Apple File System Forensics

Title: Apple File Systems Forensics
Duration: 2 months e-learning + 1 week on-site training

Course Aim

The aim of this course is to provide forensic examiners with an understanding of the technology that underpins the Apple file systems HFS+ and APFS, and of the practical application of that knowledge from an investigator’s perspective. This will also enable them to better assemble evidence for the court that is clear and supportive of evidential needs. Training will encompass the latest best practice, technologies and techniques available to Law Enforcement Specialists.


This course is an advanced level module and relates to Forensic Computing. Students are expected to have successfully participated in basic training for High Tech Crime Investigators and have a solid understanding of other file systems and the Linux terminal prior to attending this course. Ideally, students should have successfully completed the ECTEG Introductory IT Forensics.

Students will need to be able to understand and communicate in English.

Small list of agenda / topics / main points

Content includes:

  • GPT partitioning system properties
  • HFS+ file system properties and associated artefacts
  • APFS file system properties and associated artefacts
  • Advanced file recovery using Journals / Snapshots
  • Handling Encryption

If you are interested in applying for these courses please read the following page