Vitaly Kamluk

Vitaly Kamluk is a cybersecurity researcher based in Singapore with over 20 years of
experience. Previously, as a Principal Security Researcher, he led a cyber threat
intelligence unit focusing on targeted attack investigations. In 2014-2016, Vitaly worked at
the INTERPOL Digital Forensics Lab as a cybersecurity expert. Vitaly participates in infosec
mentorship initiatives, volunteers to deliver free talks for the next generation of researchers, and
is one of the Black Hat speaker coaches. Over the years, he has conducted research on various
subjects and presented at many conferences, including Black Hat, DEF CON,
Hitcon, BSides, Ruxcon, Sincon, FIRST and Botconf.
Vitaly runs TitanHex, a cybersecurity startup in Singapore. He is also an advisor to TLPBLACK
and a researcher with SentinelLABS. He is passionate about a broad set of cybersecurity topics,
including reverse engineering, malware analysis, cyberthreat intelligence, computer forensics,
cryptography, privacy and hardware hacking.


Session

04-14
13:00
300min
Inside Apple Silicon: Practical Live Forensics on Modern Macs
Nicolas Collery, Vitaly Kamluk

Apple Silicon Macs introduce a radically different platform for digital investigations. Strong security controls, a closed boot chain, and limited support for external operating systems make traditional forensic workflows impractical. This workshop is designed for practitioners who need working techniques, not just theory, to analyze modern macOS systems in the field.

We start by reviewing core live forensics principles, including software write-blocking, and compare traditional dead-box acquisition with live approaches. Realistic investigation scenarios are discussed, from local device access to remote and cloud-based systems, highlighting when live analysis is the only viable option.

The workshop then focuses on booting strategies. After a brief comparison with PCs and servers, we dive into Apple Silicon-specific boot mechanics: standard boot, recovery mode, and failsafe recovery mode. Participants will learn how Apple’s boot design restricts custom OS loading and how these restrictions impact forensic workflows.

A key part of the workshop explores what methods exist to access Apple Silicon hardware. We explain the chainloading model, installation steps, and practical challenges such as hardware device trees and external boot constraints.

Finally, we demonstrate how to boot and use a live USB-based forensic operating system on Apple Silicon Macs. To our knowledge, external USB boot is still a problem for Apple Silicon Macs, which has not been solved in any existing Linux distribution. However, we found a workaround that helps to solve this problem. We hope we will have a chance to present it publicly for the first time during Botconf 2026. The workshop concludes with a practical overview of building a custom live forensic OS, enabling investigators to tailor their tooling for modern macOS targets both locally and remotely.

Requirements:
1. Apple Silicon MacBook (M1 or M2)
2. USB-C flash drive (at least 64GB)
3. USB-C cable and a secondary laptop

Workshops
Room 4