Cellebrite Apple Forensic Fundamentals (CAFF)

4 days
Entry-level course

Course Description

Cellebrite Apple Forensic Fundamentals (CAFF) is a four (4)-day, course designed with hands-on learning and real case scenario data using Cellebrite Digital Collector and Inspector software. Participants will learn how to perform both triage and analysis of specific data points that exist within operating system and file system artifacts.  Participants will analyze mounted volume evidence, device connection evidence, and network connections in macOS. The macOS and iOS operating systems, HFS+ and APFS file systems and significant application data are explored throughout the class.

sidebar image 
Functions of the EFI
  • Recognize Apple computer start-up functions
  • Explain the purpose of disk sharing modes
  • Recognize a Mac computer in safe sleep mode
sidebar image 
Triage and Imaging
  • Recognize the macOS live environment
  • Demonstrate using Cellebrite Digital Collector
  • Review and identify the various
  • Apple computer disk configurations
  • Explain how the various forms of encryption affects disk imaging and data acquisition
sidebar image
System Overview
  • Recognize Apple computer structures
  • Describe how the structure of macOS affects analysis
  • Describe the value and purpose of FileIDs and Catalog Node IDs
  • Explain how macOS handles PLIST files
  • Analyze data contained with PLIST files on macOS
  • Use SQLite queries to enhance your forensic analysis
sidebar image
Time Zone Analysis
  • Identify services using location services in macOS
  • Locate time zone settings in macOS
  • Analyze date and time preferences
sidebar image
Disk Images
  • Define how Apple Disk Images are used
  • Demonstrate how to make Apple Disk Images
  • Differentiate between the types of Apple Disk Images
  • Discover methods to mount troublesome disk images
sidebar image
  • Identify web browser data in macOS
  • Describe the purpose of containers in macOS
  • Interpret data found within Safari web history
  • Discover extended attributes found in files downloaded on a macOS computer
  • Analyze internet artifacts from Safari, Firefox and Chrome
sidebar image
Media Analysis
  • Describe the default locations of media files in macOS
  • Recognize how Photos application stores files in macOS
  • Examine data from Photos application
  • Describe the affects of iCloud on Photos application
  • Analyze extended attributes of media files in macOS
sidebar image
Device Connection Artifacts
  • Describe how volumes are mounted in macOS
  • Analyze macOS for evidence of mounted volumes
  • Convert date values of mounted devices
  • Examine unified logs to view device connections
  • Determine Bluetooth connected devices in macOS
  • Analyze network connections in macOS
  • Examine AirDrop artifacts in macOS
sidebar image
  • Describe iCloud as a service in macOS and iOS
  • Analyze iCloud account information and services in macOS
  • Recognize files shared through iCloud file sharing
  • Analyze iCloud data from Apple
sidebar image
iOS Analysis
  • Describe how iOS locks can affect analysis
  • Identify an iOS backup on a local computer
  • Differentiate between the iOS acquisition methods
  • Analyze crucial iOS device data to show how the device has been used
Last modified: Tuesday, February 7, 2023, 6:27 AM