Apple has released the Beta version of iOS 16, which is expected to be fully released in September. This release will include new messaging features, including editing, recall and recovery capabilities for messages sent between Apple devices. Our Digital Forensics & Investigations practice has been closely following and regularly testing iOS releases so as to explore potential investigations issues, challenges and opportunities. The new messaging capabilities are particularly interesting in the current Beta release because they carry a number of implications from a digital forensics perspective.
For legal teams and organizations that are routinely monitoring and/or collecting from iOS devices for investigations and litigations, it’s critical to understand how the new messaging capabilities in this Beta version may impact the ability to preserve and recover evidence in the future.
Most notably, the Beta version of iOS 16 implements a “Recently Deleted” folder, which enables users to recover messages deleted within a 30-day period. This involves a “soft delete” function wherein deleted messages are moved to the Recently Deleted folder for 30 days before being permanently removed from the device. Essentially, messages are left behind on the device for a period of 30 days. Given the difficulties of recovering deleted messages in earlier iOS versions, which were set up to permanently remove nearly all traces of deleted content immediately, this new feature could be a boon for investigators who know where to look and how to uncover these artifacts.
In addition to examining the implications of this new "soft delete" function (i.e., when a user deletes a message but the message is automatically moved to the Recently Deleted folder rather than immediately removed from the device), our team conducted extensive testing on the changes to the messaging capabilities in iOS 16, using a suite of forensic tools. Our key findings include:
An important consideration with these changes is that they are consistent with the increasing prevalence of modify, delete, mask and recover functions in messaging applications. The proliferation of ephemeral messaging tools have made it difficult for investigators to follow the trail of evidence in many matters. Some of these changes within iOS 16 (such as message editing and recall) will follow that trend. However, digital forensics experts who know where to look and what to look for will be able to leverage the soft delete feature and records of other message changes to uncover artifacts that will help paint a picture of what was happening on a device and when.
Our team will continue testing iOS 16 in Beta, as well as the features that are ultimately released when the full version launches.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.
Senior Director, FTI Consulting
Director, FTI Consulting
Senior Consultant, FTI Consulting