iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.

Introduction

Low-level extraction can be done differently. For older hardware, the checkm8 extraction delivers the cleanest results; our solution is unrivaled in providing truly forensically sound extractions for all compatible devices, which include a number of iPhone, iPad, Apple Watch and Apple TV devices. checkm8 extractions are great, but they aren’t compatible with newer devices. To deliver low-level extraction for newer iPhones and iPads, we developed an in-house extraction agent that comes as close to being forensically sound as possible. This method is highly dependent on kernel exploits, which are extremely difficult to implement. This is why low-level extraction almost never comes to the current, up-to-date and fully patched versions of iOS. For newer models starting with iPhone Xr/Xs, using the extraction agent is the only way to extract the file system and decrypt the keychain.

What is an extraction agent?

The extraction agent is an app sideloaded to the iPhone being extracted. The app establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file and the encryption keys required to decrypt the content of the keychain.

Agent-based low-level extractions deliver the cleanest experience for newer devices without checkm8 support. While the process is not fully forensically sound, the modifications made to the data are minimal. Once the extraction agent is uninstalled, the only traces left on the device are several records representing agent-related events in the device’s diagnostic logs.

Extraction agent cheat sheet

Note: we recommend using a USB 3.0 port to speed up the extraction of certain devices.

On the computer, launch iOS Forensic Toolkit.

Connect the iPhone to the computer.

Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode.

If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:

./EIFT_cmd normal pair

Sideload the extraction agent onto the device by running the following command:

./EIFT_cmd agent install

On the iPhone: if you are using a non-developer Apple ID to sideload the agent, validate the signing certificate on the iPhone. (Note: this requires an active internet connection and carries certain security risks).

If an error message pops up (e.g. “all exploits failed”), restart the iPhone.

On the computer:

./EIFT_cmd agent keychain -o keychain.xml

./EIFT_cmd agent tar -o data.tar

Only if suspecting root-level malware:

./EIFT_cmd agent tar –system -o system.tar

On the computer (uninstall the extraction agent):

./EIFT_cmd agent uninstall

Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

Installing the extraction agent

The extraction agent is an iOS app that must be sideloaded (installed) onto the iOS device. Note: if a previous version of the extraction agent is already installed, remove it from the device as you would uninstall any other app.

When installing the extraction agent, the iPhone must be unlocked and paired to the computer.

Sideloading the extraction agent requires an Apple ID login and password. We strongly recommend using an Apple ID account enrolled in Apple Developer Program. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the iPhone, which requires an active internet connection and brings the associated security risks

Pair the iPhone to the computer before sideloading the extraction agent. The pairing prompt is usually displayed automatically when you connect the iPhone to the computer. Confirm the pairing prompt and type the screen lock passcode on the device. If for any reason no pairing is established, run the following command:

./EIFT_cmd normal pair

On the iPhone: confirm pairing request and enter screen lock password when prompted.

Install the extraction agent by running the following command on the computer:

./EIFT_cmd agent install

You will be prompted for Apple ID credentials (login, password, and one-time code for passing two-factor authentication). A developer account is strongly recommended. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the device before you can launch the app. This in turn requires an active internet connection, placing the device at risk of unwanted synchronization and/or remote lock or remote erase. When using an Apple ID enrolled in Apple’s Developer Program, this check can be skipped, and the device can be kept offline.

Using the extraction agent

The extraction agent enables full file system extraction from all supported devices, as well as keychain decryption on select supported devices.

To use the extraction agent, install (sideload) the agent onto the iOS device according to the instructions, then touch its icon to launch the app. Make sure to keep the app open in foreground at all times during the extraction; do not switch to any other apps.

The extraction agent will automatically attempt to obtain elevated privileges. Since the agent uses unofficial exploits, on rare occasions the device may reboot. If this happens, wait until the device fully boots, unlock it, and run the agent app again. There is no need to reinstall the agent.

Keychain decryption

Extract the keychain into a file named keychain.xml:

./EIFT_cmd agent keychain -o keychain.xml

File system image

The extracted file system image is saved into a .tar archive. The process may take a while depending on the size of the file system. Make sure the agent app is open and runs in the foreground during the entire extraction.

The following command extracts and saves a file system image from the device into a file named “data.tar”. Only the user data will be copied.

./EIFT_cmd agent tar -o data.tar

You can also extract the system partition. Generally, you would only need to do it if you suspect that a rootkit or other system-level malware on the device.

./EIFT_cmd agent tar --system -o system.tar

Please note that you would normally only need to extract the data and not the system partition.

Finally, uninstall the extraction agent by either doing it regularly on the device or running the following command:

./EIFT_cmd agent uninstall

Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.

Extraction steps explained

When sideloading the extraction agent, we strongly recommend using an Apple ID registered in the Apple’s Developer Program. This allows keeping the device offline and disconnected from the network. If you must use a regular Apple ID, you will need to validate the signing certificate in the device settings, which in turn requires an active internet connection. If this is the case, make sure to configure a firewall to whitelist access to Apple signing services only. More in Extracting iPhone File System and Keychain Without an Apple Developer Account.

1. Download and install the latest version of Elcomsoft iOS Forensic Toolkit.
2. Launch iOS Forensic Toolkit on your computer.
3. Connect and pair the iOS device ./EIFT_cmd normal pair
4. Install the extraction agent ./EIFT_cmd agent install
   You will need an Apple ID (preferably enrolled in Apple’s Developer Program) with a login, password, and one-time two-factor authentication code to sideload the agent app.
5. If you used a regular, non-developer Apple ID, validate the signing certificate on the iPhone. This step is not needed when using a developer account.
6. Launch the extraction agent by tapping its icon. Keep the agent running in the foreground during the rest of the extraction process.
7. Extract and decrypt the keychain ./EIFT_cmd agent keychain -o keychain.xml
8. Extract user data ./EIFT_cmd agent tar -o data.tar
9. Optional: if suspecting malware or rootkit, extract system data ./EIFT_cmd agent tar –system -o system.tar
10. Uninstall the extraction agent regularly or by running ./EIFT_cmd agent uninstall

Conclusion

The extraction agent is a software-based low-level extraction solution available in iOS Forensic Toolkit for iPhone and iPad devices running compatible versions of iOS. We actively develop the extraction agent, planning full support for iOS 15.5 and lower (including keychain decryption) in near future.