Workshop: MacOS Investigation Workshop (Evgen Blohm)
February 27th, 2026
Level: Technical
Abstract:
The goal of this workshop is to equip participants with the essential knowledge and practical skills needed to perform forensic analysis of macOS systems in the context of modern threats.
Although macOS devices still represent a smaller share of enterprise environments compared to Windows, they are increasingly targeted by threat actors. As a result, macOS security and forensic analysis remain less mature and underrepresented in many organizations’ defensive strategies. Recent industry reports — including findings from Red Canary showing a 400% increase in macOS-related threats between 2023 and 2024 — highlight the urgent need for improved visibility and expertise in this area.
This workshop will guide participants through the fundamental steps of conducting macOS forensic investigations, including:
- Creating logical and triage images of macOS devices
- Identifying and interpreting key system artifacts
- Investigating artifacts for evidence of threat actor activity
- Utilizing common forensic tools to support analysis
- Understanding the evolving macOS threat landscape
By the end of this workshop, participants will be able to independently conduct forensic investigations on macOS systems and will receive additional resources to support continued learning and future casework.
Requirements:
Since the core of this workshop involves hands-on forensic analysis of a compromised macOS system, each participant is required to bring a laptop. As the provided forensic images are designed for macOS, participants are expected to use a MacBook for the exercises.
For those who do not have access to a MacBook, a cloud-based virtual machine will be made available, accessible from any operating system.
Participants should have a basic understanding of cybersecurity concepts, though prior experience with macOS internals or forensic analysis is **not** required. The workshop is designed to build these skills through guided, practical exercises.
Bio:
Evgen Blohm is an experienced DFIR expert who has been involved in responding to a large number of cyber incidents. He is based in Hamburg, Germany, and currently works for InfoGuard AG, where he also supports customers with compromise assessments and dark web monitoring.