As macOS gains traction in enterprises, so do attacks. This workshop equips participants with the skills to perform effective macOS forensic analysis, uncovering and understanding modern threats to strengthen enterprise defences.
The goal of this workshop is to equip participants with the essential knowledge and practical skills needed to perform forensic analysis of macOS systems in the context of modern threats. Although macOS devices still represent a smaller share of enterprise environments compared to Windows, they are increasingly targeted by threat actors. As a result, macOS security and forensic analysis remain less mature and underrepresented in many organisations’ defensive strategies. Recent industry reports — including findings from Red Canary showing a 400% increase in macOS-related threats between 2023 and 2024 [1] — highlight the urgent need for improved visibility and expertise in this area.
This workshop will guide participants through the fundamental steps of conducting macOS forensic investigations, including:
- Creating logical and triage images of macOS devices
- Identifying and interpreting key system artefacts
- Investigating artefacts for evidence of threat actor activity
- Utilising common forensic tools to support analysis - Understanding the evolving macOS threat landscape
By the end of this workshop, participants will be able to independently conduct forensic investigations on macOS systems and will receive additional resources to support continued learning and future casework.
[1]
https://redcanary.com/threat-detection-report/trends/mac-malware/Since the core of this workshop involves hands-on forensic analysis of a compromised macOS system, each participant is required to bring a laptop. As the provided forensic data is designed for macOS, a MacBook is prefered for the exercises.
For those who do not have access to a MacBook, suitable alternatives will be made available, accessible from any operating system. Participants should have a basic understanding of cybersecurity concepts, though prior experience with macOS internals or forensic analysis is not required. The workshop is designed to build these skills through guided, practical exercises.
