Cellebrite Apple Intermediate Forensics (CAIF)

3 days
Intermediate-level course
Course Description
Cellebrite Apple Forensic Fundamentals (CAIF) is a three (3)-day course designed with hands-on learning and real case scenario data using Cellebrite Inspector software. Participants will analyze mounted volume evidence, device connection evidence, and network connections in macOS. A CAIF instructor will review log files found on macOS and iOS devices and show how to analyze Apple Mail, including its structure, mail messages, and related files. The advanced instruction includes a comprehensive exploration of the GUID Partition Table, Terminal, the HFS+ and APFS file systems, Time Machine backups, and snapshots, and covers the difference between link files, APFS clones, and APFS firmlinks.

Device Connection
- Examine unified logs to view device connections
- Determine Bluetooth connected devices in macOS
- Analyze network connections in macOS
- Examine AirDrop artifacts in macOS

Email Analysis
- Describe how Apple Mail stores mail data
- Identify email messages with attachments
- Describe the purpose of the Mail Downloads folder
- Analyze data in the Envelope Index file

Command Line Basics
- Practice entering commands in a Terminal session
- Analyze a computer image to find evidence of command line use
- Create a shell script to run in macOS

GUID Partition Table
- Describe the GUID Partition Table (GPT) structure
- Recognize the GUID Partition Table (GPT) on disk

HFS+
- Inspect the unique aspects of the proprietary Hierarchical File System (HFS+)