
Loading GrayKey Images into Magnet AXIOM

For the last few years, most forensic examinations of iOS devices were limited to the data available in an iTunes backup, and only if you had the user’s passcode. Sure, you may have gotten the odd jailbroken device, but it typically didn’t matter whether you had a ten-thousand-dollar commercial forensics tool or a free acquisition tool like Magnet ACQUIRE: you were getting the same thing, an iTunes backup. If you didn’t have the user’s passcode, you weren’t getting anything, so a backup was better than nothing.

Enter Grayshift, the makers of GrayKey, a tool that allows law enforcement to crack the user’s passcode, bypassing the Data Protection delay, and gain access to the entire file system of the latest iPhones. This not only gave examiners access to devices that were previously inaccessible without the passcode, but also to iOS data that hasn’t been available in years because of how little an iTunes backup contains.

GrayKey is only an acquisition tool: it cracks the passcode and extracts the data from the device, but it doesn’t assist with analysis. Data acquired via a GrayKey extraction is output as three zip containers (backup.zip, files.zip, mem.zip) and a keychain.plist. Magnet AXIOM can then be used to analyze these files.

GrayKey Output


GrayKey Main File

The backup.zip contains much of the same information as files.zip but is structured like an iTunes backup, making it more familiar to examiners and tools that are used to handling iTunes backups. Examiners can also load it into AXIOM, but there is significantly less data in backup.zip than in files.zip. While there is valuable information in the backup, all of it and much more is in files.zip, the full file-system extraction, so it’s recommended to load the files.zip image into AXIOM.

GrayKey Folder Structure

The next container is mem.zip, a memory dump of the iOS device. I don’t believe anyone has been able to acquire a memory dump of an iOS device prior to this, so the availability of this as evidence is quite exciting. Memory acquisition on Android can be done, but as it requires a phone restart, the investigative value is minimal. In this case, the iOS memory dump contains valuable information and should definitely be loaded into AXIOM as well.

Finally, the last file is keychain.plist. Most examiners are familiar with the iOS keychain, which holds the user accounts, passwords, and keys for many of the apps the user has saved or used; these can also be valuable for investigators wanting to authenticate to cloud sources or otherwise. The keychain that GrayKey produces is slightly different from the one you get in an iTunes backup or find natively on a jailbroken device. The keychain in the file system is actually a SQLite database and hasn’t always been available because of the limitations of earlier acquisition methods. The keychain in an iTunes backup is also a plist but is formatted differently, so we’ve added specific support for the GrayKey keychain.plist in AXIOM.

To load GrayKey images into AXIOM, follow the same path as for most other iOS images: go to Mobile -> iOS -> Load Evidence -> Image and choose files.zip first. Next, load mem.zip in the same manner. There is no need to load backup.zip, since files.zip contains everything in the backup. Finally, load the keychain in a similar manner, but as a file rather than an image (Mobile -> iOS -> Load Evidence -> Files & Folders).
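Before loading anything, an examiner will normally confirm that all four GrayKey output files are present, hash them for the case notes, and check that files.zip really is the larger container. The Python script below is an added example for this article, not Magnet or Grayshift code; it assumes the four files sit together in one folder, and the zip members it builds are placeholders constructed for the example rather than real GrayKey content. It inventories the folder and turns the result into the load order described above.

```python
import hashlib
import os
import tempfile
import zipfile

# The four files a GrayKey extraction produces, per the description above.
# Assumption: they sit together in one output folder.
EXPECTED = ("backup.zip", "files.zip", "mem.zip", "keychain.plist")


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(folder):
    """Return {name: {"present", "size", "sha256", "entries"}} for each expected file.

    "entries" is the member count of a zip container (None for the plist or a
    missing file), which makes the backup.zip-vs-files.zip gap visible before
    anything is loaded into AXIOM.
    """
    report = {}
    for name in EXPECTED:
        path = os.path.join(folder, name)
        info = {"present": os.path.isfile(path), "size": None, "sha256": None, "entries": None}
        if info["present"]:
            info["size"] = os.path.getsize(path)
            info["sha256"] = sha256_of(path)
            if name.endswith(".zip"):
                with zipfile.ZipFile(path) as zf:
                    info["entries"] = len(zf.namelist())
        report[name] = info
    return report


def load_plan(report):
    """Turn the inventory into the load order the article recommends:
    files.zip and mem.zip as images, keychain.plist under Files & Folders,
    and backup.zip only as a fallback when files.zip is missing."""
    plan = []
    if report["files.zip"]["present"]:
        plan.append(("files.zip", "Image"))
    elif report["backup.zip"]["present"]:
        plan.append(("backup.zip", "Image"))
    if report["mem.zip"]["present"]:
        plan.append(("mem.zip", "Image"))
    if report["keychain.plist"]["present"]:
        plan.append(("keychain.plist", "Files & Folders"))
    return plan


def make_sample_output(folder):
    """Constructed stand-in for a GrayKey output folder. Member names and
    contents are placeholders chosen for this example, not real GrayKey data."""
    with zipfile.ZipFile(os.path.join(folder, "backup.zip"), "w") as zf:
        zf.writestr("placeholder-1", b"backup")
    with zipfile.ZipFile(os.path.join(folder, "files.zip"), "w") as zf:
        for i in range(1, 6):  # deliberately more members than backup.zip
            zf.writestr(f"placeholder-{i}", b"filesystem")
    with zipfile.ZipFile(os.path.join(folder, "mem.zip"), "w") as zf:
        zf.writestr("placeholder-mem", b"\x00" * 64)
    with open(os.path.join(folder, "keychain.plist"), "wb") as f:
        f.write(b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n')


def demo():
    """Build the sample folder, inventory it and return (report, plan)."""
    with tempfile.TemporaryDirectory() as folder:
        make_sample_output(folder)
        report = inventory(folder)
    return report, load_plan(report)


if __name__ == "__main__":
    report, plan = demo()
    for name, info in report.items():
        print(f"{name:15} present={info['present']!s:5} size={info['size']} "
              f"entries={info['entries']} sha256={info['sha256']}")
    for name, how in plan:
        print(f"load {name} via Mobile -> iOS -> Load Evidence -> {how}")
```

Point the script at a real output folder by calling inventory() and load_plan() on that path instead of demo(); the hashes it prints are the values to record before AXIOM touches the evidence.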

Loading GrayKey into AXIOM

Once loaded, you can choose whatever options and artifacts you wish to include for your investigation. One feature that may surface additional data that wouldn’t otherwise be included in an artifact is the Dynamic App Finder (DAF).

Dynamic App Finder

Under “Find more artifacts”, you can enable DAF, and it will automatically search the image for SQLite databases that may contain chat, geolocation, or contact information. This is helpful for applications or data that aren’t already covered by an existing artifact. For GrayKey images, it identifies additional data in both the file system and memory images.
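To make concrete what a search of this kind does, here is a small Python scanner added for this article; it is not Magnet’s DAF implementation and the column-name keyword sets it uses are an assumption chosen for the example. It walks an extracted directory tree, recognises SQLite files by their 16-byte header rather than by file extension, opens each read-only so the scan cannot alter evidence, and flags tables whose columns look like chat, geolocation or contact data. The directory tree it scans is constructed inside the script with placeholder databases.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

# Column-name keyword sets used to guess what a table holds. These are an
# assumption for this example, not Magnet's detection rules.
CHAT_COLS = {"message", "body", "text", "sender", "recipient", "from_id", "to_id"}
CONTACT_COLS = {"phone", "email", "first_name", "last_name", "display_name"}
LAT_COLS = {"latitude", "lat"}
LON_COLS = {"longitude", "lon", "lng"}


def is_sqlite(path):
    """Identify SQLite files by header, since app databases often lack a .db suffix."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def classify_columns(columns):
    """Return the categories a table plausibly belongs to, from its column names."""
    cols = {c.lower() for c in columns}
    cats = []
    if cols & LAT_COLS and cols & LON_COLS:
        cats.append("geolocation")
    if len(cols & CHAT_COLS) >= 2:
        cats.append("chat")
    if len(cols & CONTACT_COLS) >= 2:
        cats.append("contact")
    return cats


def scan(root):
    """Walk an extracted tree and return sorted (relative path, table, category) hits."""
    root = os.path.abspath(root)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if not is_sqlite(path):
                continue
            # mode=ro keeps the scan from writing to evidence (no journal/WAL creation).
            uri = Path(path).as_uri() + "?mode=ro"
            try:
                con = sqlite3.connect(uri, uri=True)
            except sqlite3.Error:
                continue
            try:
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table'")]
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                for table in tables:
                    quoted = table.replace('"', '""')
                    cols = [r[1] for r in con.execute(f'PRAGMA table_info("{quoted}")')]
                    for cat in classify_columns(cols):
                        hits.append((rel, table, cat))
            except sqlite3.Error:
                pass  # corrupt or partially carved database: skip it, keep scanning
            finally:
                con.close()
    return sorted(hits)


def make_sample_tree(root):
    """Constructed stand-in for part of an extracted file system (placeholder data)."""
    os.makedirs(os.path.join(root, "apps"), exist_ok=True)
    specs = {
        "apps/chat.db": "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)",
        "apps/places": "CREATE TABLE visits (id INTEGER PRIMARY KEY, latitude REAL, longitude REAL, ts INTEGER)",
        "addressbook.sqlite": "CREATE TABLE people (id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT)",
        "prefs.db": "CREATE TABLE settings (name TEXT, value TEXT)",
    }
    for rel, ddl in specs.items():
        con = sqlite3.connect(os.path.join(root, rel))
        con.execute(ddl)
        con.commit()
        con.close()
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("not a database\n")
    with open(os.path.join(root, "apps", "broken.db"), "wb") as f:
        f.write(SQLITE_MAGIC + b"\x00" * 48)  # valid header, garbage body


def demo():
    """Build the sample tree, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, table, cat in demo():
        print(f"{cat:12} {rel}:{table}")
```

Note that the "places" file has no extension and is still found, while prefs.db is opened but yields nothing because no table matches, and broken.db (correct header, unreadable body) is skipped without stopping the scan. Against a real extraction you would call scan() on the unpacked files.zip directory; on a live copy of a database in WAL mode, read-only opening may also require the accompanying -wal and -shm files to be present alongside it.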

Once everything is loaded and options are selected, you can process the case just like any other and view the results in AXIOM Examine.

Viewing results in AXIOM