Examiners today are faced with supporting an ever-growing range of evidence and
investigation types. While dead-box Windows investigations dominated casework
in the early years of digital forensics, examiners must now also consider a
multitude of other devices and data sources, including smartphones, cloud apps
and services, and a growing Mac population in both the private and public
sectors—in many areas macOS endpoints are nearly as popular as Windows.
For examiners who don’t regularly work macOS investigations, it can be a challenging and frustrating experience—macOS forensics are in a constant state of flux, and examiners often encounter a steep learning curve when it’s time to analyze a Mac, with recent file system changes, Read-Only Volumes, and hardware-based encryption being a few of the notable obstacles examiners must overcome.
Join Trey Amick, Manager of Forensic Consultants at Magnet Forensics, as he compares the key artifacts utilized in the Windows and Mac operating systems to help you more confidently conduct Mac investigations, including:
- File System: $UsnJrnl vs. File System Events (FSEvents)
- User Accounts: Windows Registry vs. Mac user plist
- Applications Usage: SCRUM vs. Network Application Usage
- Windows UserAssist vs. Mac Recently Used Items
- External media investigations across both platforms