InfoSec teams need to refresh Apple forensics skills as cyber threats increase, says expert
UK – 3rd September, 2015 – With Apple products now accounting for over 15%[i] of global operating systems across desktops, laptops, tablets and smartphones, Sarah Edwards believes that information security professionals need to update their digital forensics skills to meet both a growing threat and a rising demand for their expertise.
Edwards, author of the SANS course FOR518: Mac Forensic Analysis, is a senior digital forensic analyst who has worked with several federal law enforcement agencies on investigations ranging from computer intrusions and criminal cases to counter-intelligence, counter-narcotics and counter-terrorism.
“As Apple Mac systems become increasingly popular in the workplace they also become a greater target for attack,” says Edwards, pointing to a study last year by security company Kaspersky Lab that tracked nearly 1500[ii] new malware programs targeting OS X during 2014, a 13% increase on the previous year.
“It’s fair to say that Apple actually does a good job patching and updating its operating systems but Macs are not immune from malware and some of the new attacks we are seeing are the result of vulnerabilities based on Unix programs that are older than Macs themselves,” says Edwards.
OS X is updated frequently, with new features arriving on a release cycle that is typically twice as frequent as that of Microsoft Windows, so information security professionals working on Apple systems need to refresh their skills more often. “The other issue is that a lot of the information for forensically examining Apple systems is simply not documented in public or developer forums and there are fewer tools to choose from,” she adds.
Edwards will be teaching an updated SANS FOR518: Mac Forensic Analysis course at the upcoming annual Digital Forensics and Incident Response (DFIR) Summit and Training event in Prague this October.
“The course is aimed at investigators with a working knowledge of forensics and is particularly pertinent for individuals coming over from a Windows background, as many of the core skills are transferable, while this course provides the tools and techniques necessary to take on any Mac case without hesitation.”
The six-day course teaches Mac fundamentals, including how to analyse and parse the HFS+ file system (Hierarchical File System Plus) by hand, and how to recognise the specific domains of the logical file system and Mac-specific file types. The course covers Mac-specific technologies including Time Machine, Spotlight, iCloud, Versions, FileVault, AirDrop and FaceTime, and includes advanced analysis and correlation to determine how a system has been used or compromised.
The course runs from the 5th to the 10th of October at SANS DFIR Prague, and the week concludes with a Summit packed with trending talks and leading speakers covering the most innovative DFIR topics. For more information on the event, please visit https://www.sans.org/event/dfir-prague-2015/
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 27 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)