Many of our users are already familiar with OxyAgent, which allows data extraction from Android devices and is used in situations when the device itself cannot be connected via typical methods.
OxyAgent was made for Android devices so we developed another for iOS devices – iOS Agent.
iOS Agent is an app that was created for iOS devices that is installed directly to the device as a regular unprivileged user app. iOS agent can be found in Oxygen Forensic® Detective’s included Device Extractor tool with iOS Agent being one of the methods of extraction.
Table of Contents
- iOS Extraction Methods
- Data Extraction with iOS Agent
- iOS Agent Updates
iOS Extraction Methods
This is the 4th extraction method for iOS devices that is available in our software:
- iTunes Procedure
- iOS Agent
Unlike the iTunes procedure, the iOS method will extract more evidence, including keychain, system data, and apps.
The checkm8 method is limited to the device models. The iOS Agent approach, on the contrary, covers more device models but is currently limited to the iOS version.
Unlike the jailbreak methods, the iOS Agent method does not significantly modify the file system.
The following devices running iOS 14.0 – 14.3 are supported in Oxygen Forensic ® Detective v.14.5:
- iPhone 12 Pro Max, iPhone 12 Pro, iPhone 12, iPhone 12 mini
- iPhone 11 Pro Max Dual SIM, iPhone11 Pro, iPhone 11
- iPhone SE (2020)
- iPhone XR Dual SIM, iPhone XS Max, iPhone XS
- iPhone X, iPhone 8, iPhone 8 Plus
- iPhone 7, iPhone 7 Plus
- iPhone 6s, iPhone 6s Plus
- iPhone SE
- iPad Pro (12.9-inch) (4th gen), iPad Pro (11-inch) (3rd gen), iPad Pro (11-inch) (2nd gen)
- iPad Pro 12.9 (2018), iPad Pro12.9 (2017), iPad Pro 12.9 (2015)
- iPad Pro 11, iPad Pro 10.5 (2017), iPad Pro 9.7 (2016)
- iPad Air (2019), iPad Air (4th gen), iPad Air (4th gen)
- iPad 10.2 (2019), iPad 9.7 (2018), iPad 9.7 (2017), iPad (8th gen)
- iPad mini (5th gen), iPad mini 4 (2015)
- iPod touch (7th gen)
Data Extraction with iOS Agent
Before initiating the data extraction process, please note that an Apple account is required for signing into the installed application.
To install the agent app, investigators need to authenticate an Apple ID account and obtain a certificate for signing the app in Oxygen Forensic® Device Extractor.
The following steps are required to authenticate the account:
- Authenticate the Apple ID account using Apple account credentials.
- Enter the two-factor code that was sent to a trusted device.
To get started, connect the device via USB cable and select “iOS Agent” in Oxygen Forensic® Device Extractor – available with an Oxygen Forensic® Detective license.
When the device is connected via USB and iOS Agent is chosen as the extraction method, users may sign in with a valid prearranged Apple account.
The iOS Agent application may be signed via:
- Free signature
- Developer signature
If the first way is used, the device should be connected to the internet. After the application signed with free signature is installed, the user has to go to Settings → General → Device Management and set the developer as trusted.
If the application is signed with a developer signature, it may stay offline and additional settings are not required.
Please note the following difference:
- Free certificates are valid for 7 days, and there may be a maximum of 2 certificates on a free account.
- A certificate from a paid developer account is valid for 1 year. There may be up to 10 certificates on such accounts.
As soon as the app is signed, the data extraction may begin. Once launched, iOS Agent executes the exploit code applicable to the iOS version installed on the device.
As soon as the extraction process is over, the user can open the extracted data in Oxygen Forensic® Detective for further analysis.
iOS Agent Updates
Oxygen Forensic® Detective v.15.4
- We added two enhancements for iOS Agent method:
- In the minor update of Oxygen Forensic® Detective v.15.3.1 we’ve added the ability to extract the full file system via iOS Agent from iOS devices running versions 15.0 – 15.7.1 and 16.0 – 16.1.2.
- Oxygen Forensic® Detective v.15.4 now allows selecting an exploit if several are available for the particular iOS device model.
Oxygen Forensic® Detective v.15.3
- We added two enhancements for iOS device support:
- We’ve added the ability to extract the full file system and keychain via iOS Agent from iOS devices running iOS versions 15.0 – 15.4.1. For these supported iOS versions, there is no need to authenticate an Apple ID account and obtain a certificate for signing iOS Agent.
- Users can now extract the full file system and keychain via checkm8 from Apple iOS devices based on the A10 chipset and running iOS 14 and 15 without disabling the screen lock.
Oxygen Forensic® Detective v.15.2
Users are able to extract full file system and keychain from iOS devices with versions 14.4-14.5.1 via iOS Agent.
Oxygen Forensic® Detective v.15.1
The interface was updated for selective iOS data extraction via checkm8, SSH, and iOS Agent.
Oxygen Forensic® Detective v.15.0
We enhanced the ability to selectively extract evidence from Apple iOS devices. Previously, only selective extraction was available for TOP 30 apps. Now you can choose any installed app for extraction. This feature is available for the checkm8, SSH, and iOS Agent extraction methods.
Get more from Oxygen Forensic® Detective
At Oxygen Forensics, we continuously update our software to ensure we stay at the forefront of digital forensic technology. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on the latest features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.