Cellebrite Apple Intermediate Forensics (CAIF)

3 days
Intermediate-level course

Course Description

Cellebrite Apple Forensic Fundamentals (CAIF) is a three (3)-day, course designed with hands-on learning and real case scenario data using Cellebrite Inspector software. Participants will analyze mounted volume evidence, device connection evidence, and network connections in macOS. A CAIF instructor will review log files found on macOS and iOS devices and how to analyze Apple Mail including its structure, mail messages, and related files. The advanced instruction includes a comprehensive exploration of the GUID Partition Table, Terminal, HFS+ and APFS file system, Time Machine Backups, Snapshots and understand the difference between link files, APFS clones, and APFS firmlinks.

sidebar image 
Device Connection
  • Examine unified logs to view device connections
  • Determine Bluetooth connected devices in macOS
  • Analyze network connections in macOS
  • Examine AirDrop artifacts in macOS
sidebar image 
Email Analysis
  • Describe how Apple Mail stores mail data
  • Identify email messages with attachments
  • Describe the purpose of the Mail Downloads folder
  • Analyze data in the Envelope Index file
sidebar image
Command Line Basics
  • Practice entering commands in a Terminal session
  • Analyze a computer image to find evidence of command line use
  • Create a shell script to run in macOS
sidebar image
GUID Partition Table
  • Describe the GUID Partition Table (GPT) structure
  • Recognize the GUID Partition Table (GPT) on disk
sidebar image
  • Inspect the unique aspects of the proprietary Hierarchical File System (HFS+)
Last modified: Tuesday, January 18, 2022, 6:43 AM