Events
Training Overview
We'll start by reviewing different iOS Malware behavior and investigate which traces the malware left behind in forensic sources. Then we will introduce the different forensic sources and how to acquire them.
All practical exercises are built around real world cases that have been found like NSO Group's Pegasus, Intellexa's Predator, Coruna and DarkSword.
At the end of the course participants will have an understanding how iOS Security Model work, forensics sources that are available and which traces and behavior malware leaves behind.
This course is focused on malicious behavior and the traces threat actors leave behind. While we sometimes take a look at Malware samples and their code - this is not a reversing class!"
Training Details
This hands-on iOS Forensics Training course is designed to provide participants with advanced skills in the analysis and investigation of iOS devices exhibiting unusual behaviors. Participants will engage in practical exercises using real word malware and exploit cases and the indicator they left behind. The primary objective is to conduct a comprehensive forensic examination to determine the underlying issues affecting these devices.
Throughout the training, participants will learn to identify Indicators of Compromise (IOCs) and use state-of-the-art forensic tools and techniques to analyze the devices‘ data. They will scrutinize system files, applications, and user data to ascertain whether the anomalies are the result of malicious infections, such as malware or spyware, or if they stem from non-malicious activities like jailbreaking.
The training is structured over three days:
Day 1: Past Attacks / Malware, Backups, Pegasus Case Study
Focuses on understanding the security model of iOS, past malware case and we will introduce iTunes Backups and work on a Pegasus Case Study.malicious apps, identifying jailbreaks, and gathering forensic data.
Day 2: Sysdiagnose & Crashlogs, Coruna & Predator Case Study
Dedicated to detecting both known and unknown attacks using forensic artifacts, such as Sysdiagnose & Crashlogs. This day contains a case study to Predator and Coruna.
Day 3: Unified Logs, Going Dark, DarkSword Case Study
Completes the sections on unknown attacks and includes a case study DarkSword an Exploit Framework targeting iOS 18.4. - 18.7. Additionally we will dive deep into UnifiedLogs.
The course will cover key topics including data acquisition, artifact analysis, timeline reconstruction, IOC generation and anomaly detection. By the end of the training, participants will have developed a nuanced understanding of iOS forensic processes and be equipped with the necessary skills to diagnose and address a range of security issues in iOS environments. This training is ideal for digital forensic investigators, security professionals, and anyone interested in mastering the art of iOS forensic analysis.
Requirements & Prerequisites
Technical Requirements
Participants need to bring a mac with at least macOS BigSur. Participants can bring an iOS device with them but it’s not a prerequisite. A few will be made available by the trainer. The trainer will additionally bring some jailbroken devices. A jailbroken iPhone is not a prerequisite.
Suggested Prerequisites
Students should be familiar with the iOS Operating System in general. Students should be familiar with the concept of Malware. Students should be familiar with the macOS terminal. Students need to be able to install programs on their Mac. Experience in Python and SQL is helpful but not required.
Additional Event Details
Venue
This in-person training will take place at OBTS v9.0 on November 15-17, 2026. The training will take place at the Hyatt Regency Maui. There are discounted room rates available on the OBTS Website.
Training Instructor
Matthias Frielingsdorf is Co-Founder and Vice President of Research & Development at iVerify. With over a decade of experience, Matthias has focused on understanding iOS exploitation and malware development. His achievements include his work on iOS threat research, capturing and analyzing multiple iOS malware samples. Matthias has conducted extensive research on iOS exploits and malware detections, regularly presenting his findings at conferences such as OBTS, BlackHat, RSA and LabsCon. He is also a sought-after trainer in detecting commercial spyware on iOS, conducting training sessions throughout the year at both private and public seminars. Beyond his professional pursuits, Matthias enjoys playing basketball and gaming, as well as learning more about iOS.
Motivation
When I started my research into iOS Malware there was one prominent statement “iPhones can’t be hacked”. Even back then in 2018 this was not true. Even though we had much less public cases and the OS was much easier to attack. Now in 2026 Apple notified people in 150 countries about targeted attacks. But still only rare cases of such Attacks are uncovered and even less often we see actual samples of Malware or Exploits. Then 2026 happened and not only one but two recent mass scale attacks on iOS were detected covering iOS 13 up to 18.7.With this training I want to share my knowledge and methodology about detecting such advanced attacks. I want to help people to get into this space and hopefully together we can detect more and more attacks!
iOS Threat Hunting: Detecting Advanced Malware Training
Since 2016 Pegasus is well known in the industry as the prime example for mercenary spyware targeting iOS devices. But did you know about Paragon’s Graphite, Quadream‘s Reign, Cytrox’s Predator, Coruna or DarkSword?
This three-day, in-person, hands-on iOS Forensics Training course teaches you how to investigate, detect, and analyze advanced threats targeting Apple's iOS platform. The course is centered around real world malware samples and the traces that are left behind.
Booking
There are limited seats available at a price of 3000 € + taxes. Please submit the form below, and we will contact you with a payment link.
November 15-17, 2026
OBTS v9.0: Hyatt Regency Maui
Register
Training Overview
We'll start by reviewing different iOS Malware behavior and investigate which traces the malware left behind in forensic sources. Then we will introduce the different forensic sources and how to acquire them.
All practical exercises are built around real world cases that have been found like NSO Group's Pegasus, Intellexa's Predator, Coruna and DarkSword.
At the end of the course participants will have an understanding how iOS Security Model work, forensics sources that are available and which traces and behavior malware leaves behind.
This course is focused on malicious behavior and the traces threat actors leave behind. While we sometimes take a look at Malware samples and their code - this is not a reversing class!"
Training Details
This hands-on iOS Forensics Training course is designed to provide participants with advanced skills in the analysis and investigation of iOS devices exhibiting unusual behaviors. Participants will engage in practical exercises using real word malware and exploit cases and the indicator they left behind. The primary objective is to conduct a comprehensive forensic examination to determine the underlying issues affecting these devices.
Throughout the training, participants will learn to identify Indicators of Compromise (IOCs) and use state-of-the-art forensic tools and techniques to analyze the devices‘ data. They will scrutinize system files, applications, and user data to ascertain whether the anomalies are the result of malicious infections, such as malware or spyware, or if they stem from non-malicious activities like jailbreaking.
The training is structured over three days:
Day 1: Past Attacks / Malware, Backups, Pegasus Case Study
Focuses on understanding the security model of iOS, past malware case and we will introduce iTunes Backups and work on a Pegasus Case Study.malicious apps, identifying jailbreaks, and gathering forensic data.
Day 2: Sysdiagnose & Crashlogs, Coruna & Predator Case Study
Dedicated to detecting both known and unknown attacks using forensic artifacts, such as Sysdiagnose & Crashlogs. This day contains a case study to Predator and Coruna.
Day 3: Unified Logs, Going Dark, DarkSword Case Study
Completes the sections on unknown attacks and includes a case study DarkSword an Exploit Framework targeting iOS 18.4. - 18.7. Additionally we will dive deep into UnifiedLogs.
The course will cover key topics including data acquisition, artifact analysis, timeline reconstruction, IOC generation and anomaly detection. By the end of the training, participants will have developed a nuanced understanding of iOS forensic processes and be equipped with the necessary skills to diagnose and address a range of security issues in iOS environments. This training is ideal for digital forensic investigators, security professionals, and anyone interested in mastering the art of iOS forensic analysis.
Requirements & Prerequisites
Technical Requirements
Participants need to bring a mac with at least macOS BigSur. Participants can bring an iOS device with them but it’s not a prerequisite. A few will be made available by the trainer. The trainer will additionally bring some jailbroken devices. A jailbroken iPhone is not a prerequisite.
Suggested Prerequisites
Students should be familiar with the iOS Operating System in general. Students should be familiar with the concept of Malware. Students should be familiar with the macOS terminal. Students need to be able to install programs on their Mac. Experience in Python and SQL is helpful but not required.
Additional Event Details
Venue
This in-person training will take place at OBTS v9.0 on November 15-17, 2026. The training will take place at the Hyatt Regency Maui. There are discounted room rates available on the OBTS Website.
Training Instructor
Matthias Frielingsdorf is Co-Founder and Vice President of Research & Development at iVerify. With over a decade of experience, Matthias has focused on understanding iOS exploitation and malware development. His achievements include his work on iOS threat research, capturing and analyzing multiple iOS malware samples. Matthias has conducted extensive research on iOS exploits and malware detections, regularly presenting his findings at conferences such as OBTS, BlackHat, RSA and LabsCon. He is also a sought-after trainer in detecting commercial spyware on iOS, conducting training sessions throughout the year at both private and public seminars. Beyond his professional pursuits, Matthias enjoys playing basketball and gaming, as well as learning more about iOS.
Motivation
When I started my research into iOS Malware there was one prominent statement “iPhones can’t be hacked”. Even back then in 2018 this was not true. Even though we had much less public cases and the OS was much easier to attack. Now in 2026 Apple notified people in 150 countries about targeted attacks. But still only rare cases of such Attacks are uncovered and even less often we see actual samples of Malware or Exploits. Then 2026 happened and not only one but two recent mass scale attacks on iOS were detected covering iOS 13 up to 18.7.With this training I want to share my knowledge and methodology about detecting such advanced attacks. I want to help people to get into this space and hopefully together we can detect more and more attacks!
iOS Threat Hunting: Detecting Advanced Malware Training
Since 2016 Pegasus is well known in the industry as the prime example for mercenary spyware targeting iOS devices. But did you know about Paragon’s Graphite, Quadream‘s Reign, Cytrox’s Predator, Coruna or DarkSword?
This three-day, in-person, hands-on iOS Forensics Training course teaches you how to investigate, detect, and analyze advanced threats targeting Apple's iOS platform. The course is centered around real world malware samples and the traces that are left behind.
Booking
There are limited seats available at a price of 3000 € + taxes. Please submit the form below, and we will contact you with a payment link.
November 15-17, 2026