining more popularity. More people are using the MacOS, including criminals. This increases the chance of having to investigate a MacOS as criminal evidence. Criminals know this, and they will undertake measures to prevent forensic investigators from obtaining this evidence for use in court.
You will learn how to apply and detect MacOS anti-forensics techniques and also learn to think as someone who wants to alter forensic evidence on a MacOS.
- In the introduction, MacOS anti-forensics and a brief history of anti-forensics and the MacOS will be explained.
- In the first module, the subcategories of anti-forensics will be explained as a starting point for discussing MacOS anti-forensics.
- The second will involve the tooling used in MacOS anti-forensics, categorized by anti-forensics subcategory.
- The third module will be about the differences of anti-forensics for the MacOS in comparison to other operating systems and hardware.
By using specific tooling, you will learn to apply anti-forensics, but also detect anti-forensics used to hide/alter forensic evidence. This will help you choose the most suited tool in their computer forensics work to detect MacOS anti-forensics techniques.
- With the knowledge you gain in this course, you will have an understanding of MacOS anti-forensics, the parts it consists of, use cases and the arms race between criminal and forensics investigators
- When you have learned the skills, you will be capable of using and detecting anti-forensics techniques on digital evidence found on a MacOS
- Given the tools described in this course, you will be able to use and detect anti-forensics techniques on digital evidence found on a MacOS
- All this will give you a much needed skill in computer forensics: how to deal with anti-forensics on a MacOS
Examples of tools used in this course:
- data hiding: CyberChef,
- steganography: iSteg, silenteye
- trail obfuscation: TUNNELBLICK, VPN
- attacks against the CF : USBKill
You should be familiar with:
- computer forensic investigation concepts: imaging, hashing
- working on a MacOS: finding files
- computer data, image and video files (where to find logs on MacOS, different image files, etc.)
- installing computer-based software from a website
- Basic programming skills (desired but not essential)
To participate in the course you'll need:
- A macBook Pro with min. MacOS 10.11.6 (El Capitan); 2,7 GHz Intel Core i5; 8 GB 1867 MHz DDR3
- Good internet connection to download tools on the fly
About your instructor: Cordny Nederkoorn:
Cordny Nederkoorn is a software tester, IT marketeer and data analyst with over 10 years of experience in finance, digital forensics and web development.
He is also the founder of TestingSaaS, a softwaretesting & IT marketing agency for researching cloud applications with a focus on SaaS, digital forensics, data science, software testing and security.
What is MacOS anti-forensics?
To work with anti-forensics, you first have to know what it is, especially for the MacOS. You can learn to use the tooling, but if you do not know the theory behind it, you will make mistakes: a fool with a tool is still a fool. It is an interesting topic, because you will see why different tooling was made to apply anti-forensics by criminals to destroy or hide computer forensic evidence. Knowing this, you can apply this in your forensic investigation for detecting anti-forensics.
What is anti-forensics? What is its purpose? What are its goals? Can anti-forensics be divided in different parts? Which parts? Who are experts in anti-forensics: examples of criminals and forensic investigators regarding the MacOS? Case studies on MacOS anti-forensics.
- You will start to think like a criminal doing anti-forensics or think like a forensic investigator spotting anti-forensics on a MacOS.
From a case study: Questions about MacOS anti-forensics, what’s the technique, etc?
- These questions will be open and multiple-choice.
- Students will have to show they have an understanding about MacOS anti-forensics and answer questions about the material discussed in the module.
Anti-forensics in detail
This module will discuss the several subcategories of anti-forensics and their similarities and differences. This will give the student a deeper understanding of anti-forensics as a foundation for the tooling module in Module 2.
- the subcategories of anti-forensics
- the similarities between the subcategories
- the differences between the subcategories
- tooling used per subcategory
- You will develop a critical mindset when applying the different subcategories of anti-forensics
- You will recognize different kinds of anti-forensic techniques
- You will be able to choose appropriate tools for detection of various anti-forensic techniques
Based on a case study - questions about subcategories in anti-forensics:
- What subcategories are there?
- Can you give me a similarity between two subcategories?
- Can you give me the difference(s) between two subcategories?
- Can tool A be used with subcategory 1?
- What tool can be used when you want to do anti-forensics from subcategory A?
These questions will be multiple-choice.
Students will have to show they know the differences between the types of anti-forensics and know when what tooling is needed.
Module 2 will discuss MacOS anti-forensics tools. For every subcategory, a small tutorial of a tool will be given, with an emphasis on open source tooling.
Knowledge: Basic knowledge of tooling used in MacOS anti-forensics
Skills: by giving a small tutorial per tool from a anti-forensics subcategory, the student will get a basic understanding of the functionality of the tool.
- With the knowledge you learn in this module you will have an understanding of the macOS anti-forensics tools discussed, where and when they are used.
- When you have learned the skills you will be capable of using MacOS anti-forensics tooling on digital evidence
- Given the tools described in this course, you will be able to use and detect anti-forensics techniques on digital evidence
- The exercises in Module 2 will test the skills a student must have to use the basic functionality of the tool. This will be done with a selected MacOS anti-forensics tool from each of the 4 anti-forensics subcategories.
- Next to these skill-questions, questions will be asked about basic knowledge of the addressed tools.
These questions will be open and multiple-choice.
Students will have to show they can do basic anti-forensics techniques with these tools.
MacOS Anti-Forensics in the daily work of an investigator
Part 1: There is an arms race going on between anti-forensics practitioners (mostly criminals) and the computer forensics industry and academia. As with computer hacking, this will be an ongoing process. New IT innovations will be invented, which need new forensics techniques, leading to anti-forensics techniques to alter the forensics evidence.
- This module will show where forensics and anti-forensics is evolving for the MacOS. Will there be more advanced MacOS anti-forensics tooling?
- Next to this we will discuss the differences between MacOS anti-forensics and other anti-forensics. Operating systems like MacOS and Windows are different operating systems to cope with during forensic analysis. This is also the case for anti-forensics.
Part 2: Final exam as described below
Knowledge: Description of arms race between computer and anti-forensics; description of new forensics techniques that have to be countered by anti-forensics techniques; MacOS anti-forensics in comparison to other anti-forensics
Skills: examples of the arms race to show the student it is an arms race; working with forensics examples to show the effectiveness of anti-forensics in the daily work of a forensic investigator. Examples of forensic investigations detecting MacOS anti-forensics techniques
- Describe the arms race between forensics investigators and anti-forensics.
- Can you give an example?
- From a description of a forensic investigation detecting an anti-forensics operation, what subcategory of anti-forensics was used?
- From a description of a new IT innovation regarding the MacOS where computer forensics can be applied, can the student think of a possible anti-forensics technique altering the forensic evidence and why?
These questions will be open and multiple-choice.
Students will have to show they understand the arms race and show insight in using anti-forensics with new IT innovations for the MacOS.
Final exam (Part of Module 3)
- Questions include basic knowledge of anti-forensics (definition, subcategories, theory behind techniques)
- Questions about theory behind MacOS anti-forensics tooling
- Practical exercises MacOS Anti-forensics tooling
- Questions about arms race
- Questions about MacOS anti-forensics in comparison to other anti-forensics
These questions will be open and multiple-choice.
Student will have to show they master the material as discussed in this course and master basic MacOS antiforensic techniques with the tools discussed.
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 18 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.
Questions? Contact our course coordinator Marta at [email protected]