iOS Forensic Toolkit 8 brings new powerful user experience based on the command line. While this approach offers experts full control over the extraction process, mastering the right workflow may become a challenge for those unfamiliar with command-line tools. In this quick-start guide we will lay out the steps required to extract the file system and decrypt the keychain of a compatible iPhone or iPad device.
Low-level extraction can be done differently. For older hardware, the checkm8 extraction delivers the cleanest results; our solution is unrivaled in providing truly forensically sound extractions for all compatible devices, which include a number of iPhone, iPad, Apple Watch and Apple TV devices. checkm8 extractions are great, but they aren’t compatible with newer devices. To deliver low-level extraction for newer iPhones and iPads, we developed an in-house extraction agent that comes as close to being forensically sound as possible. This method is highly dependent on kernel exploits, which are extremely difficult to implement. This is why low-level extraction almost never comes to the current, up-to-date and fully patched versions of iOS. For newer models starting with iPhone Xr/Xs, using the extraction agent is the only way to extract the file system and decrypt the keychain.
The extraction agent is an app sideloaded to the iPhone being extracted. The app establishes a communication channel between the device and the computer, escalates privileges, and gains access to the file and the encryption keys required to decrypt the content of the keychain.
Agent-based low-level extractions deliver the cleanest experience for newer devices without checkm8 support. While the process is not fully forensically sound, the modifications made to the data are minimal. Once the extraction agent is uninstalled, the only traces left on the device are several records representing agent-related events in the device’s diagnostic logs.
Note: we recommend using a USB 3.0 port to speed up the extraction of certain devices.
On the computer, launch iOS Forensic Toolkit.
Connect the iPhone to the computer.
Once the iPhone is connected to the computer, you will be prompted to establish trust between the device and the computer. On the device, confirm the pairing prompt and enter the screen lock passcode.
If the device was not automatically paired, you will need to manually pair the device to the computer by running the following command:
./EIFT_cmd normal pair
Sideload the extraction agent onto the device by running the following command:
./EIFT_cmd agent install
On the iPhone: if you are using a non-developer Apple ID to sideload the agent, validate the signing certificate on the iPhone. (Note: this requires an active internet connection and carries certain security risks).
If an error message pops up (e.g. “all exploits failed”), restart the iPhone.
On the computer:
./EIFT_cmd agent keychain -o keychain.xml ./EIFT_cmd agent tar -o data.tar
Only if suspecting root-level malware:
./EIFT_cmd agent tar –system -o system.tar
On the computer (uninstall the extraction agent):
./EIFT_cmd agent uninstall
Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.
The extraction agent is an iOS app that must be sideloaded (installed) onto the iOS device. Note: if a previous version of the extraction agent is already installed, remove it from the device as you would uninstall any other app.
When installing the extraction agent, the iPhone must be unlocked and paired to the computer.
Sideloading the extraction agent requires an Apple ID login and password. We strongly recommend using an Apple ID account enrolled in Apple Developer Program. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the iPhone, which requires an active internet connection and brings the associated security risks
Pair the iPhone to the computer before sideloading the extraction agent. The pairing prompt is usually displayed automatically when you connect the iPhone to the computer. Confirm the pairing prompt and type the screen lock passcode on the device. If for any reason no pairing is established, run the following command:
./EIFT_cmd normal pair
On the iPhone: confirm pairing request and enter screen lock password when prompted.
Install the extraction agent by running the following command on the computer:
./EIFT_cmd agent install
You will be prompted for Apple ID credentials (login, password, and one-time code for passing two-factor authentication). A developer account is strongly recommended. If you use a regular, non-developer account, you will need to validate the agent’s signing certificate on the device before you can launch the app. This in turn requires an active internet connection, placing the device at risk of unwanted synchronization and/or remote lock or remote erase. When using an Apple ID enrolled in Apple’s Developer Program, this check can be skipped, and the device can be kept offline.
The extraction agent enables full file system extraction from all supported devices, as well as keychain decryption on select supported devices.
To use the extraction agent, install (sideload) the agent onto the iOS device according to the instructions, then touch its icon to launch the app. Make sure to keep the app open in foreground at all times during the extraction; do not switch to any other apps.
The extraction agent will automatically attempt to obtain elevated privileges. Since the agent uses unofficial exploits, on rare occasions the device may reboot. If this happens, wait until the device fully boots, unlock it, and run the agent app again. There is no need to reinstall the agent.
Keychain decryption
Extract the keychain into a file named keychain.xml:
./EIFT_cmd agent keychain -o keychain.xml
File system image
The extracted file system image is saved into a .tar archive. The process may take a while depending on the size of the file system. Make sure the agent app is open and runs in the foreground during the entire extraction.
The following command extracts and saves a file system image from the device into a file named “data.tar”. Only the user data will be copied.
./EIFT_cmd agent tar -o data.tar
You can also extract the system partition. Generally, you would only need to do it if you suspect that a rootkit or other system-level malware on the device.
./EIFT_cmd agent tar --system -o system.tar
Please note that you would normally only need to extract the data and not the system partition.
Finally, uninstall the extraction agent by either doing it regularly on the device or running the following command:
./EIFT_cmd agent uninstall
Alternatively, you may uninstall the extraction agent from the device by long-pressing its icon and deleting the app.
When sideloading the extraction agent, we strongly recommend using an Apple ID registered in the Apple’s Developer Program. This allows keeping the device offline and disconnected from the network. If you must use a regular Apple ID, you will need to validate the signing certificate in the device settings, which in turn requires an active internet connection. If this is the case, make sure to configure a firewall to whitelist access to Apple signing services only. More in Extracting iPhone File System and Keychain Without an Apple Developer Account.
The extraction agent is a software-based low-level extraction solution available in iOS Forensic Toolkit for iPhone and iPad devices running compatible versions of iOS. We actively develop the extraction agent, planning full support for iOS 15.5 and lower (including keychain decryption) in near future.
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
Elcomsoft iOS Forensic Toolkit official web page & downloads »