CyberEd Essentials

macOS Lockdown Mode



Bhargav Rathod of Salesforce examines how macOS Lockdown Mode reshapes forensic visibility, investigative workflows and evidence reliability.

macOS Lockdown Mode introduces aggressive security controls designed to reduce attack surfaces, but these protections also disrupt established forensic workflows. As Apple expands privacy-first defenses, investigators face reduced visibility into artifacts, restricted data access and altered system behaviors that complicate evidence preservation. Understanding how Lockdown Mode functions, where forensic signals persist, and why traditional approaches fail is critical for maintaining investigative integrity on modern macOS devices.

This session examines the balance between platform security and forensic accountability, outlining practical considerations for analysts operating in constrained environments and highlighting the need for adaptive methodologies as operating systems evolve.

In this session, led by Bhargav Rathod, security analyst at Salesforce, you will learn:

  • Why macOS Lockdown Mode changes the forensic threat model for Apple endpoints;
  • How Lockdown Mode technically alters system services, logs and artifacts;
  • How to train investigators to recognize Lockdown Mode indicators during triage.
 

 

Here is the course outline:

macOS Lockdown Mode: Forensic Impact, Limitations and Investigative Strategies

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
