I grew up in a household of Macs; my earliest memory of a Mac is watching After Dark 2.0 Flying Toasters and Fish! floating across a CRT monitor. In school, games such as Kid Pix, Oregon Trail, and Mario Teaches Typing were part of our computer lab curriculum. At home, I would solve puzzles throughout the Ages in MYST. In 1996, Dad gifted me my very own Mac, a Power Computing PowerBase 180 (probably running System 7.6). I can relive some of that nostalgia with Infinite Mac!

I was a Mac user throughout college and for several years after, despite a workforce dominated by Windows. After being encouraged to explore and upskill, I gradually transitioned all computing tasks to Linux distributions and Windows operating systems, eventually ignoring the Mac platform as a personal machine between 2017 and 2023.
While I did complete Magnet Forensics' AX350 in 2020 and earned their MCME designation in 2022, both were done primarily in haste. I reintroduced the Mac into my life when I justified a new Mac mini to independently test a hypothesis: that I could get a full file extraction from a supervised, pair-locked iOS device. I was also hedging on an opportunity to take SANS FOR518 or Sumuri's MFSC series.
Although my employer runs only a handful of Mac computers, there was sufficient justification to seek additional training to collect, examine, analyze, and report on those machines.
As a long-time fan of the flexibility SANS’ OnDemand curriculum provides, I enrolled in FOR518 presented by Sarah Edwards.
FOR518 Expectations
I have yet to work an investigation involving a Mac. My previous training on analyzing Macs was limited to Magnet Forensics' course, which provided a high-level overview of several Mac artifacts and of conducting analysis using AXIOM. While my consumer experience with the Mac is dated, I am comfortable with property lists, SEGB files, and SQLite databases from previous training and experience. I had some familiarity with HFS+ through Scott Moulton's data recovery class.
Areas of growth I identified included the APFS file system and extended attributes. Above all, I had a clear expectation that "imaging" a Mac is not straightforward, especially with Apple silicon. I was not concerned about iOS.
Based on the syllabus and advertised topics, I expected to accomplish the following:
- Understand the difference between using a Windows machine and a Mac to analyze a Mac
- Draft acquisition strategies in a corporate environment
- Perform pattern-of-life analysis unique to the Mac
- Deep dive into data structures unique to the Mac
Summary of Thoughts on FOR518
After completing the class and achieving a passing score on the GIME exam, I learned a lot more than I anticipated. Edwards' module on Malware and Live Response alone provided me with thorough context to develop a satisfactory data collection plan, whether using an existing EDR product or hands-on keyboard. With a more thorough understanding of Mac artifacts and their context, I believe my ability to convey potential data collection issues and investigative objectives has also matured.
Here are a few highlights I took from the class:
- I benefited a lot from the bonus lab on parsing the contents of the APFS file system, as opposed to just reading diagrams from a book.
- Edwards gave several scenarios analyzing FSEvents, the macOS record of file system changes on a volume (stored as compressed logs under each volume's .fseventsd directory), using her fork of Nicole Ibrahim's tool, FSEventsParser, to parse it.
- I appreciated that several relevant system logs can be viewed using Mac native tools.
- Given the unique structure of Apple systems, the section on Disks and Volumes was helpful to me.
- I have a new appreciation for extended attributes and gained knowledge on how to analyze them natively.
- The entire section on incident response analysis gave me inspiration to adapt/adopt existing triage tools and consider next-level analysis opportunities.
- The CTF-style challenge at the end was a welcome shift from the typical SANS capstone. I opted to start the challenge after the GIAC exam, so now I have 120 days of gamified practice/exploration without the weight of a test on my shoulders. Just be sure to save the event code before your access to the SANS lab resources page expires.
Nearly everything iOS related was review for me after completing FOR585. However, access to Corellium was an awesome opportunity to get exposure to a platform I likely would not have otherwise.

While Christian Peter's UFADE and Andrea Lazzarotto's FUJI are relatively new tools, I hope they will make an appearance in Edwards' next class update, assuming she hasn't added them already.
Generic GIAC Test Preparation Tips
As noted previously (FOR509 and FOR585), here are a handful of tips when preparing for this GIAC exam. With a solid process, consistent and favorable outcomes can be achieved.
- After your first read through of the material, review the certification objectives. This is helpful for me to categorize the information I just read (and will read again) respective to those objectives.
- Understand the exam format, including the minimum passing score. As of 2024-11-12, the minimum passing score for GIME is 67%. If you just want to pass, this may alleviate test anxiety.
- Do the labs at least once. I found the bonus lab and exercises interesting.
- Read through the material again. Create an index.
- To save desk space during the test, I re-created the Mac and iOS Forensic Analysis Poster as worksheets.
- Practice Exam #1: I enable the option to show answers and explanations only for incorrect submissions. My goal is to seek holes in my knowledge and index. I use a digital version of the index and supplemental material for easy searching if I struggle to find a keyword. I try to take the first practice exam 10-15 days before exam day. Reflect on the feedback report.
- I'll skim through the books again and spot-check whether key terms are in the index.
- Practice Exam #2: I’ll print out what I believe is a solid index in color, including any supplemental material I created. I simulate the test environment by disabling the option to show answers and explanations for any submission. If I find more holes in my index, I’ll write them in. I try to take the second practice exam 2 days before the exam. I don’t do anything exam related the day before the exam.
- On the day of, before the exam, I’ll get in a brisk cardio session. I usually grab a coffee, but I skipped it this time.
Creating the Index

Based on Lesley Carhart's method, I letter each book on the front and bottom-right corner, and highlight the edge of the front cover, front and back. During the test, the highlighted edges help me return the book with the cover facing up and place it back in the pile in order. This approach keeps me organized during the test and avoids excess shuffling.

Using the FOR518 SANS poster, I broke it down into manageable 8.5×11″ pages as worksheets, then tabbed each page based on the poster section. For FOR500 and FOR508, I was able to take sections graphically and break them down the same way.
For the tabs, I use the variety from Post-it because they’re durable. The four links below are Amazon affiliate links. This means that, at zero cost to you, I may earn an affiliate commission if you click through the link and finalize a purchase:
- Bottom tabs
- Edge tabs
- Top tabs
- Staedtler pens for writing on the tabs
Relevant Links
https://eclecticlight.co/
https://www.mac4n6.com/
https://derflounder.wordpress.com/
https://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf
Feature image generated with WordPress’ Jetpack AI Assistant. Prompt: “A classic Apple macintosh computer with a bitmap image of a magnifying glass and binary displayed in the monitor. cheerful. fun. nostalgic. system 7.”