Resource Center

Webinars Webinars

Demystifying Mac Investigations: Mac vs. Windows Artifacts Comparison

Forensic Examiners today are faced with supporting an ever-growing range of evidence and investigation types. While dead-box Windows investigations dominated casework in the early years of digital forensics, examiners must now also consider a multitude of other devices and data sources, including smartphones, cloud apps and services, and a growing Mac population in both the private and public sectors—in many areas macOS endpoints are nearly as popular as Windows.

For examiners who don’t regularly work macOS investigations, it can be a challenging and frustrating experience—macOS forensics are in a constant state of flux, and examiners often encounter a steep learning curve when it’s time to analyze a Mac, with recent file system changes, Read-Only Volumes, and hardware-based encryption being a few of the notable obstacles examiners must overcome.

Join Trey Amick, Manager of Forensic Consultants at Magnet Forensics, as he compares the key artifacts utilized in the Windows and Mac operating systems to help you more confidently conduct Mac investigations, including:

  • File System: $UsnJrnl vs. File System Events (FSEvents)
  • User Accounts: Windows Registry vs. Mac user plist
  • Applications Usage: SCRUM vs. Network Application Usage
  • Windows UserAssist vs. Mac Recently Used Items
  • External media investigations across both platforms

Live Webinar:

Register for Webinar

Start modernizing your digital investigations today.

Ready to explore on your own? Start a Free Trial

:qa Top