GK200 Graykey Examinations

Date

24 November 2026, 9:00 am

Venue

Birmingham, UK

Industry

Police, Military, Government

Course Length

4 Days

Difficulty

Advanced-level

Delivery Method

Classroom

Overview

GK200 is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and are seeking to expand their knowledge base into iOS and Android examinations using Magnet Graykey. Students must be part of a law enforcement agency and must be cleared in advance to attend this course. In this course, you will get hands-on use of the Graykey device and learn how to fully operate it—including how to establish a proper workflow for handling iOS and Android devices both in the field and in the lab and leveraging the Graykey to obtain crucial data from mobile-type devices. Magnet Axiom will also be leveraged to learn how mobile file systems are structured and how to locate key data. In addition, students will learn about artefacts specific to the extraction outputs of Magnet Graykey and the differing levels of data protection implemented on modern mobile devices. From Keychain and Keystores, to advanced methodologies to uncover operating system artifacts, students will learn how to effectively and efficiently deal with data from mobile devices, no matter the extraction level and/or device state.

Course Prerequisites

Students must be part of a law enforcement agency and MUST own a Magnet Graykey. Because GK200 is an intermediate-level course, it is recommended that students first complete Magnet Axiom Examinations (AX200).

Course Completion

Magnet Certified Graykey Examiner (MCGE) - Prerequisite: Must have attended GK200. (This is an online process which is free. Pass score = 80% or higher. Certification lasts 2 years.)
Additional option for Magnet Qualified Graykey Investigator (MQGI) - Prerequisite: Must have a Magnet Graykey.

Course Modules

Module 1: Course Introduction
Review of the course outline, personal introductions, and the week-long case scenario that will be used throughout the training event. Students finish the module with a clear understanding of the structure of the course.

Module 2: Graykey Overview
An introduction to the Graykey device itself — covering hardware, licensing, capture and extraction settings, enhanced capabilities, and device preferences. This module also covers the full range of Graykey’s operational features, including Mobile Excursion, Crypto Triage, logical+, category-based extractions, and Magnet Graykey Fastrak.

Module 3: iOS Fundamentals
Discussion-focused coverage of the iOS operating system’s structure and security. Students will review the APFS file system, core Apple security hardware and firmware, device keys, the Secure Enclave, data protection classes, handset lock codes, and USB Restricted Mode.

Module 4: iOS Acquisitions Using Graykey
Hands-on work covering the full iOS extraction workflow: evidence preservation, known- and unknown-passcode workflows, BFU, AFU, full filesystem and Logical+ extractions, and brute-forcing passcodes using the Axiom Wordlist Generator and Hashcat. This module also introduces Magnet Autokey, Magnet’s vehicle acquisition tool, including supported infotainment systems, vehicle artifacts, the vehicle acquisition workflow, and current Autokey availability.

Module 5: Android Fundamentals
Discussion-focused coverage of the Android operating system’s structure and security. Students will explore the Generic Kernel Image, Android file system and partitions, core Android security features, full-disk and file-based encryption, Android passcodes, and vendor-specific security features such as Samsung Secure Folder.

Module 6: Android Anti-Forensics
An awareness module focused on anti-forensic operating systems and applications, with particular attention to GrapheneOS — its privacy and security features, supported devices, data-wipe behaviors, and the handling and seizure considerations these devices introduce.

Module 7: Android Acquisitions Using Graykey
Hands-on work covering the full Android extraction workflow: evidence preservation, known- and unknown-passcode workflows, BFU Android devices, Download/Upload/Fastboot modes, and brute-forcing techniques (including multi-user brute-force).

Module 8: Graykey Outputs and Magnet Axiom
An overview of the different outputs produced by Graykey (BFU, AFU, full filesystem, selective, Logical+, process memory, keychain/keystore, password list, passcode history, progress report) and how to load these into Magnet Axiom Process and Examine for analysis.

Module 9: Analyzing iOS Extraction Types
A practical deep-dive into the artifacts available at each iOS extraction level — BFU, AFU, full filesystem, and Logical+ — using Axiom Examine. Students will locate and interpret artifacts such as Accounts, Apple Notes, Apple Mail, Significant Locations, Apple Maps, KnowledgeC, and cached locations.

Module 10: Analyzing Android Extraction Types
A practical deep-dive into the artifacts available at each Android extraction level (BFU and Full File System), with emphasis on mainstream data protection features such as Secure Folder, Dual Messenger, and Google Private Space.

Any questions?

Unit 15 Marston Business Park, Lower Hazeldines, Marston Moretaine, Bedfordshire, MK43 0XT

Contact us

We strive for the latest and greatest.

We are committed to staying at the forefront of innovation by continuously researching new techniques and solutions. If there's something specific you need that isn't listed on our website, please don’t hesitate to reach out—we’re here to help. We understand that important tasks often arise unexpectedly, and whenever possible, we’ll make every effort to accommodate urgent requests promptly and efficiently.
