Inside Apple Silicon: Practical Live Forensics on Modern Macs
2026-04-14 , Room 4

Apple Silicon Macs introduce a radically different platform for digital investigations. Strong security controls, a closed boot chain, and limited support for external operating systems make traditional forensic workflows impractical. This workshop is designed for practitioners who need working techniques, not just theory, to analyze modern macOS systems in the field.

We start by reviewing core live forensics principles, including software write-blocking, and compare traditional dead-box acquisition with live approaches. Realistic investigation scenarios are discussed, from local device access to remote and cloud-based systems, highlighting when live analysis is the only viable option.

The workshop then focuses on booting strategies. After a brief comparison with PCs and servers, we dive into Apple Silicon-specific boot mechanics: standard boot, recovery mode, and failsafe recovery mode. Participants will learn how Apple’s boot design restricts custom OS loading and how these restrictions impact forensic workflows.

A key part of the workshop explores the methods that exist to access Apple Silicon hardware. We explain the chainloading model, installation steps, and practical challenges such as hardware device trees and external boot constraints.

Finally, we demonstrate how to boot and use a live USB-based forensic operating system on Apple Silicon Macs. To our knowledge, external USB boot remains an unsolved problem for Apple Silicon Macs in every existing Linux distribution. However, we found a workaround that solves this problem, and we hope to present it publicly for the first time during Botconf 2026. The workshop concludes with a practical overview of building a custom live forensic OS, enabling investigators to tailor their tooling for modern macOS targets both locally and remotely.

Requirements:
1. Apple Silicon MacBook (M1 or M2)
2. USB-C flash drive (at least 64 GB)
3. USB-C cable and a secondary laptop

Vitaly Kamluk is a cybersecurity researcher based in Singapore with over 20 years of experience. Previously, as a Principal Security Researcher, he led a cyber threat intelligence unit focusing on targeted attack investigations. In 2014-2016, Vitaly worked at the INTERPOL Digital Forensics Lab as a cybersecurity expert. Vitaly participates in infosec mentorship initiatives, volunteers to deliver free talks for the next generation of researchers, and is one of the Black Hat speaker coaches. Over the years, he has conducted research on various subjects and presented at many conferences, including Black Hat, DEF CON, Hitcon, BSides, Ruxcon, Sincon, FIRST and Botconf.

Vitaly runs TitanHex, a cybersecurity startup in Singapore. He is also an advisor to TLPBLACK and a researcher with SentinelLABS. He is passionate about a broad set of cybersecurity topics, including reverse engineering, malware analysis, cyber threat intelligence, computer forensics, cryptography, privacy and hardware hacking.

Nicolas Collery has been in the security field for over 20 years, focusing on fighting cybercrime. He is passionate about forensics, malware analysis, and now about simulating attacks based on real adversaries' tactics, techniques and procedures to assess the capability to prevent, detect and respond.

He has presented at multiple conferences and security events in Singapore featuring various applications of remote forensic toolkits, including bypass of proprietary full disk encryption, cloud forensics and more. Nicolas now leads the active defence services at DBS Bank, headquartered in Singapore, which comprise the threat intelligence, penetration testing, vulnerability assessment and red & purple teaming practices. He is a primary incident responder for the DBS Computer Emergency Response Team (DBSCERT).

Nicolas also leads application security in DBS to maintain the high standards expected by its customers. The focus of his team is to empower the bank to release applications at a fast pace using modern technologies, while ensuring security.