Update digital forensics skills

by Mark Rowe

With Apple products now accounting for over 15 per cent [i] of global operating systems across desktops, laptops, tablets and smartphones, Sarah Edwards believes that information security professionals need to update their digital forensics skills to meet both a growing threat and rising demand for their expertise.

Edwards, author of the SANS course FOR518: Mac Forensic Analysis, is a senior digital forensic analyst who has worked with various federal law enforcement agencies on a variety of investigations, including computer intrusions, criminal, counter-intelligence, counter-narcotic, and counter-terrorism cases.

“As Apple Mac systems become increasingly popular in the workplace they also become a greater target for attack,” says Edwards. She points to a study last year by security company Kaspersky Lab that tracked nearly 1500 [ii] new malware programs targeting OS X during 2014, a 13 per cent increase on the previous year.

“It’s fair to say that Apple actually does a good job patching and updating its operating systems but Macs are not immune from malware and some of the new attacks we are seeing are the result of vulnerabilities based on Unix programs that are older than Macs themselves,” says Edwards.

OS X is updated frequently, with new features added in a release cycle that is typically twice as frequent as that of Microsoft Windows, which means that info-security people working on Apple systems need to refresh their skills more often, she suggests. “The other issue is that a lot of the information for forensically examining Apple systems is simply not documented in public or developer forums and there are fewer tools to choose from,” she adds.

Edwards will be teaching an updated SANS FOR518: Mac Forensic Analysis course at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague from October 5 to 10.

“The course is aimed at investigators with a working knowledge of forensics and is particularly pertinent for individuals coming over from a Windows background as many of the core skills are transferable while this course provides the tools and techniques necessary to take on any Mac case without hesitation.”

The six-day course teaches Mac fundamentals, including how to analyse and parse the Hierarchical File System (HFS+) by hand and how to recognise the specific domains of the logical file system and Mac-specific file types. The course is taught in the context of Mac-specific technologies, including Time Machine, Spotlight, iCloud, Versions, FileVault, AirDrop, and FaceTime, and includes advanced analysis and correlation to determine how a system has been used or compromised.

The course runs at SANS DFIR Prague, and the week concludes with a summit of talks. Visit https://www.sans.org/event/dfir-prague-2015.

Citations

[i] http://gs.statcounter.com/#all-os-ww-monthly-201407-201507

[ii] http://www.macrumors.com/2014/12/09/os-x-malware-kaspersky/
