Welcome to the Surviving Digital Forensics series. This class is focused on helping you get a better understanding of OS X Time Stamps and to become a better Mac examiner.
As with previous SDF classes you will learn by doing. The class begins with a brief overview of OS X time - as Apple sees it - then we will get into a number of validation exercises to see how user activity really affects Apple time stamps. Learning is hands on and we will use applications already installed on your Mac to do so.
Expert and novice Mac examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply to all versions of OS X. Therefore you are not just going to learn about OS X timestamps but learn a method you can use to answer many date and time questions that may come up in the future.
1. Introduction and Welcome to the SDF series
2. What this class is all about
3. How to get the most of this class
4. The finer points of OS X dates and times
5. Time from a User's point-of-view
6. Apple metadata timestamps & the MDLS command
7. Latency issues
8. Validation Exercise: New file
9. Validation Exercise: Modified file
10. Validation Exercise: Moving file within same volume
11. Validation Exercise: Moving file to a different volume
12. Validation Exercise: Accessing a file
13. Validation Exercise: Downloading a file
14. Validation Exercise: Deleting a file
15. Summary of findings
16. Thoughts on time attribute artifacts
17. Conclusion & final thoughts