Magnet AXIOM macOS Examinations

What You'll Learn

This course is an expert-level four-day training course, designed for participants who are somewhat familiar with the principles of digital forensics and who are seeking to expand their knowledge base on macOS and the forensic analysis of devices using the APFS file system and AXIOM.  Examiners will investigate a scenario dealing with a misconfigured webserver that allowed hackers to exploit  vulnerabilities and gain access to the network to perform nefarious activity and steal intellectual property and potentially customer data as well.

Introduction and Course Overview

  • This module will introduce the course to students as well as cover the scenario that will be followed over the four-day training.

macOS Overview

  • This module will walk through information on the macOS operating system and APFS file system. Including changes to the security of macOS devices including the T2 chips, SIP, and other security protocols being used by Apple. Students will also discuss proper handling techniques for macOS devices.
  • Several key operating system artifacts for macOS will be covered including Finder, File System Events, Sidebar items, Trash Items, Installed Applications, and more.

Starting our Examination

  • In this module students will discuss encryption issues such as FileVault2 and methods that can be taken to brute force this technology using Passware.

Log Files

  • This module will cover several macOS log files such as the unified logs, configuration files, file/folder permissions, daily logs, USB connection history, and other key logging artifacts to track user access of information.


  • Having access to precise and granular user and application usage can be extremely useful in a forensic investigation. The KnowledgeC database stores a wealth of information about the macOS usage as well as user activity. Several of the key things tracked in this database will be shown as well as open source tools to extract additional information behind the KnowledgeC.db. Some of the information gleaned from the KnowledgeC.db is:
    • Application Usage
    • Application Activities
    • Safari Browser History
    • Device Power Status

Internet Artifacts

  • Several browser history artifacts from Safari, Chrome, and Firefox will be examined to assist in the investigation and collection of evidence in furtherance of the investigation being carried out by the students.

User Accounts

  • Understanding the data specific to a user account can be key in an investigation. This module will cover Artifacts dealing with contacts, address books, saved apple accounts, keychain information, installed applications, and logon/logoff times.


  • The default mail application (Mail.App) stores both email and calendar data inside macOS. This module will discuss how to recover artifacts and attachments from these stored files.

Mac Desktop

  • The macOS Desktop stores several valuable artifacts around what a user has been accessing. This module will walk students through looking at the items stored in the mac Dock, the Menu Bar applications, recently used items, and the quick-look thumbnails and how they can be used in an investigation.

Time Machine and Snapshots

  • Time Machine is a built-in backup methodology for macOS.  In this module, students will cover the Time Machine and Snapshot functionalities of macOS and the APFS file system. This information will be valuable in trying to recover files that may no longer be active on the macOS system.

Cloud Services

  • MacOS users typically have an Apple ID and with it, free iCloud storage. This cloud storage can prove important in an investigation as well as other cloud sources of data such as OneDrive and Google Drive.  Understanding how macOS uses these services and wht databases control the flow of data between the cloud service and the host computer is imperative to solving these types of investigations. 

Cumulative Review

  • A final practical will walk students through practicing the techniques and analyzing the artifacts discussed throughout this course.

Try The Training Annual Pass (TAP)

TAP lets you pay once, but train continuously. For $5,995 USD (less than the cost of two courses), you can attend any class at any time throughout the following 12 months.

Upcoming Classes



Virtual Instructor-Led (CST)OnlineSept 8-11
Virtual Instructor-Led (CST)OnlineOct 6-9
Virtual Instructor-Led (CST)OnlineNov 3-6
Virtual Instructor-Led (CST) OnlineNov 17-20
Virtual Instructor-Led (GMT)OnlineDec 15-18

Frequently Asked Questions

What do I need to bring?

Computer needs will be determined by class, but otherwise, it’s a classroom like any other, so bring in something to take notes on, water, lunch, etc.

How many students are in a classroom?

It can vary wildly depending on location and topic. Check out our registration page to find out how many seats are available per class.

Can I get custom training for my organization?

Yes! Simply contact us and let us know the details of who would be receiving the training and what topic you would like addressed. We’ll follow up with more details.

What materials will I receive in the course?

You will receive an course manual which you can keep and refer to long after the course has been completed.

Are all courses available with TAP?

Yes. If you’ve purchased a TAP, you can take any course, any time, no matter if it’s in-person, online, or online self-paced.