A Comprehensive Instruction Manual on Installing the Extraction Agent

December 27th, 2023 by Oleg Afonin
Category: «General»

This guide covers the correct installation procedure for the Elcomsoft low-level extraction agent, an integral part of iOS Forensic Toolkit that helps extract the file system and keychain from supported iOS devices. This instruction manual provides a step-by-step guide for setting up a device and installing the extraction agent. We’ve included suggestions from troubleshooting scenarios and recommendations we derived during testing.

Introduction

This manual emerged from a series of events triggered by a broken usage experience for some customers. The issue arose when attempting to access the phone’s file system right after extracting the keychain, leading to immediate reboots or sporadic connection losses. Surprisingly, after a successful keychain extraction, re-applying the exploit was not feasible. Moreover, unclean reboots due to kernel panics caused a file system rollback, which introduced new issues of its own. As similar issues persisted, we were able to reproduce this behavior and created a solution.

Prerequisites

Before initiating the installation process, ensure the following prerequisites are met:

  • Computer date/time and online connectivity: Ensure that the date and time settings on the computer are accurate, and the computer is connected to the internet.
  • Non-developer Apple accounts: Note that currently, non-developer accounts can only be used for sideloading the extraction agent on macOS systems. Consequently, you will need the Mac edition of iOS Forensic Toolkit if you are using a non-developer account.
  • Establish trusted relationships (before agent installation): Verify and establish trusted relationships between the phone and computer before installing the extraction agent.
  • Recommended USB-C cable: We recommend using a USB-C cable. While not critical for sideloading and signing purposes, using this cable is beneficial for subsequent extractions.

Preparing the device

To ensure smooth installation and subsequent operation of the extraction agent, ensure that the device you are installing it on has sufficient charge and is correctly configured.

  • Check date and time on the phone
    • Ensure that the date and time on your phone are accurate. If needed, adjust them to the current time. This step is crucial for the correct installation, signing, and validation of the extraction agent.

Installing the extraction agent

Next, sideload the extraction agent onto the iOS device, but don’t run it just yet.

  • Install the extraction agent (do not run it yet)
    • Install the extraction agent on the device but refrain from launching it at this stage.
  • Restart the phone
    • Perform a clean restart of the phone (clean power off and reboot).

Note: If you skip the reboot and the device panics, the pairing records or even the agent app itself may become corrupted due to the unclean reboot. You may need to re-install the agent app if that happens.

Configuration and connectivity

Depending on the type of the Apple ID account, you may need to validate the agent’s digital signature before the first launch; otherwise you won’t be able to run it. This process occurs on the device being investigated, and requires connecting the device to an Apple signing server, which in turn poses a set of known risks we’ve discussed in Installing the Extraction Agent.

Note: This chapter only applies if you need to have the agent’s digital signature validated when using a regular (non-developer) Apple ID for agent signing. Apple developer accounts created before June 2021 waive this requirement.

  • Connect to hardware firewall / Mac with firewall script
  • Verify agent signature via device settings
    • Navigate to “Settings -> General -> VPN and Device Management.”
    • Verify the digital signature of the extraction agent. Do not launch the agent yet; this step is solely to confirm the application’s signature.
  • Restart the phone again
    • Perform another clean reboot of the phone.
  • Launch extraction agent on the phone
    • Tap the agent app on the phone home screen to launch it. If prompted for “Developer Mode”, proceed to the next step.
  • Enable Developer Mode (if prompted)
    • Navigate to “Settings -> Privacy and Security -> Developer Mode.”
    • Activate Developer Mode (this might require another reboot of the device).
  • Confirm developer mode activation (only if enabling Developer Mode):
    • After the reboot, verify that Developer Mode is successfully enabled on your device.

Using the extraction agent

At this point, you can finally launch the extraction agent:

  • Run the extraction agent
    • Launch the extraction agent on the device by tapping its app icon on the home screen.
  • Disconnect from firewall (if used) and connect to computer
    • If you were using a hardware firewall, disconnect your phone from it and reconnect it to the computer.
  • Start EIFT and follow instructions
    • Run iOS Forensic Toolkit on your computer and proceed.

Notes and recommendations

  • File system integrity and device panic
    • Device panic causes unclean reboots. If you experience a device panic, the file system may be rolled back to a state prior to the panic to avoid corruption issues.
  • Rollback impact on extraction agent
    • Be aware that a rollback following an exploit might affect the functionality of the agent app and/or cause the pairing record to disappear. A clean reboot of the device between major steps helps to minimize potential issues.
  • Reinstalling the extraction agent
    • In case of corrupted records or application issues post-device panic, you may need to reinstall the agent app.

Following these steps should ensure a smooth setup and operation of the low-level extraction agent, minimizing the risk of potential cloud, device, and application-related problems.

Note: This manual is based on specific user experiences and testing scenarios. Adjustments may be necessary based on individual device configurations or software versions.

Final notes

Not following the above instructions may result in unexpected behavior. The symptoms may include the agent launching, the exploit executing successfully, and the keychain being retrieved smoothly, followed by an unexpected disruption at the file system extraction stage.

Please also note that the latest release of iOS Forensic Toolkit changed the behavior of the “-o” parameter of the “keychain” and “tar” commands. The “-o” option should now denote a folder name, not a file name. File names are automatically assigned based on the device’s UDID and the date/time.

Finally, it’s worth noting that both the image and keychain can be further loaded for analysis into Cellebrite Physical Analyzer (a topic that will be covered in a separate article).
