FSEvents

I'm Back Baby!

Hello folks, I’m back! I took a bit of a break because burnout is no joke – seriously, take care of yourselves! I’ve been on what I’m calling a mid-career retirement – travelling the world to make up for lost pandemic travels.

I’ve been working on a few projects; most recently (and the purpose of this update), I have updated one of my favorite scripts, FSEventsParser from Nicole Ibrahim. I’ve ported it to Python 3 and added support for the latest FSEvents format, version 3 (SLD3 header), which came out in macOS 14.

FSEvents are one of my favorite forensic artifacts; if you aren’t parsing them out, you are absolutely missing fantastic file system related information. Files Created! Files Deleted! And so much more! You can get my version of the script here*: https://github.com/mac4n6/FSEventsParser

*Caveat: The new format has a new field; I have not yet dived into what it is used for.

This script came about because I’ve given my class a massive update. If you haven’t taken SANS FOR518 ever (or for a while), now is a great time to do so! There is a whole new dataset with the latest and greatest OSes, which also means an all new workbook with 23(!) new labs!

I’ve added a ton of new material and am super excited to introduce Corellium into the course in a new forensic testing module. If you’ve been around this blog for a bit, you know I’m a big proponent of testing EVERYTHING!

We also have a new CTF-style challenge thanks to Kat Hedley and I’ve been doing a demo of the Apple Vision Pros with live forensics!


Lee and I have classes coming up!

  • San Diego (In-Person and Online - This week, starts Thursday May 9!)

  • US DFIR Summit in August (Online Only)

  • APAC DFIR Summit “in” Tokyo in September with Japanese Translation (Online Only)

  • Europe DFIR Summit in October in Prague, CZ (In-Person and Online)

  • DFIRCon in November (Online Only)

  • In December Online “in” Tokyo with Japanese Translation (Online Only)

  • The new On Demand version of the course has also just dropped! Take it whenever you like!


Don’t forget this class has a GIAC cert now, the GIAC iOS and macOS Examiner (GIME).

I hope this is the first of a new generation of blogs that I release. I’ve got a few good ideas that I’d love to research and write about but I will also be taking it relatively easy so as to not burn out again.