macOS Endpoint Investigation: Course Orientation
MACOS ENDPOINT INVESTIGATION · MODULE 00
A Mac records more than its user knows. This course teaches you to read it.
A macOS system keeps a detailed record of what ran, where it came from, who used the machine, and what they did, scattered across Unified Logging, the file system, property lists, SQLite stores, and Apple's Biome. This course teaches you to take a compromised Mac and reconstruct that record: what executed and whether the system trusted it, who was present, what persisted, what left the machine, and what someone tried to hide. You work the evidence with a free toolstack, reason honestly about what Apple Silicon and FileVault put out of reach, and finish with a full intrusion investigation. This module shows you what you'll be able to prove, the evidence you'll work, and how the course gets you there.
12 modules across 4 phases
Full capstone: one intrusion, end to end
Sequoia + Tahoe: current to macOS 26
No prerequisites: every artifact explained
Why this course exists
An alert tells you a rule fired on a Mac. It does not tell you what happened. When a macOS host is compromised, the questions that matter (what executed and whether Gatekeeper trusted it, who was logged in, what persisted across reboot, what the privacy controls recorded, what data left, and what was deleted to cover it) are answered nowhere in the alert. They are answered in the evidence the system recorded while it happened: Unified Logging, FSEvents, the launchd plists, the quarantine database, KnowledgeC and Biome, and the per-app SQLite stores.
Most people come to macOS forensics from Windows or Linux and try to run the same playbook. It does not transfer cleanly. There is no Prefetch and no Amcache. Memory acquisition is effectively closed on Apple Silicon. FileVault and the Secure Enclave decide whether you get readable disk contents at all. And Apple keeps removing artifacts in the name of privacy, so an artifact that existed last year may be gone this year, while macOS 26 introduces new ones. This course is built for that reality. It is organized around the questions an investigator actually has to answer on a Mac, it teaches each one from the evidence up, and it is honest about the gaps, because reasoning about what you cannot recover is part of the job.
What you will be able to do
This course is built around what you can prove at the end, not the artifacts you can name. Every module puts a real macOS question in front of you and makes you answer it from the evidence, then defend the answer.
Acquire and triage a modern Mac
Make the right acquisition call on Apple Silicon and FileVault systems, where full physical imaging is often off the table, and triage fast to find where to dig.
Read the macOS evidence
Work Unified Logging, FSEvents, property lists, the quarantine database, KnowledgeC and Biome, and per-app SQLite stores the way an examiner does.
Prove execution and persistence
Establish what ran and whether the system trusted it without Prefetch or Amcache, and find every persistence mechanism from LaunchAgents to Background Task Management.
Reconstruct user activity
Rebuild pattern-of-life from KnowledgeC and Biome, recover browser, message, and clipboard activity, and read the macOS 26 artifacts that record deliberate intent.
Detect anti-forensics and reason about gaps
Spot log tampering, timestamp manipulation, and cleared artifacts, and reason honestly about what Apple Silicon, SIP, and on-device processing put out of reach.
Build a defensible timeline
Correlate every artifact source into one chronological account with calibrated confidence, and document findings that hold up to scrutiny.
You also leave with skills that outlast any single macOS release: a repeatable investigation method, a command and artifact reference for real engagements, and the judgment to tell a real signal from a benign one on a platform that changes every year.
The evidence you will work
A Mac is not one source of truth; it is dozens. Unified Logging records authentication and system events. FSEvents is the file system changelog. launchd plists and the Background Task Management database hold persistence. KnowledgeC and Biome record pattern-of-life down to app focus and, on macOS 26, individual menu selections. The quarantine database and extended attributes prove where a file came from. Each records a different slice, and the real picture only appears when you pull them together into one timeline that survives questioning.
You work the same free tooling a professional examiner uses: mac_apt, APOLLO, iLEAPP, FSEventsParser, ccl-segb, and the native log, plutil, and mdls commands, run against realistic macOS evidence with attacks staged inside it. The artifact structures, paths, and tool output you read are real and current. What carries beyond this course is the discipline: ask the question, find the evidence that answers it, place it on the timeline, defend it. The artifacts are macOS-specific. The investigative habit runs every engagement on any platform.
Two limits are worth stating up front, because honesty about them is part of the skill. Memory forensics is effectively closed on Apple Silicon under SIP, so this course does not pretend otherwise and teaches live response through the artifacts it leaves behind. And Apple's move toward on-device intelligence means some content (original-language messages translated on device, for example) is simply never written to disk. You will learn to recognize those gaps and reason around them rather than assume an absence means nothing happened.
How the course is built
Twelve modules move through four phases. You set the foundations and learn the macOS security model and architecture, learn to acquire evidence and read Unified Logging, work the investigation questions one by one, then assemble everything and prove the whole skill set in a full intrusion capstone.
What you need and who this is for
There are no prerequisites, and every artifact is explained the first time you meet it. This course is for anyone who needs to investigate Macs: DFIR analysts who can work Windows or Linux but hit a wall when a Mac lands on their desk, incident responders building Apple coverage, SOC analysts moving into forensics, and IT and security staff managing Mac fleets who need to know what a compromised machine can tell them.
Transferable investigative method
Ask the question, find the evidence, place it on the timeline, defend it. The artifacts are macOS; the method runs any forensic engagement on any platform.
Free tools, current to macOS 26
The analysis toolstack is open-source and the content is verified against Sequoia 15 and Tahoe 26, so what you learn matches the Macs you will actually examine.
How to get the most
Answer each investigation question against the evidence yourself before reading the explanation, and keep the procedures that work. That habit is how your reference gets built.
Do I already know this material?
Six quick scenarios across the full range of this course, from acquisition on Apple Silicon to building a defensible macOS investigation. Answer them to find out where you sit, and whether this course builds a capability you do not yet have or sharpens knowledge you already have.
Scenario 1. You are called to a running, FileVault-encrypted MacBook on Apple Silicon that is part of an active incident. What is the realistic acquisition approach?
a) Power it off and pull a full physical disk image with a write blocker, the same as a Windows tower.
b) Acquire from the live, unlocked system: a logical or triage collection of the decrypted file system and volatile state, because Apple Silicon plus FileVault and the Secure Enclave make a traditional physical image off the box impractical, and powering off loses your decrypted access.
c) Remove the SSD and image it in another machine.
d) There is no way to acquire a FileVault Mac, so document and move on.
Answer: b. On Apple Silicon the internal storage is always encrypted with a key held by that machine's Secure Enclave, and FileVault entangles that key with the user's credentials, so a cold physical image is ciphertext you cannot unwrap on another machine and moving the NAND elsewhere gives you nothing readable. The decrypted file system is reachable only while the machine is unlocked and running, so you collect logically before you lose that state. M3 covers this decision in full.
Scenario 2. You need to prove a binary executed on a Mac and establish where it came from. macOS has no Prefetch and no Amcache. Where do you turn?
a) Combine sources: the quarantine database and the where-from extended attribute for download provenance, Unified Logging and the install history for execution, and KnowledgeC or Biome for application usage, since no single macOS artifact is the execution oracle Prefetch is on Windows.
b) The Windows Prefetch folder on the Mac.
c) The Trash, which keeps every binary that ran.
d) You cannot prove execution on macOS at all.
Answer: a. macOS spreads execution and provenance evidence across several sources rather than one. The com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms extended attributes and the per-user LaunchServices QuarantineEventsV2 database show origin; Unified Logging and install receipts show execution; KnowledgeC and Biome show usage. M7 and M8 build the defensible claim from these together.
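The provenance half of that answer, as an added Python example that is not the course's own code: it parses the com.apple.quarantine extended attribute (flags, hex Unix timestamp, agent, event UUID), decodes the binary-plist kMDItemWhereFroms attribute, and joins the quarantine UUID against the LSQuarantineEvent table of the QuarantineEventsV2 database, converting its Cocoa-epoch timestamp to UTC. The attribute names, database path and column names are the real ones; the xattr values and the database rows are constructed so the script runs offline.

```python
"""Added example, not the course's own code: read where a downloaded file
came from on macOS. It parses the com.apple.quarantine xattr, decodes the
com.apple.metadata:kMDItemWhereFroms xattr, and joins the quarantine
xattr's UUID against the LaunchServices QuarantineEventsV2 database.
The xattr values and the database rows below are constructed; the
attribute names, QUARANTINE_DB path and LSQuarantineEvent columns are real."""
import datetime as dt
import plistlib
import sqlite3

# Per-user path of the quarantine event database on a real Mac.
QUARANTINE_DB = "~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"

# Seconds from the Unix epoch (1970-01-01) to the Cocoa epoch (2001-01-01).
# LSQuarantineTimeStamp, KnowledgeC and Biome all count from 2001.
COCOA_EPOCH_OFFSET = 978307200

# Constructed sample values (what `xattr -p` would show for a Safari download).
SAMPLE_QUARANTINE = "0183;66b2c3d4;Safari;1F2A3B4C-5D6E-7F80-9A0B-C1D2E3F4A5B6"
SAMPLE_WHEREFROMS = plistlib.dumps(
    ["https://example.test/dl/tool.zip", "https://example.test/downloads"],
    fmt=plistlib.FMT_BINARY,
)


def parse_quarantine_xattr(value: str) -> dict:
    """com.apple.quarantine is 'flags;hex-unix-seconds;agent;event-uuid'.
    The UUID is the join key into the quarantine event database."""
    flags, hex_time, agent, *rest = value.split(";")
    return {
        "flags": int(flags, 16),
        "downloaded_at": dt.datetime.fromtimestamp(int(hex_time, 16), dt.timezone.utc),
        "agent": agent,
        "event_uuid": rest[0] if rest else None,
    }


def parse_wherefroms_xattr(raw: bytes) -> list:
    """kMDItemWhereFroms is a binary plist array: download URL, then referrer."""
    return list(plistlib.loads(raw))


def cocoa_to_utc(seconds: float) -> dt.datetime:
    return dt.datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, dt.timezone.utc)


def lookup_quarantine_event(conn: sqlite3.Connection, event_uuid: str):
    """Return the LSQuarantineEvent row whose identifier matches the xattr UUID."""
    row = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString FROM LSQuarantineEvent "
        "WHERE LSQuarantineEventIdentifier = ?",
        (event_uuid,),
    ).fetchone()
    if row is None:
        return None
    ts, agent, bundle, data_url, origin_url = row
    return {"timestamp": cocoa_to_utc(ts), "agent": agent, "bundle_id": bundle,
            "data_url": data_url, "origin_url": origin_url}


def build_sample_quarantine_db() -> sqlite3.Connection:
    """In-memory stand-in with the subset of LSQuarantineEvent columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, "
        "LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT)"
    )
    # Constructed row: same UUID and instant as SAMPLE_QUARANTINE, in Cocoa seconds.
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)",
        ("1F2A3B4C-5D6E-7F80-9A0B-C1D2E3F4A5B6", 0x66B2C3D4 - COCOA_EPOCH_OFFSET,
         "com.apple.Safari", "Safari",
         "https://example.test/dl/tool.zip", "https://example.test/downloads"),
    )
    return conn


def provenance_report(quarantine_xattr: str, wherefroms_xattr: bytes, conn) -> dict:
    """Combine the three sources into one provenance record for a file."""
    q = parse_quarantine_xattr(quarantine_xattr)
    event = lookup_quarantine_event(conn, q["event_uuid"]) if q["event_uuid"] else None
    # Agreement between independent records is what makes the claim defensible.
    consistent = bool(event) and abs((event["timestamp"] - q["downloaded_at"]).total_seconds()) < 60
    return {"xattr": q, "where_froms": parse_wherefroms_xattr(wherefroms_xattr),
            "db_event": event, "consistent": consistent}


if __name__ == "__main__":
    report = provenance_report(SAMPLE_QUARANTINE, SAMPLE_WHEREFROMS, build_sample_quarantine_db())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live Mac the two attribute values come from `xattr -p com.apple.quarantine <file>` and `xattr -px com.apple.metadata:kMDItemWhereFroms <file>` (the latter prints hex; feed `bytes.fromhex(...)` to parse_wherefroms_xattr), and the database from `sqlite3.connect(os.path.expanduser(QUARANTINE_DB))`. A file with a quarantine xattr but no matching database row, or a timestamp that disagrees by more than a few seconds, is worth a closer look rather than a silent pass.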
Scenario 3. You suspect a persistence mechanism on a Mac running macOS 26. Where do you look to find every background item, including ones a simple LaunchAgent scan would miss?
a) Only the Startup Items folder from classic Mac OS.
b) The Windows Run registry keys.
c) The LaunchAgents and LaunchDaemons plists across the user, local, and system domains, and the Background Task Management database, which since macOS 13 records login items and background agents in one place and is read with sfltool dumpbtm, alongside configuration profiles and login items.
d) There is no central record of persistence on macOS.
Answer: c. Plist scanning alone misses items registered through newer APIs such as SMAppService. The Background Task Management database consolidates the modern persistence surface, which is why it is the highest-value single source. M6 teaches the full taxonomy and how to triage it.
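The plist half of that answer as an added Python example, not the course's own code: it walks the LaunchAgents and LaunchDaemons directories for the system, local and per-user domains under an image root, parses each plist, flags items that auto-start (RunAtLoad or KeepAlive) from a program path Apple does not own, and, when run on a live macOS 13+ host, calls `sfltool dumpbtm` for the Background Task Management view. The directory layout is the real one; the sample tree that build_sample_tree() writes, and the labels and paths in it, are constructed.

```python
"""Added example, not the course's own code: enumerate launchd persistence
across the system, local and user domains under a mounted image root,
triage what auto-starts from non-Apple paths, and fall back to
`sfltool dumpbtm` for Background Task Management on a live macOS 13+ host.
DOMAIN_DIRS and USER_DIR are the real plist locations; the sample tree
built by build_sample_tree() is constructed."""
import os
import plistlib
import shutil
import subprocess
import tempfile

# Real launchd plist directories, relative to the root of the examined volume.
DOMAIN_DIRS = {
    "system": ("System/Library/LaunchAgents", "System/Library/LaunchDaemons"),
    "local": ("Library/LaunchAgents", "Library/LaunchDaemons"),
}
USER_DIR = "Library/LaunchAgents"  # relative to each home under Users/

# Program paths Apple owns; anything else that auto-starts deserves a look.
APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def plist_dirs(root):
    """Yield (domain, directory) for every launchd plist location."""
    for domain, rel_dirs in DOMAIN_DIRS.items():
        for rel in rel_dirs:
            yield domain, os.path.join(root, rel)
    users = os.path.join(root, "Users")
    if os.path.isdir(users):
        for home in sorted(os.listdir(users)):
            yield "user", os.path.join(users, home, USER_DIR)


def program_of(plist):
    """launchd runs Program, or argv[0] of ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def enumerate_launchd(root):
    items = []
    for domain, directory in plist_dirs(root):
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)  # XML and binary plists alike
            except Exception as exc:  # an unparseable plist is itself a finding
                items.append({"domain": domain, "path": path, "error": str(exc)})
                continue
            program = program_of(data)
            items.append({
                "domain": domain, "path": path, "label": data.get("Label"),
                "program": program,
                "run_at_load": bool(data.get("RunAtLoad")),
                "keep_alive": bool(data.get("KeepAlive")),  # bool or a dict of conditions
                "non_apple_program": bool(program) and not program.startswith(APPLE_PREFIXES),
            })
    return items


def triage(items):
    """Auto-starting items whose program lives outside Apple-owned paths.
    A review list, not a verdict: legitimate third-party agents land here too."""
    return [i for i in items
            if i.get("non_apple_program") and (i["run_at_load"] or i["keep_alive"])]


def dump_btm():
    """Background Task Management view (macOS 13+, live host, normally as root).
    Returns sfltool's text output, or None when sfltool is not available."""
    if shutil.which("sfltool") is None:
        return None
    result = subprocess.run(["sfltool", "dumpbtm"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


def build_sample_tree():
    """Constructed image root: one Apple daemon, one third-party helper that does
    not auto-start, and one user agent masquerading under an Apple-style label."""
    root = tempfile.mkdtemp(prefix="macimg-")
    samples = {
        "System/Library/LaunchDaemons/com.apple.example.plist": {
            "Label": "com.apple.example", "Program": "/usr/libexec/example", "RunAtLoad": True},
        "Library/LaunchDaemons/com.vendor.helper.plist": {
            "Label": "com.vendor.helper",
            "ProgramArguments": ["/Library/PrivilegedHelperTools/com.vendor.helper"],
            "MachServices": {"com.vendor.helper": True}},
        "Users/alice/Library/LaunchAgents/com.apple.updater.plist": {
            "Label": "com.apple.updater",
            "ProgramArguments": ["/Users/alice/Library/.cache/updater", "-d"],
            "RunAtLoad": True, "KeepAlive": True},
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(content, fh)
    return root


if __name__ == "__main__":
    for item in triage(enumerate_launchd(build_sample_tree())):
        print(f"[{item['domain']}] {item['label']} -> {item['program']} ({item['path']})")
    btm = dump_btm()
    print(btm if btm else "sfltool unavailable here; run `sfltool dumpbtm` on the live Mac")
```

Point enumerate_launchd at a mounted image or a triage collection root to get the plist view; the BTM dump only exists on the live host, and it is the one that also lists items registered through SMAppService and the login-items UI, which is why the two views are read side by side rather than either alone. A user-domain agent with an Apple-looking label but a program under a hidden home directory, as in the constructed sample, is the classic case the triage filter is meant to surface.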
Scenario 4. You need to reconstruct what a user was actually doing on a Mac over a two-hour window: which apps, in what order, with what focus. What is the strongest source?
a) The desktop screenshot folder.
b) The KnowledgeC database and Apple's Biome streams, parsed with a tool such as APOLLO, which reconstruct app usage, focus intervals, and device activity into a pattern-of-life timeline, augmented on macOS 26 by newer streams that record finer-grained intent.
c) The Dock preferences file.
d) User activity cannot be reconstructed without EDR.
Answer: b. KnowledgeC and Biome are the macOS pattern-of-life spine, recording app focus and activity at fine grain. APOLLO turns them into a timeline. M8 covers these and the macOS 26 additions that record deliberate user actions.
Scenario 5. On a macOS 26 system, a suspect sent messages that were composed in one language and delivered to the recipient in another. You cannot find the original-language text anywhere on disk. How do you treat this?
a) Conclude the messages were never sent.
b) Assume the parser is broken and keep searching the same database.
c) Report the translated text as the verbatim original.
d) Recognize that on-device Live Translation processes the text locally and frequently does not retain the original input, treat the absence as a known platform visibility limit rather than proof of nothing, and corroborate intent and content from other sources such as drafts, notifications, and the other party's device.
Answer: d. Apple's on-device features deliberately avoid persisting some data. A missing original is a known limitation of the platform, not evidence that nothing happened. The skill is naming the gap honestly and corroborating around it. M8 and M12 cover this reasoning.
Scenario 6. You have strong individual findings from Unified Logging, FSEvents, quarantine, and KnowledgeC. What turns them into a defensible macOS investigation result?
a) Listing every artifact you parsed.
b) Reporting only the single most dramatic finding.
c) Correlating the findings into one chronological account where each conclusion is supported by more than one independent source, with the confidence of each stated and the platform's limits acknowledged, so the narrative holds up rather than being a pile of facts.
d) Whichever conclusion the client expects.
Answer: c. A defensible result is a corroborated story: events in order, each claim backed by multiple sources, confidence calibrated, and gaps stated. M12 builds the timeline and the findings discipline that turns parsed artifacts into an investigation.
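Scenarios 4 and 6 together, as an added Python example that is not the course's own code: it reads app-focus intervals from a KnowledgeC-style ZOBJECT table (the '/app/inFocus' stream), normalizes records that use different clocks (KnowledgeC and the quarantine database count Cocoa seconds from 2001; `log show --style syslog` prints ISO timestamps with a UTC offset) onto one UTC timeline, and then counts how many independent sources stand behind a claim inside a time window. The ZOBJECT column names and stream names are real; every row, log line and quarantine record below is constructed, and the confidence labels are this example's own convention.

```python
"""Added example, not the course's own code: KnowledgeC app-focus intervals,
a merged UTC timeline across KnowledgeC, Unified Logging and the quarantine
database, and a corroboration count per claim. ZOBJECT columns and the
'/app/inFocus' stream name are real; all rows and log lines are constructed."""
import datetime as dt
import sqlite3
from dataclasses import dataclass
from typing import Optional

COCOA_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01


def cocoa_to_utc(seconds):
    return dt.datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, dt.timezone.utc)


def utc(iso):
    return dt.datetime.fromisoformat(iso)


@dataclass
class Event:
    when: dt.datetime
    source: str
    what: str
    until: Optional[dt.datetime] = None  # set for interval records such as app focus


def build_sample_knowledgec():
    """Minimal stand-in for knowledgeC.db (~/Library/Application Support/Knowledge/)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
                 "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)")
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?, ?, ?, ?)",
        [("/app/inFocus", "com.apple.Safari", 744684300.0, 744684600.0),    # 00:45-00:50 UTC
         ("/app/usage", "com.apple.Safari", 744684300.0, 744684600.0),      # other stream, filtered out
         ("/app/inFocus", "com.apple.Terminal", 744684600.0, 744685200.0)])  # 00:50-01:00 UTC
    return conn


SAMPLE_LOG_LINES = [  # constructed, in `log show --style syslog` layout
    "2024-08-07 00:47:30.112233+0000 MacBook-Pro syspolicyd[345]: assessment of /Users/alice/Downloads/tool.zip",
    "2024-08-07 00:51:05.000000+0000 MacBook-Pro sudo[901]: alice : TTY=ttys001 ; PWD=/Users/alice ; "
    "USER=root ; COMMAND=/bin/launchctl load /Users/alice/Library/LaunchAgents/com.apple.updater.plist",
]
SAMPLE_QUARANTINE_ROWS = [  # (LSQuarantineTimeStamp, agent, data URL), constructed
    (744684372.0, "Safari", "https://example.test/dl/tool.zip"),  # 00:46:12 UTC
]


def app_focus_intervals(conn):
    """Pattern of life: which app had focus, in order, with UTC start and end."""
    rows = conn.execute("SELECT ZVALUESTRING, ZSTARTDATE, ZENDDATE FROM ZOBJECT "
                        "WHERE ZSTREAMNAME = '/app/inFocus' ORDER BY ZSTARTDATE")
    return [(app, cocoa_to_utc(start), cocoa_to_utc(end)) for app, start, end in rows]


def parse_log_line(line):
    """'YYYY-MM-DD HH:MM:SS.ffffff+zzzz host proc[pid]: message' -> Event in UTC."""
    date, time, rest = line.split(" ", 2)
    when = dt.datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f%z")
    _host, proc, msg = rest.split(" ", 2)
    return Event(when.astimezone(dt.timezone.utc), "unifiedlog", f"{proc.rstrip(':')} {msg}")


def timeline(conn, log_lines, quarantine_rows):
    events = [Event(s, "knowledgec", f"{app} in focus", e) for app, s, e in app_focus_intervals(conn)]
    events += [parse_log_line(line) for line in log_lines]
    events += [Event(cocoa_to_utc(ts), "quarantine", f"{agent} downloaded {url}")
               for ts, agent, url in quarantine_rows]
    return sorted(events, key=lambda ev: ev.when)


def corroborating_sources(events, at, window_seconds=300):
    """Distinct sources with a record touching [at - window, at + window]."""
    lo, hi = at - dt.timedelta(seconds=window_seconds), at + dt.timedelta(seconds=window_seconds)
    return sorted({ev.source for ev in events if ev.when <= hi and (ev.until or ev.when) >= lo})


def confidence(n_sources):
    """This example's own labels: one source is a lead, two or more is a finding."""
    return {0: "unsupported", 1: "single source"}.get(n_sources, "corroborated")


if __name__ == "__main__":
    evs = timeline(build_sample_knowledgec(), SAMPLE_LOG_LINES, SAMPLE_QUARANTINE_ROWS)
    for ev in evs:
        span = f" .. {ev.until:%H:%M:%S}" if ev.until else ""
        print(f"{ev.when:%Y-%m-%d %H:%M:%S}{span}  {ev.source:<11} {ev.what}")
    claim = utc("2024-08-07T00:46:12+00:00")  # "Safari downloaded tool.zip around 00:46"
    srcs = corroborating_sources(evs, claim)
    print(f"claim support: {srcs} -> {confidence(len(srcs))}")
```

Two things this makes concrete. First, the clock conversion is where cross-source timelines usually go wrong: a Cocoa timestamp read as Unix lands 31 years early, and a `log show` line read without its offset drifts by the local timezone, so every source is converted to aware UTC before anything is compared. Second, the corroboration count is what the confidence statement in a report should rest on: the constructed download claim is touched by three sources, while a claim at 01:30 touches none and should be written up as a gap, not a finding.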
This course is for you.
You will build macOS investigation from acquisition and the security model through Unified Logging, the file system, persistence, execution and provenance, user activity, and malware analysis, into a full intrusion capstone, current to Sequoia 15 and macOS 26 Tahoe.
You have the fundamentals. The value here is the harder half.
You know how to acquire and read the core artifacts, so the payoff is the back half: Biome pattern-of-life, the macOS 26 artifacts, anti-forensics and gap reasoning, Mach-O analysis, and the timeline that ties an investigation together.
You handled Apple Silicon acquisition, cross-source execution, the modern persistence surface, on-device visibility limits, and building a defensible picture: the senior end of the discipline. Take the course to stay current with macOS 26, close the gaps you did not expect, and turn strong instincts into investigations that hold up.
You are a student of this course now, so start by deciding what you want from it. Are you here to build a macOS forensic capability from the ground up, to add Apple coverage to incident response you already do well, or to be ready for real casework on Macs? Name that outcome, then turn it into a study plan: which investigation questions matter most to your work, how much time you will give it each week, and what you want to be able to prove by the time you finish.
The rest of Module 0 sets you up to do exactly that. Work through it to see what macOS investigation actually is, how the course is structured across two macOS versions, the toolstack, the evidence-handling practices that keep your work defensible, and how to set up your analysis environment. Then begin Module 1.