Module 1: Course Introduction
Review of the course outline, personal introductions, and the week-long case scenario that will be used throughout the training event. Students finish the module with a clear understanding of the structure of the course.
Module 2: Graykey Overview
An introduction to the Graykey device itself — covering hardware, licensing, capture and extraction settings, enhanced capabilities, and device preferences. This module also covers the full range of Graykey’s operational features, including Mobile Excursion, Crypto Triage, logical+, category-based extractions, and Magnet Graykey Fastrak.
Module 3: iOS Fundamentals
Discussion-focused coverage of the iOS operating system’s structure and security. Students will review the APFS file system, core Apple security hardware and firmware, device keys, the Secure Enclave, data protection classes, handset lock codes, and USB Restricted Mode.
Module 4: iOS Acquisitions Using Graykey
Hands-on work covering the full iOS extraction workflow: evidence preservation, known- and unknown-passcode workflows, BFU, AFU, full filesystem and Logical+ extractions, and brute-forcing passcodes using the Axiom Wordlist Generator and Hashcat. This module also introduces Magnet Autokey, Magnet’s vehicle acquisition tool, including supported infotainment systems, vehicle artifacts, the vehicle acquisition workflow, and current Autokey availability.
Module 5: Android Fundamentals
Discussion-focused coverage of the Android operating system’s structure and security. Students will explore the Generic Kernel Image, Android file system and partitions, core Android security features, full-disk and file-based encryption, Android passcodes, and vendor-specific security features such as Samsung Secure Folder.
Module 6: Android Anti-Forensics
An awareness module focused on anti-forensic operating systems and applications, with particular attention to GrapheneOS — its privacy and security features, supported devices, data-wipe behaviors, and the handling and seizure considerations these devices introduce.
Module 7: Android Acquisitions Using Graykey
Hands-on work covering the full Android extraction workflow: evidence preservation, known- and unknown-passcode workflows, BFU Android devices, Download/Upload/Fastboot modes, and brute-forcing techniques (including multi-user brute-force).
Module 8: Graykey Outputs and Magnet Axiom
An overview of the different outputs produced by Graykey (BFU, AFU, full filesystem, selective, Logical+, process memory, keychain/keystore, password list, passcode history, progress report) and how to load these into Magnet Axiom Process and Examine for analysis.
Module 9: Analyzing iOS Extraction Types
A practical deep-dive into the artifacts available at each iOS extraction level — BFU, AFU, full filesystem, and Logical+ — using Axiom Examine. Students will locate and interpret artifacts such as Accounts, Apple Notes, Apple Mail, Significant Locations, Apple Maps, KnowledgeC, and cached locations.
Module 10: Analyzing Android Extraction Types
A practical deep-dive into the artifacts available at each Android extraction level (BFU and Full File System), with emphasis on mainstream data protection features such as Secure Folder, Dual Messenger, and Google Private Space.
We are committed to staying at the forefront of innovation by continuously researching new techniques and solutions. If there's something specific you need that isn't listed on our website, please don’t hesitate to reach out—we’re here to help. We understand that important tasks often arise unexpectedly, and whenever possible, we’ll make every effort to accommodate urgent requests promptly and efficiently.
