Bunting Digital Forensics, LLC

Digital Forensic Examinations

Copyright © 2016 | Bunting Digital Forensics, LLC

Instructional Services - Bunting Digital Forensics, LLC

Steve Bunting has been an instructor for Guidance Software, makers of EnCase, the world's go-to tool for computer forensics.  While teaching directly for Guidance Software, he taught courses, as either lead or instructor, at all levels including the expert series courses.  More recently, working with Guidance Software ATPs (Authorized Training Partners), he has taught EnCase 7 to several agencies around the globe.


Steve is the only contract trainer in the U.S. for MSAB, makers of the XRY Ecosystem of Mobile Forensic Software.  MSAB is based in Stockholm, Sweden and has offices in most of the major regions of the world.  He has trained hundreds of examiners in the U.S. and around the world.


Steve has a long history of teaching digital forensics courses on varied topics internationally under the auspices of the U.S. Department of State's Anti-Terrorism Assistance (ATA) Program and also the Organization of American States.  As such, he has trained hundreds of law enforcement officers from nearly twenty countries outside the U.S.


Bunting Digital Forensics, LLC offers its own Macintosh Digital Forensics course.  This is a one-week certification course (extensible to two weeks in some environments) leading to certification as an Alternative OS Certified Forensic Analyst upon completion of the course and successful passing of a written examination that encompasses hands-on skills.  The course covers the following modules:

  • Welcome & Introduction
  • OS X and HFS Plus File System
  • PLIST Files and Timestamps
  • Macintosh Applications
  • Third Party Applications
  • Browsers on the Macintosh
  • Logging on the Macintosh
  • Incident Response Procedures and Techniques for Macintosh Systems
  • Imaging Storage Media on Macintosh Systems
  • Special Imaging Problems - Core Storage, File Vault, & Fusion Drives
  • Digging Deeper - Research Techniques to Help Establish User Culpability
  • Using Common Forensic Tools to Examine Macs
  • Using a Mac to Search and Report Evidence
  • Final written test, which includes practical skills


Unlike many other training programs out there, we take a different approach.  Some companies like to keep you coming back to them for the next course or refresher training.  While that's good from the bottom-line perspective, our approach emphasizes teaching the examiner to be a researcher along the way.  We do so from the very outset.  We use a tool to monitor and examine artifacts as they are created, under the hood.  We allow the examiner to see the cause and effect relationships that we call artifacts, as they are created.  By the time we reach the module "Digging Deeper", the foundation is already in place and the examiner has the skills needed to research, locate, and understand almost any OS X artifact.  They can do this for themselves and testify first-hand, rather than depend on third parties for this information.  We create true analysts, not push-button versions by the same name.  We follow the old adage "Give a person a fish and you feed them one meal; teach that same person how to fish and they can feed themselves for a lifetime".  That's our approach to our Macintosh Forensics Training Course and all the other training we do.


Custom courses: Bunting Digital Forensics, LLC is known for developing custom courses to meet the special requirements of a variety of clients.  We have experience developing the following custom courses:

  • Macintosh Forensics & Advanced Forensics Consultation - a two-week course designed to familiarize the novice with the Mac, working quickly towards intermediate skills in Macintosh forensics
  • An Incident Response Course that was developed and delivered entirely by means of the virtual reality instructional software AvayaLive.  This was the first time this type of course was delivered by this means.  It was developed for the U.S. Department of State and delivered in June 2014.
  • Windows Server Incident Response is a one-week course developed and delivered to a mixed group of IT personnel combined with police officers with cyber skills.  This course first delves into Windows server products and then uses EnCase to examine a series of compromised server images.
  • Windows / Linux / Macintosh Server Incident Response Course is a two-week course in which the students are exposed to server products on the three aforementioned operating systems.  They study the more common attack vectors and the artifacts that remain behind.  They use EnCase or the tool of their choosing to examine these artifacts.  During the second week they break into four teams and rotate through an incident response of a compromised rack of four servers consisting of a Windows Domain Server, a Windows File Server, an OS X server, and a Linux server configured as a syslog server receiving the logs from a Cisco ASA.  When done, they examine the data and report their findings.


As you can see, the possibilities for custom courses are endless.  If you have a training need, and who doesn't, contact Steve and we can discuss a solution.  


