أكتوبر 26, 2023 / By Wael Alnahari / in الطب الشرعي الرقمي
In this tutorial, we will address common issues faced by users of the iOS Forensic Toolkit when installing and using the low-level extraction agent for accessing the file system and keychain on iOS devices. This troubleshooting guide is based on the valuable feedback and data received by our technical support team.
In this guide, we won’t dive into the inner workings of the extraction agent, which leverages known vulnerabilities to elevate privileges in Apple iOS. Instead, we’ll focus on what to do when you encounter a difficulty installing or using the extraction agent.
First, let us cover the two most common mistakes our users regularly make when using the extraction agent.
Before you start sideloading and using the extraction agent, make sure to perform all of the following checks.
Compatibility check: iOS version
The extraction agent supports a wide range of iOS releases. Before you begin, get the exact version of iOS installed on the device, and check it against the iOS Forensic Toolkit compatibility list. Make sure that the version of iOS Forensic Toolkit you are using supports the version of iOS installed on the device.
Important: We are continually working on expanding the list of supported iOS versions for the extraction agent. You may find that your installed version of iOS Forensic Toolkit does not support a given iOS build, while a newer version does. If this is the case, you will need to update iOS Forensic Toolkit to the latest version.
Date and time on the target device
When launching the extraction agent, iOS checks if its digital signature is valid. If the device has been deeply discharged, its time and date settings may be way off, which will cause the verification to fail.
Solution: Set the correct date and time in the device’s settings. You may need to reinstall the extraction agent.
Check device pairing
Ensure that the target device is correctly paired to the computer. To do that, run the following two commands:
EIFT_cmd normal unpair EIFT_cmd normal pair
Disable Internet sharing after signing the extraction agent
Do not forget to disable internet sharing after signing the agent app.
If you forget to disable internet sharing from your computer after signing the agent on the target device, there’s a risk of data loss due to receiving a command for remote locking or remote device wipe during operation.
Do not use VPN or proxy when signing the extraction agent
Signing the extraction may fail if the computer has an active VPN or proxy connection. Disable VPN and proxies when signing the extraction agent.
Use USB Type-C to Lightning cable
While checkm8 extraction usually requires a USB-A to Lightning cable, agent-based extraction works better with a certified USB Type-C to Lightning cable. We found that using Type-C to Lightning cables delivers extractions that are both faster and more reliable.
In this section, we’ll cover the common problems that may arise during the installation and usage of the extraction agent and iOS Forensic Toolkit.
“Insufficient Permissions” or “Not Found” errors
If you receive the “Insufficient Permissions” error when running iOS Forensic toolkit or the firewall script, this can mean that the tool had not been correctly installed on the computer. These problems can be broken down into the following cases.
The xattr command was not run correctly
To fix this issue, follow these steps:
iOS Forensic Toolkit folder is located on the desktop
Solution: Move EIFT to a different location, such as the local Applications folder.
Shell does not have full disk access permissions
You must grant full access permissions to the OS shell.
Misconfigured Internet sharing for USB devices
Typically, the problem arises from selecting the wrong internet source. Sometimes, more than one iPhone/iPad connection may appear in the list.
Solution: You need to manually identify the correct connection, often through trial and error, using a designated test device.
The firewall is running, tested OK, but sideloading does not work on the target device
The firewall is running, tested OK, but signing does not work on the target device
Not enough disk space or FAT32-formatted external drive
You need enough free disk space to fit the file system image. If using an external drive, make sure to format it in a file system other than FAT32, which limits file sizes to 4GB.
The extraction agent is not running or running in background
Ensure that the extraction agent runs as a foreground app during the entire extraction.
Wireless networks not fully disabled
First and foremost, the device must be placed into airplane mode during the extraction. However, depending on the last settings, the Wi-Fi and Bluetooth toggles may not be automatically disabled when the device enters airplane mode.
Solution: place the device into airplane mode first, then check and manually disable the Wi-Fi and Bluetooth toggles.
Error: “All exploits failed”
Cause: too long or too short a delay after booting or restarting the device.
Explanation: the exploits used by the extraction agent are time-sensitive. Some iOS versions require a delay of no more than 10 seconds after a reboot before launching the extraction agent, while iOS 16 requires a delay of approximately one minute to allow all kernel-level processes to stabilize. Providing an exact waiting time for each iOS version is challenging, so if you encounter issues with the exploit, try both shorter and longer delays, rebooting the device between attempts. In some cases, you may need to try up to five times.
Note: if the device has been running for a very long time (e.g. while sitting on a charger), the exploit will almost certainly fail. In this case, you will need to reboot the device.
Solution: reboot the device, wait 10 seconds to 1 minute.
If none of the above resolves the issue, try identifying the issue by following steps from the Troubleshooting Guide.
Important: for the troubleshooting guide, always use a designated test device! Do not perform troubleshooting steps using the target device unless specifically instructed.
Step 1: Ensure Internet Connectivity on the Test Device
Ensure that the Internet sharing is working properly by checking that the Internet is accessible on the test device while wireless network interfaces (such as WiFi and mobile data) are disabled, and the text device is connect to your Mac computer via a cable. If you encounter issues with Internet sharing, refer to the “Misconfigured Internet Sharing for USB devices” section for solutions.
Step 2: Try Sideloading and Signing the Extraction Agent Without a Firewall
Step 3: Try Sideloading and Signing the Extraction Agent With a Firewall
Step 4: Troubleshoot on the Target Device
If all previous steps were successful on the test device but signing the agent still fails on the target device, follow these steps:
By following these steps, you should be able to troubleshoot and resolve common sideloading and signing issues. If you encounter any persistent problems, do not hesitate to contact our support team for further assistance.
By Oleg Afonin at 2023-09-12 10:37:42 Source ElcomSoft blog:
مايو 31, 2024 by Wael Alnahari
مايو 15, 2024 by Wael Alnahari
WGN | وغن