Behind the Scenes of iOS Data Extraction: Exploring the Extraction Agent

February 9th, 2023 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

Discover the benefits of agent-based data extraction from iOS devices. Learn about the purpose and development of the extraction agent, when it can be used, and best practices. Get a comprehensive understanding of the cutting-edge approach for iOS data extraction.

The Extraction Agent: An Overview

The extraction agent is a modern approach to extracting data from iOS devices. Initially developed as a safer and more reliable alternative to jailbreaking, agent-based extraction provides low-risk, low-level access to the device and enables full file system extraction and keychain decryption. The method is faster and more reliable than a jailbreak, makes no changes to the system partition and leaves minimal traces on the data partition. After the extraction, the agent is completely removed with a single command; the only traces left on the device are several entries in the system event log.

To better explain the benefits of the extraction agent, let us look back several years. Not long ago, file system extraction and keychain decryption were largely carried out through publicly available jailbreaks. This approach was far from ideal: it was risky to the device, posed a threat to data integrity and was far from forensically sound.

To address these issues, in early 2020 we developed an alternative. Instead of a jailbreak, the new approach uses a small app, the “extraction agent”. The agent combines publicly known (and some in-house) exploits to escalate privileges, escape the iOS sandbox, access the file system and decrypt the keychain content. Compared to jailbreak-based acquisition, the extraction agent is safer, faster and more robust.

How It Works

iOS employs numerous protections to keep apps within their sandboxes. Third-party and system apps can only access data in their own sandbox, plus the limited information other apps explicitly share with them. The Files app, a system app introduced in iOS 11, therefore has no access to the full file system of the user data partition: a Files user cannot directly reach the files produced by, say, Signal or Telegram unless the user opens the messenger app and shares a chat or attachment from within the messenger itself.

Low-level access to the file system is forbidden to apps running in user space, while code running at a higher privilege level can reach the entire file system, including files stored in other apps’ sandboxes. Since the iOS security model does not permit an app to escalate its own privileges, the extraction agent obtains them by exploiting kernel-level vulnerabilities in various parts of the operating system. To do that, the agent packs a large number of publicly known (and some in-house) exploits. When launched on an iOS device, it detects the OS version and attempts to apply a compatible exploit. If successful, the agent gains access to the file system and establishes a communication channel between the device and the expert’s computer, which in turn allows the expert to image the file system with iOS Forensic Toolkit.

Although the concept may seem straightforward, it is considerably more complex than meets the eye. A kernel exploit alone is not enough to access the file system, and decrypting keychain records always requires additional work. We strive to keep iOS Forensic Toolkit updated so that both file system extraction and keychain decryption are available for all supported iOS releases without gaps and exclusions.

Better than checkm8?

The extraction agent works differently and supports a different range of devices. checkm8 extraction is limited to devices built on certain Apple chips, whereas the extraction agent is hardware-agnostic and even supports devices based on Apple Silicon (M1) chips. On the other hand, the agent supports a limited range of iOS versions, while checkm8 is mostly (but not entirely) OS-agnostic.

checkm8: devices based on A5…A11 chips; most iOS versions; does not work on A11 iPhones running iOS 16. Requires a Mac.

agent: devices based on any 64-bit hardware platform running iOS 9 through iOS 15.5. Requires an Apple Developer account (or a Mac for a workaround).

checkm8 extraction is only available for older Apple devices whose boot ROM contains an unpatchable vulnerability. Newer chips starting with the Apple A12 (the iPhone Xs/Xr generation) are not affected, so checkm8 extraction is unavailable for those generations of devices.

For older devices compatible with checkm8, we recommend the checkm8 extraction process. For newer devices, that option does not exist. Instead of targeting a boot ROM vulnerability that is no longer present, the extraction agent leverages kernel-level vulnerabilities in various parts of the operating system to escalate privileges, escape the sandbox and access the device’s content at a low level.

Better than a backup?

iOS backups (and extended logical acquisition in general) are the most common way to access device data when no other extraction method is available. Logical extraction is safe, but it only covers a subset of the data, with notable exclusions. Low-level extraction (checkm8 or agent) additionally reaches the sandboxed data of apps that opt out of backups (e.g. Mail and most instant messaging apps), as well as the system logs, which are never included in backups. The logs in turn may contain records of important events, locations and more.

Backup: all iPhone and iPad devices regardless of hardware and iOS version; compatible with Windows and Mac. The screen lock passcode is required to pair the device with the computer and/or to reset the backup password if one is set (with important consequences for the device).

agent: devices based on any 64-bit hardware platform running iOS 9 through iOS 15.5. Requires an Apple Developer account (or a Mac for a workaround). The screen lock passcode is required to establish a pairing relationship with the computer.
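The two comparisons above (checkm8 versus agent, backup versus agent) reduce to a handful of rules that are easy to misapply when iOS versions are compared as strings or when the chip generation is guessed. The Python helper below is an added example written for this article; it is not Elcomsoft code and not part of iOS Forensic Toolkit. It assumes chip names written as “A5”…“A16” or “M1”, iOS versions as dotted strings, and relies on one fact not stated in the article: Apple’s 64-bit SoCs start with the A7, so the agent cannot run on A5/A6 devices even though checkm8 can.

```python
"""Triage helper: which extraction methods does the article list for a device?

Added example for this article, not Elcomsoft's code and not part of
iOS Forensic Toolkit.  Assumptions (not all from the article):
  * chip names look like "A11" or "M1"
  * iOS versions are dotted strings such as "15.5" or "16.0.2"
  * 64-bit Apple SoCs start with the A7 (iPhone 5s); every M-series chip is 64-bit
"""
from __future__ import annotations

from typing import List, Tuple

AGENT_MIN_IOS = (9,)                # "iOS 9 through iOS 15.5" ...
AGENT_MAX_IOS_EXCLUSIVE = (15, 6)   # ... i.e. anything below 15.6 (15.5.x included)

# Prerequisites the article names for each method (for the report, not the logic)
PREREQUISITES = {
    "checkm8": "a Mac",
    "agent": "Apple Developer account (or a Mac for the workaround); passcode to pair",
    "backup": "Windows or Mac; passcode to pair and/or reset a backup password",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.10' -> (15, 10).  Tuples compare numerically, so 15.10 > 15.5,
    whereas the *string* '15.10' sorts before '15.5' and would misclassify."""
    return tuple(int(p) for p in version.strip().split("."))


def parse_chip(chip: str) -> Tuple[str, int]:
    """'A11' -> ('A', 11), 'M1' -> ('M', 1); rejects anything else."""
    c = chip.strip().upper()
    if len(c) < 2 or c[0] not in "AM" or not c[1:].isdigit():
        raise ValueError(f"unrecognised chip name: {chip!r}")
    return c[0], int(c[1:])


def is_64bit(chip: str) -> bool:
    """A7 was Apple's first 64-bit SoC; all M-series chips are 64-bit."""
    family, gen = parse_chip(chip)
    return family == "M" or gen >= 7


def checkm8_supported(chip: str, ios: str) -> bool:
    """A5..A11 boot ROM bug, OS-agnostic except for A11 devices on iOS 16."""
    family, gen = parse_chip(chip)
    if family != "A" or not 5 <= gen <= 11:
        return False
    if gen == 11 and parse_version(ios) >= (16,):
        return False
    return True


def agent_supported(chip: str, ios: str) -> bool:
    """Any 64-bit device running iOS 9 through iOS 15.5."""
    if not is_64bit(chip):
        return False
    return AGENT_MIN_IOS <= parse_version(ios) < AGENT_MAX_IOS_EXCLUSIVE


def extraction_options(chip: str, ios: str, passcode_known: bool = True) -> List[str]:
    """Available methods, in the order the article recommends them:
    checkm8 where it applies, then the agent, then a backup.

    Agent and backup both need the screen-lock passcode to pair with the
    computer.  The article states no passcode requirement for checkm8, so
    checkm8 is not gated on it here (an assumption of this example)."""
    options: List[str] = []
    if checkm8_supported(chip, ios):
        options.append("checkm8")
    if passcode_known and agent_supported(chip, ios):
        options.append("agent")
    if passcode_known:
        options.append("backup")
    return options


if __name__ == "__main__":
    # Constructed sample devices, not real case data
    for chip, ios in [("A11", "15.4"), ("A11", "16.1"), ("A12", "15.5"),
                      ("A12", "15.6"), ("M1", "15.1"), ("A6", "10.3")]:
        methods = extraction_options(chip, ios)
        needs = "; ".join(f"{m}: {PREREQUISITES[m]}" for m in methods)
        print(f"{chip:>4} / iOS {ios:<6} -> {methods}  [{needs}]")
```

The ordering in `extraction_options` encodes the article's advice that checkm8 is preferred where the hardware allows it; the version tuple comparison is what prevents the classic mistake of treating iOS 15.10 as older than 15.5.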

The Current State of Agent-Based iOS Extraction

The extraction agent is currently compatible with all iOS releases from iOS 9 through iOS 15.5 on all iOS/iPadOS devices. Windows users require an Apple Developer account to use the agent; macOS users are recommended to have one. To perform an extraction, the device’s screen lock passcode must be known or absent. If the device runs a compatible version of iOS and the passcode is known, we highly recommend using the iOS Forensic Toolkit extraction agent for all data extractions.

The Practical Guide

There are several steps to using the extraction agent. First, make sure you want to use the agent as opposed to (or in addition to) other extraction methods:

In the second step you sideload (install) the extraction agent onto the iOS device being extracted. This is more involved than it seems, and you may need to enroll your Apple account into the Apple Developer Program. With a developer account, sideloading the extraction agent is easy; without one, you will have to use a workaround that carries its own risks.

Once the extraction agent is sideloaded, launch it on the device by tapping its icon, and keep the app running in the foreground until the extraction is finished. The extraction steps are described in the following short manual:

Finally, remove the extraction agent, either by uninstalling it from the device in the regular way or by issuing a command (refer to the Cheat Sheet above).

More on Installing the Extraction Agent

We mentioned the installation of the extraction agent; let’s talk about it in some more detail.

Apple restricts its mobile ecosystem to apps distributed through the company’s App Store. For obvious reasons, the Elcomsoft low-level extraction agent is not available in the App Store and never will be. A workaround must therefore be used to sideload the extraction agent onto the Apple device being investigated.

Option 1: Developer Account

Developers use an alternative method of sideloading apps without submitting them to the App Store. This method requires becoming a registered developer by enrolling an Apple ID into Apple’s developer program. You can enroll online or through the Apple Developer app installed on your own (not the suspect’s) iOS device.

With a developer account, you can sideload the extraction agent from either Mac or Windows computers. This is not the case with the workaround.

Option 2: Workaround

For various reasons, you may prefer a personal, non-developer Apple ID for sideloading the extraction agent. iOS Forensic Toolkit supports this through a workaround, but only in the Mac edition of the tool. The workaround has certain risks and limitations. Once the extraction agent is sideloaded this way, you cannot launch it immediately: because it is not signed with a developer account, you must validate its signing certificate before the agent app will run, and validation requires an Internet connection. Allowing an evidence device to connect to the Internet poses significant risks (a remote wipe or lock command, an MDM action or cloud sync can alter or destroy data before it is extracted), which you may attempt to mitigate by following the guide iOS Low-Level Acquisition: How to Sideload the Extraction Agent.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »