AX301 Graykey / AXIOM

This course is an intermediate-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS examinations and the use of the GrayKey device.

Students will get hands-on use of the GrayKey device and learn how to fully operate it — including how to establish a proper workflow for handing iOS devices in the field to the lab and how to acquire a full file system image of iOS devices.

Magnet AXIOM will also be leveraged to learn how the iOS filesystem is structured, how to locate key data, and how artifacts are structured. In addition, students will learn about artifacts specific to the iOS full file system and its multiple levels of data protection. Third-party artifact analysis of several advanced, secure artifacts will be covered, including how the device keychain ties into these artifacts. A methodology will be discussed on how to conduct deep-level iOS examinations and how to understand specific operating system artifacts in context to show device interactions over time. Students will learn how to put someone behind a device physically interacting with it, and even sometimes where that device has been.

Course Modules


  • Cover the basic prerequisites for both the AXIOM software and GrayKey unit.


  • Discussion-focused coverage of the iOS operating system’s security functions and structure.
  • Learn about device protection class keys, understanding the handset lock codes and their function, as well as other functions of the operating system.


  • Covering all the options and settings of the GrayKey unit in order to successfully and efficiently operate the device to extract information from iOS devices.
  • Information about the latest versions of iOS will be discussed.
  • Learn how to gain access to information previously unavailable by most forensic techniques.
  • See how to extract information from devices that are still passcode-locked as well as techniques to deal with the bypassing of the passcodes standing in their way.


  • Compare the different types of extractions that can be generated with the GrayKey units, what examiners can expect to find in each type, and how this information can help further investigations in multiple ways.
  • Learn how to explore key artifacts available in these different image types, exclusive to the GrayKey style of data extraction, and how to build methodologies to attempt more efficient passcode cracking.


  • Understand the multiple ways to ingest information and develop a proper workflow for ingesting information from GrayKey extractions.
  • Learn about several AXIOM functions such as Dynamic App Finder, Search for Custom Files by Type, and how to target secure messaging applications.


  • Explore multiple artifacts, including deep diving into artifacts that are core to the iOS file system — core artifacts will be explored in depth including techniques for recovering deleted information from these databases.
  • Advanced file system artifacts such as PowerLog and KnowledgeC will be covered to talk about application usage times and data amounts. These and other artifacts will be explored to show examiners how to track when targets are interacting physically with a device in a specified timeframe.
  • Exclusive file system artifacts such as location history, third party applications, and more will also be explored.

Additional Information

Who Should Attend: Participants who are unfamiliar with the principles of digital forensics
Advanced Preparation: None
Program Level: Advanced-level
Field of Study: Computer Software & Applications
Delivery Method: Group Live 32 Hours CPE

Magnet Forensics is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its

WHEN: April 26 – April 29, 2022
This course is taught by Magnet Forensics and is a four day course. THIS IS A LAW ENFORCEMENT ONLY CLASS

COST: $1,995 US Dollars

Cancellation of this class may occur if there are insufficient students registered. In the event of a cancellation, personnel will typically be notified by email within 48 hours of the registration closure date. IACIS is not responsible for any individual expenses incurred as a result of a cancellation. The limit of IACIS financial liability is a full refund of the course fee.


Existing IACIS members simply log in with your credentials and go to the Products page to purchase and register for the course.

For non-IACIS members, the membership fee is waived with the purchase of the training course; however, to register for the course you must complete a membership application at the time of purchase. Purchase training course HERE.

****Payment MUST BE RECEIVED at least 45 days prior to the first day of class. Any payment arrangements other than payment through the website or payment via invoice must be approved by the IACIS Treasurer prior to admittance into the course. Please contact the treasurer for questions and approval (

Cancellations within 45 days from the start of class to 31 days from the start of class will be subject to a $150 cancellation fee. There will be no refunds within 30 days from the start of class.****

* On-Site Check-in Times (student pickup of equipment, ID card, IACIS info) are:

             Sunday, April 24, 2022 : 1800 – 2100

             Tuesday, April 26, 2022: 0700 – 0800

* Please make arrangements to arrive in time to check-in so that you may be in class promptly the first day.


Please read the following notes regarding this class:

  1. Classes begin at 8:00 AM ET and conclude at 5:00 PM ET, each day, with a one hour lunch break. Classes will end at 4:00 PM ET on the last day of class. Please do not arrange for departing flights prior to 7:00 PM ET to allow time for travel to the airport and any security clearances.
  2. The dress code for the conference is business casual (collared shirts and slacks).The wearing of shorts, flip flops, tank tops, etc. is not allowed in the classroom. Personal computers are not permitted in the classroom. Students are required to attend all classes to successfully complete the program. Students who fail to meet the attendance requirements will not be issued a certificate at the conclusion of the program.


The course will be taught at the Caribe Royale Hotel, 8101 World Center Drive, Orlando, Florida 32821 (USA).  This hotel is 16 miles from the Orlando International Airport, it has a large pool, spacious workout facility and is close to Disney World and Universal Studios.

Book via the Caribe Royale Hotel site here.

Or book via phone by calling the following numbers:

Reservations Toll Free: 1-800-823-8300/1-888-258-7501 or our local number 407-238-8000.

Availability to book your stay is from now until 4/16/2022 or until hotel is sold out.

Dates of stay the rates are good for now until 5/12/2022 or until hotel is sold out.


If IACIS is unable to hold their 2022 Orlando training event, then all students who have registered and paid, will have the option of a full refund or a reserved seat at the 2023 training event.  IACIS is not responsible for any outside expenses (e.g. travel and accommodation) in the event of the training event being cancelled. Anyone who paid for training will receive complimentary membership through the year that his/her training takes place.