AX220 Axiom iOS Filesystem Analysis
This course is an intermediate-level two-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS file system examinations. You can purchase training classes directly online using a credit card or if payment by purchase order is required, please request a quotation from sales@magnetforensics.com.
Description
AX302 has been renamed to AX220.
This course is an intermediate-level two-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge base into deep iOS file system examinations.
In this course, students will learn about key artifacts available only to the file system level extractions and not available in traditional backup style acquisition methods. These artifacts include activity tracking points such as PowerLog and KnowledgeC as well as several sources of location data from the device. Students will learn about Apple’s security measures that are in place and discuss how they can impact acquiring different levels of file system extractions.
Several methods will be discussed to understand the pros and cons of using each of these methodologies appropriately. Magnet Axiom will also be leveraged to learn how the iOS filesystem is structured, how to locate key data, and how artifacts are structured. In addition, students will learn about artifacts specific to the iOS full file system and its multiple levels of data protection. Third-party artifact analysis of several advanced, secure artifacts will be covered, including how the device keychain ties into these artifacts. A methodology will be discussed on how to conduct deep-level iOS examinations and how to understand specific operating system artifacts in context to show device interactions over time. Students will learn how to put someone behind a device physically interacting with it, and even sometimes where that device has been.
Course prerequisites
Because AX220 is an intermediate-level course, it is strongly recommended that students first complete Magnet Axiom Examinations (AX200). AX200 will provide a thorough understanding of Axiom that will help students focus on the cloud aspect of investigations in AX220.
Course modules
Module 1: Course introduction
- Cover the basic prerequisites for Magnet Axiom
Module 2: Understanding iOS and Apple’s security
- Discussion-focused coverage of the iOS operating system’s security functions and structure.
- Learn about device protection class keys, understanding the handset lock codes and their function, as well as other functions of the operating system.
Module 3: Device image types & filesystem acquisitions
- Compare the different methods in the industry currently to extract filesystem images of iOS devices.
- Compare the different levels of filesystem images that can be acquired before and after the entering of the user’s handset lock code. Learn how to explore key artifacts within these different extraction types.
Module 4: Importing data in Magnet Axiom
- Understand the multiple ways to ingest information and develop a proper workflow for ingesting information from filesystem extractions.
- Learn about several Axiom functions such as Dynamic App Finder, Search for Custom Files by Type, and how to target secure messaging applications.
Module 5: Exploring artifacts in Magnet Axiom
- Explore multiple artifacts, including deep diving into artifacts that are core to the iOS file system – core artifacts will be explored in depth including techniques for recovering deleted information from these databases.
- Advanced file system artifacts such as PowerLog and KnowledgeC will be covered to talk about application usage times and data amounts. These and other artifacts will be explored to show examiners how to track when targets are interacting physically with a device in a specified timeframe.
- Exclusive file system artifacts such as location history, third party applications, and more will also be explored.
Additional information
Who should attend: Participants who are unfamiliar with the principles of digital forensics
Advanced preparation: None
Program level: Intermediate-level
Field of study: Computer software & applications
Delivery method: Group internet based
Refunds and cancellations: Training Course(s) can be rescheduled to a later date or cancelled by either Magnet Forensics or you without charge or penalty if written notice is received twenty-one (21) days or more prior to the date of the Training Course. No rescheduling shall be permitted on less than twenty-one (21) days written notice, which shall constitute a cancellation without a refund. Your written rescheduling or cancellation notice must be emailed to training@magnetforensics.com or contact 226-499-8962. If Magnet Forensics cancels a Training Course due to insufficient attendance, you will have the option to register in a different scheduled Training Course or receive a full refund. Please do not book travel until you have confirmed that the Training Course will be running.
Magnet Forensics is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website:www.nasbaregistry.org.