This course is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS examinations and the use of the GrayKey device.

Students must be part of a law enforcement agency that has been cleared by Grayshift in order to attend this course.

Students will get hands-on use of the GrayKey device and learn how to fully operate it — including how to establish a proper workflow for handing iOS devices in the field to the lab and how to acquire a full file system image of iOS devices.

Magnet AXIOM will also be leveraged to learn how the iOS filesystem is structured, how to locate key data, and how artifacts are structured. In addition, students will learn about artifacts specific to the iOS full file system and its multiple levels of data protection. Third-party artifact analysis of several advanced, secure artifacts will be covered, including how the device keychain ties into these artifacts. A methodology will be discussed on how to conduct deep-level iOS examinations and how to understand specific operating system artifacts in context to show device interactions over time. Students will learn how to put someone behind a device physically interacting with it, and even sometimes where that device has been.

Hear directly from Christopher Vance, Manager of Curriculum Development at Magnet Forensics, about why you should take our MAGaK (Magnet AXIOM & GrayKey) Advanced iOS Examinations (AX301) course, what you can expect when you take it, and what type of real-life experience he brings to the classroom.

Because AX301 is an intermediate-level course, it is strongly recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the cloud aspect of investigations in AX301.

MODULE 1: COURSE INTRODUCTION

• Cover the basic prerequisites for both the AXIOM software and GrayKey unit.

MODULE 2: UNDERSTANDING IOS AND APPLE’S SECURITY

• Discussion-focused coverage of the iOS operating system’s security functions and structure.
• Learn about device protection class keys, understanding the handset lock codes and their function, as well as other functions of the operating system.

MODULE 3: USING THE GRAYKEY DEVICE

• Covering all the options and settings of the GrayKey unit in order to successfully and efficiently operate the device to extract information from iOS devices.
• Information about the latest versions of iOS will be discussed.
• Learn how to gain access to information previously unavailable by most forensic techniques.
• See how to extract information from devices that are still passcode-locked as well as techniques to deal with the bypassing of the passcodes standing in their way.

MODULE 4: DEVICE IMAGE TYPES

• Compare the different types of extractions that can be generated with the GrayKey units, what examiners can expect to find in each type, and how this information can help further investigations in multiple ways.
• Learn how to explore key artifacts available in these different image types, exclusive to the GrayKey style of data extraction, and how to build methodologies to attempt more efficient passcode cracking.

MODULE 5: IMPORTING DATA IN MAGNET AXIOM

• Understand the multiple ways to ingest information and develop a proper workflow for ingesting information from GrayKey extractions.
• Learn about several AXIOM functions such as Dynamic App Finder, Search for Custom Files by Type, and how to target secure messaging applications.

MODULE 6: EXPLORING ARTIFACTS IN MAGNET AXIOM

• Explore multiple artifacts, including deep diving into artifacts that are core to the iOS file system — core artifacts will be explored in depth including techniques for recovering deleted information from these databases.
• Advanced file system artifacts such as PowerLog and KnowledgeC will be covered to talk about application usage times and data amounts. These and other artifacts will be explored to show examiners how to track when targets are interacting physically with a device in a specified timeframe.
• Exclusive file system artifacts such as location history, third party applications, and more will also be explored.