New Feature: Data Extraction via iOS Agent

In the new version of Oxygen Forensic® Detective, we are proud to introduce to you our latest development in mobile data extraction – iOS Agent.

Many of our users are already familiar with OxyAgent, which allows data extraction from Android devices and is used in situations when the device itself cannot be connected via ordinary methods.

OxyAgent was made for Android devices, so we developed a counterpart agent for iOS devices.

 

iOS Agent

iOS Agent is an app created for iOS devices. It is installed directly on the device as a regular, unprivileged user app.

 

iOS Extraction Methods

This is the fourth extraction method for iOS devices available in our software:

      1. iTunes Procedure
      2. Checkm8
      3. Jailbreak
      4. iOS Agent

 

iTunes Procedure

Unlike the iTunes procedure, the iOS Agent method extracts more evidence, including keychain, system data, and apps.

 

Checkm8

The checkm8 method is limited to certain device models. The iOS Agent approach, by contrast, covers more device models but is currently limited by iOS version.

 

Jailbreak

Unlike the jailbreak methods, the iOS Agent method does not significantly modify the file system.

 

iOS Agent

Supported devices and iOS versions

The following devices running iOS 14.0 – 14.3 are currently supported:

      • iPhone 12 Pro Max, iPhone 12 Pro, iPhone 12, iPhone 12 mini
      • iPhone 11 Pro Max Dual SIM, iPhone 11 Pro, iPhone 11
      • iPhone SE (2020)
      • iPhone XR Dual SIM, iPhone XS Max, iPhone XS
      • iPhone X, iPhone 8, iPhone 8 Plus
      • iPhone 7, iPhone 7 Plus
      • iPhone 6s, iPhone 6s Plus
      • iPhone SE
      • iPad Pro (12.9-inch) (4th gen), iPad Pro (11-inch) (3rd gen), iPad Pro (11-inch) (2nd gen)
      • iPad Pro 12.9 (2018), iPad Pro 12.9 (2017), iPad Pro 12.9 (2015)
      • iPad Pro 11, iPad Pro 10.5 (2017), iPad Pro 9.7 (2016)
      • iPad Air (2019), iPad Air (4th gen)
      • iPad 10.2 (2019), iPad 9.7 (2018), iPad 9.7 (2017), iPad (8th gen)
      • iPad mini (5th gen), iPad mini 4 (2015)
      • iPod touch (7th gen)

 

Data extraction with iOS Agent

Before initiating the data extraction process, please note that an Apple account is required for signing into the installed application.

To install the agent app, investigators need to authenticate an Apple ID account and obtain a certificate for signing the app in Oxygen Forensic® Device Extractor.

 

The following steps are required to authenticate the account:

      1. Authenticate the Apple ID account using Apple account credentials.
      2. Enter the two-factor code that was sent to a trusted device.

 

To get started, connect the device via USB cable and select “iOS Agent” in Oxygen Forensic® Device Extractor.

Figure: iOS extraction methods that users can choose in Oxygen Forensic® Device Extractor

When the device is connected via USB and iOS Agent is chosen as the extraction method, users may sign in with a valid prearranged Apple account.

After choosing the extraction method, users must sign in to their Apple account to use iOS Agent.

The iOS Agent application may be signed via:

      • Free signature
      • Developer signature

 

If the free signature is used, the device should be connected to the internet. After the application signed with a free signature is installed, the user has to go to Settings → General → Device Management and set the developer as trusted.

If the application is signed with a developer signature, the device may stay offline and no additional settings are required.

 

Please note the following differences:

      • Free certificates are valid for 7 days, and there may be a maximum of 2 certificates on a free account.
      • A certificate from a paid developer account is valid for 1 year. There may be up to 10 certificates on such accounts.

Preparing the iOS device for extraction with iOS Agent

As soon as the app is signed, the data extraction may begin. Once launched, iOS Agent executes the exploit code applicable to the iOS version installed on the device.

Figure: User choosing the type of extraction in Oxygen Forensic® Device Extractor

As soon as the extraction process is over, the user can open the extracted data in Oxygen Forensic® Detective for further analysis.

Figure: After iOS device extraction with iOS Agent, users can view the analysis in Oxygen Forensic® Detective

Conclusion

This new feature allows investigators to extract data from more iOS devices. At Oxygen Forensics we continue to innovate and expand our software to make sure investigators have all the tools they need to piece together the evidence.

Want to try this feature? Update your Oxygen Forensic® Detective to version 14.5 or contact us for a trial license!
