Name
Using GrayKey and AXIOM to Acquire and Parse iOS Data That Other Tools Miss
Description
The invention of the GrayKey device was a game-changer for forensic examiners trying to access crucial evidence locked behind Apple’s privacy gates. The ability to go beyond backup files and reach file system, process memory, and keychain data that had remained restricted for years means that a locked iOS device is no longer the barrier it once was.
 
In this lab, learn about:
 
  • The many changes to iOS between the versions and sub-versions of iOS 10, 11, and 12.
  • Passcode issues, the limits of biometrics, pairing certificates, and USB Restricted Mode.
  • The need to bypass and brute-force the handset lock code.
  • How to use a GrayKey device to extract data not available from any other forensic tool.
  • Using Magnet AXIOM to ingest and process the resulting file system, process memory, keychain, and backup images, including:
    • What they can yield.
    • How to extract the most information available.
    • Putting it together with other data such as what’s available from iCloud.
    • Utilizing built-in AXIOM tools such as the Dynamic App Finder, SQLite viewers, and Plist viewers to extend your investigations to recover additional artifacts.