Macintosh Intrusion Forensics
Thane Erickson, Anthony Kokocinski & Johnny Long
Overview
All it takes is one trip to the annual “capture the flag” contest at Defcon to realize that Apple’s hardware and the Mac OS X operating system are a staple amongst the hacking community. Bad guys are using Macs as attack platforms, and they are attacking Mac servers. This course will give you hands-on experience using the Mac’s BSD-based operating system as an attack platform against Mac-based servers. After the attack exercises, the seasoned forensic instructors will teach you how to:
- properly seize and image each machine as well as an iPod Shuffle
- perform forensic analysis of both Mac clients and servers
- extract and crack Mac login passwords
- access FileVault-protected directories
- access the Mac Keychain and stored passwords
- access encrypted disk images (dmg files)
- locate evidence and artifacts
- extract common file types from disk and swap (such as iChat logs, Office documents, zip files, etc.)
- unlock proprietary data formats (such as Safari’s web cache, the NetInfo database, iCal, Address Book, etc.)
Mac haters and lifers welcome! Each attendee will receive a free iPod Shuffle upon successful completion of the course.
Key Learning Objectives
- Mac as an attack platform
- Imaging Macintosh Devices
- Forensic Analysis of a Macintosh Server
- Forensic Analysis of a Macintosh Client
General Learning Objectives
- Basic Incident Response
- Tool Setup and Configuration
- Imaging Evidence
- NetInfo Account Enumeration
- Textual Log Analysis
- Common File Analysis
- Internet Forensics
- Swap File Carving
- Password Cracking
- Filevault Decryption
- Keychain Access
Prerequisites
General Macintosh Experience
Computer Forensic Experience
The student should have an understanding of most of the following concepts and technologies:
- Command-line operations
- Familiarity with the Panther GUI
- General computer forensic analysis
ISC2 CISSP/SSCP CPE Credits
Students are eligible to receive 16 Continuing Professional Education (CPE) credits upon completion of the class. Black Hat will automatically forward your information to ISC2.
Cost: US $2100 on or before July 1, 2005 or US $2300 after July 1, 2005
All course materials, lunch and two coffee breaks will be provided. NOTE: this is a two-day course. A Certificate of Completion will be offered.
CLOSED
Trainers:
Thane Erickson is currently working as an instructor with the Department of Defense’s Computer Investigations Training Program (DCITP). Mr. Erickson develops and teaches several computer forensic courses ranging from basic to advanced topics. Mr. Erickson helps develop and teach the Macintosh Forensic Examinations (MFE) course. The MFE course is a combination of lecture, instructor-led demonstrations, and hands-on practical exercises that introduce investigators and analysts to the fundamental concepts necessary to perform a Macintosh forensic examination. In his spare time, he is working on obtaining a Master’s in Computer Science and Information Security at James Madison University.
Johnny Long is a “clean-living” family guy who just so happens to like hacking stuff. Over the past two years, Johnny’s most visible focus has been on this Google hacking “thing” which has served as yet another diversion to a serious (and bill-paying) job as a professional hacker and security researcher for Computer Sciences Corporation. In his spare time, Johnny enjoys making random pirate noises (“Yarrrrr!”), spending time with his wife and kids, convincing others that acting like a kid is part of his job as a parent, feigning artistic ability with programs like Bryce and Photoshop, pushing all the pretty shiny buttons on them new-fangled Mac computers, and making much-too-serious security types either look at him funny or start laughing uncontrollably. Johnny has written or contributed to several books, including “Google Hacking for Penetration Testers” from Syngress Publishing, which has secured rave reviews and has lots of pictures.