Page 94 - Cyber Defense eMagazine for July 2020
2. Clean and forensically sound. The agent does not write any unnecessary data onto the data partition, and does not leave any traces behind other than a few records in the system log.
3. Much easier to handle. Most jailbreaks (except checkra1n, which uses a hardware exploit) are limited to a narrow range of iOS versions. The agent carries all the exploits required to gain access to the data, and automatically applies the right exploit for a given version of iOS.
4. Robust operation. Jailbreaks are wonky to install, (very) frequently failing without an obvious reason and with no path forward. We have yet to see a single case where the agent would fail on a supported platform.
5. Offline operation. The agent can and should be installed with the device in Airplane mode. An Internet connection on the iPhone is never required, making it a safe, risk-free extraction.
Agent-based extraction also has two major drawbacks.
1. You will absolutely need a Developer account with Apple to sign and install the agent. A Developer account with Apple costs money (around $100/year if you use a personal one).
2. The agent is available for a wide but still limited range of iOS versions, currently supporting iOS 10.0 through iOS 13.4.1 inclusive. Extracting an iPhone running a newer iOS build would only be possible if we discover the corresponding exploit. Alternatively, the checkra1n jailbreak may be available if the device is an iPhone 8, 8 Plus, iPhone X, or older.
How to use jailbreak-free extraction
Jailbreak-free extraction is available through Elcomsoft iOS Forensic Toolkit. You will also need an Apple ID enrolled in Apple's Developer Program, with an app-specific password created in your profile. Write down that password; you will need it to sign the extraction agent. The acquisition steps are:
1. Connect the iPhone to your computer. Approve the pairing request (you may have to enter the passcode on the device to do that).
2. Launch Elcomsoft iOS Forensic Toolkit. The main menu will appear.
3. We strongly recommend performing logical acquisition first (by creating a backup, extracting media files, etc.).
4. For agent-based extraction, you will be using numeric commands.
5. Press 1 to install the agent onto the iPhone. Enter the Apple ID and the app-specific password you created in the developer profile, then type the 'Team ID' associated with your developer account.
6. The agent is now installed on the device. Tap the Agent icon on the iPhone to launch it, and keep it in the foreground during the extraction.
7. Press 2 to extract and decrypt the keychain (you can view it in Elcomsoft Phone Viewer).
8. Press 3 to capture the file system image. The tool saves the file system image in TAR format. You can view it with Elcomsoft Phone Viewer or third-party forensic tools.
9. Press 4 to clean up and uninstall the agent from the iPhone.
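Step 8 leaves the examiner with a TAR image to hand to third-party tools. The following is an added example, not code from Elcomsoft or the Toolkit, that inventories such an image and hashes every file in place without extracting it to disk, so the manifest can accompany the image as a chain-of-custody record; it uses a constructed in-memory TAR with made-up paths in place of a real extraction.

```python
import hashlib
import io
import tarfile

CHUNK = 1 << 20  # stream member contents 1 MiB at a time; real images can be very large

def manifest_from_tar(fileobj):
    """Return (sha256 of the whole TAR, one record per member) without extracting to disk."""
    whole = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        whole.update(chunk)
    fileobj.seek(0)
    records = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            rec = {"path": m.name, "kind": "other", "size": m.size,
                   "mtime": m.mtime, "link": m.linkname or None, "sha256": None}
            if m.isdir():
                rec["kind"] = "dir"
            elif m.issym():
                rec["kind"] = "symlink"  # recorded with its target, never followed
            elif m.isfile():
                rec["kind"] = "file"
                h = hashlib.sha256()
                f = tar.extractfile(m)
                for chunk in iter(lambda: f.read(CHUNK), b""):
                    h.update(chunk)
                rec["sha256"] = h.hexdigest()
            records.append(rec)
    records.sort(key=lambda r: r["path"])
    return whole.hexdigest(), records

def build_sample_image():
    """Constructed stand-in for an agent-produced image; paths and contents are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("private/var/mobile/Library")
        d.type = tarfile.DIRTYPE
        tar.addfile(d)
        data = b"hello"
        f = tarfile.TarInfo("private/var/mobile/Library/example.db")
        f.size = len(data)
        f.mtime = 1593561600  # constructed timestamp
        tar.addfile(f, io.BytesIO(data))
        s = tarfile.TarInfo("var")
        s.type = tarfile.SYMTYPE
        s.linkname = "private/var"
        tar.addfile(s)
    buf.seek(0)
    return buf
```

To run it against a real image, pass an open binary file handle to manifest_from_tar instead of build_sample_image().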
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.