Selective Extractions: Popular App Data Extraction on iOS

It’s without a doubt that digital forensic tools make investigations more effective and efficient, but if your search only requires you to extract data from a few specific applications, you are forced to wait for a full file system extraction before you can access the necessary data. This issue can multiply your working time and delay your investigation. 

Fortunately, we implemented a solution in Oxygen Forensic Detective 12.5! Our Selective Extraction feature is built into the Oxygen Forensic® iOS Extractor and allows investigators to conduct extractions from only the applications they select. Users can choose anywhere between 2 and 15 applications of interest from our list of 15 most popular apps. Investigators can now save time and promptly extract data from only the applications they choose. 

The list of the popular apps for Selective Extractions:

  1. WhatsApp Messenger
  2. Facebook Messenger
  3. Telegram
  4. Discord
  5. Facebook
  6. Twitter
  7. Instagram
  8. Gmail
  9. Skype
  10. WickrMe
  11. TikTok
  12. Signal
  13. Line
  14. WeChat
  15. Viber

These are apps that contain crucial data in most cases and are generally the first to be analyzed. If you think we’re missing an app that should be on this list, please contact us.

How-to

Open Oxygen Forensic® Extractor from the home screen. For iOS devices, the iOS Advanced Extraction window will open.

Please note, popular apps data can be extracted from already jailbroken iOS devices or from iOS devices on which checkm8 vulnerability could be exploited by iOS Extractor.

Figure 1: Selecting Extraction Method

Once the jailbroken device is read, investigators can choose whether to make a usual full file system extraction or extract data from a selected list of the popular apps.

Figure 2: Selecting Data to Extract

If the latter option is selected, the list of the popular apps stating amount of data in each one of them will be displayed on the screen. One, several, or all the applications in the list can be selected for extraction. Click on Start Extraction as soon as all apps of interest are chosen. 

Figure 3: Selecting Applications for Extraction

If the keychain is required to decrypt app data, it will be extracted as well. If the keychain is not required, its extraction will be skipped.

Figure 4: Keychain Extraction

Once the extraction is complete, all the extracted data will be shown within Oxygen Forensic® Detective.

We will continue to make improvements to this extraction method in the future. Stay tuned for any updates!

2 Replies to “Selective Extractions: Popular App Data Extraction on iOS”

Leave a Reply

Your email address will not be published. Required fields are marked *