ElcomSoft blog

Discover the benefits of agent-based data extraction from iOS devices. Learn about the purpose and development of the extraction agent, when it can be used, and best practices. Get a comprehensive understanding of the cutting-edge approach for iOS data extraction.

The Extraction Agent: An Overview

The extraction agent represents a cutting-edge approach of extracting data from iOS devices. Initially developed as a safer and more reliable alternative to jailbreaking, agent-based extraction provides risk-free low-level access to the device and enables full file system extraction and keychain decryption. This method offers improved speed and accuracy while making no changes to system partitions and leaving minimal traces on the data partition. After the extraction, the agent can be easily and completely removed with one command, the only traces left on the device being several entries in the system event log.

To better explain the benefits of the extraction agent, let us look back several years. Back in the days, file system extraction and keychain decryption were largely carried out through publicly available jailbreaks. However, this approach was not ideal as it was risky to the device, posed a threat to the data integrity and was far from being forensically sound.

To address these issues, in early 2020 we developed an alternative solution. Instead of a jailbreak, this new approach utilizes a small app, the “extraction agent”. The agent combines known exploits to escalate privileges, access the file system, and decrypt the keychain content. Compared to jailbreak-based acquisition, the extraction agent offers numerous benefits, including increased safety, speed, and robustness.

How It Works

iOS employs numerous protections to keep apps within sandboxed space. Third-party and system apps can only access data in their own sandboxed space, and gain access to limited information explicitly shared by other apps. This, for example, means that the Files app, which is a system app introduced in iOS 11, cannot and does not have access to the full file system of the user data; in this example, users of the Files app won’t have direct access to files produced by e.g. Signal or Telegram messengers (unless the user opens the messenger app and shares a chat comment or attachment from within the messenger itself).

Low-level access to the file system is strictly forbidden to apps running in the user space. However, apps with a higher privilege level can access the entire file system, including files stored in other apps’ sandboxes. Obtaining a higher privilege level requires privilege escalation, which is not permitted by the iOS security model. For this reason the extraction agent obtains privilege escalation by exploiting kernel-level vulnerabilities in parts of the operating system. To do that, the agent packs a large number of known exploits. When launched on an iOS device, it detects the OS version and attempts to apply a compatible exploit. If successful, the extraction agent gains access to the file system and establishes a communication channel between the device and the expert’s computer, which in turn allows the expert to image the file system with iOS Forensic Toolkit.

Although the concept may seem straightforward, it is significantly more complex than meets the eye. A kernel exploit alone is not enough to access the file system, while decrypting keychain records always requires additional work. We strive to keep iOS Forensic Toolkit updated to allow both file system extraction and keychain decryption for all supported iOS releases without gaps and exclusions.

Better than checkm8?

The extraction agent works in a different manner and is supported on a different range of devices. While checkm8 extraction is compatible with devices built with certain Apple chips, the extraction agent is hardware-agnostic, even supporting devices based on Apple Silicon (M1) chips. On the other hand, the extraction agent supports a limited range of iOS versions, while checkm8 is mostly (but not entirely) OS agnostic.

checkm8: devices based A5…A11 chips; most iOS versions; does not work on A11 iPhones with iOS 16. Requires a Mac.

agent: devices based on any hardware platform if running iOS 6 through iOS 15.5. Requires an Apple Developer account (or a Mac for a workaround).

The checkm8 extraction process is only available for older Apple devices that have a hardcoded vulnerability in their bootloaders. The newer chips starting with Apple A12 (the iPhone Xs/Xr generation) are not affected, which makes checkm8 extractions unavailable for those newer generations of devices.

For older devices that are compatible with checkm8, we recommend using the checkm8 extraction process. For newer devices, you won’t have such an option. Instead of targeting the hardcoded bootloader vulnerability that no longer exist in these newer devices, the extraction agent leverages kernel-level vulnerabilities in various parts of the operating system to escalate privileges, escape the sandbox, and access the device’s content at a low level.

The Current State of Agent-Based iOS Extraction

The extraction agent is currently compatible with all iOS releases up to iOS 15.5 on all iOS/iPadOS devices. Windows users require an Apple Developer account to use the agent, while macOS users are recommended to have one. To perform an extraction, the device’s screen lock password must be known or absent. If the device is running a compatible version of iOS and the screen lock password is known, it is highly recommended to use the iOS Forensic Toolkit extraction agent for all data extractions.

The Practical Guide

There are several steps to using the extraction agent. First, make sure you want to use the agent as opposed to (or in addition to) other extraction methods:

• Approaching iOS Extractions: Choosing the Right Acquisition Method

During the second step you’ll need to sideload (install) the extraction agent on the iOS device being extracted. This is a somewhat more complex process than it seems, and you may need to enroll your Apple account into Apple Developer Program. If you have a developer account with Apple, sideloading the extraction agent is easy. If you don’t, you’ll have to use a risky workaround.

• iOS Low-Level Acquisition: How to Sideload the Extraction Agent

If you managed to sideload the extraction agent, launch it on the device by tapping its icon, and keep the app running in the foreground until the extraction is finished. The extraction steps are described in the following short manual:

• iOS Forensic Toolkit 8 Extraction Agent Cheat Sheet

Finally, remove the extraction agent by either uninstalling it from the device in a regular way or by issuing a command (refer to the Cheat Sheet above).