This course is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS examinations and the use of the GrayKey device.
Students must be part of a law enforcement agency that has been cleared by Grayshift in order to attend this course.
Students will get hands-on use of the GrayKey device and learn how to fully operate it — including how to establish a proper workflow for handing iOS devices in the field to the lab and how to acquire a full file system image of iOS devices.
Magnet AXIOM will also be leveraged to learn how the iOS filesystem is structured, how to locate key data, and how artifacts are structured. In addition, students will learn about artifacts specific to the iOS full file system and its multiple levels of data protection. Third-party artifact analysis of several advanced, secure artifacts will be covered, including how the device keychain ties into these artifacts. A methodology will be discussed on how to conduct deep-level iOS examinations and how to understand specific operating system artifacts in context to show device interactions over time. Students will learn how to put someone behind a device physically interacting with it, and even sometimes where that device has been.