A Digital Forensic Analysis of the Impending iOS Update

For legal teams and organizations that routinely monitor or collect from iOS devices for investigations and litigation, it’s critical to understand how the new messaging capabilities in the Beta version of iOS 16 may affect the ability to preserve and recover evidence in the future.

Most notably, the Beta version of iOS 16 implements a “Recently Deleted” folder, which enables users to recover messages deleted within a 30-day period. This is a “soft delete” function: deleted messages are moved to the Recently Deleted folder and remain on the device for 30 days before being permanently removed. Earlier iOS versions were set up to permanently remove nearly all traces of deleted content immediately, which made deleted messages difficult to recover, so this new feature could be a boon for investigators who know where to look and how to uncover these artifacts.

In addition to examining the implications of this new “soft delete” function, our team conducted extensive testing on the changes to the messaging capabilities in iOS 16, using a suite of forensic tools. Our key findings include:

  • Messaging capabilities now include message editing, which allows users to edit a recently sent message up to 15 minutes after sending it; message recall, which allows users to recall a recently sent message up to 15 minutes after sending it; recovery of deleted messages for up to 30 days; and marking conversations as unread, which lets the user mark a previously read conversation as unread.
  • The new editing, recall, recovery and “mark as unread” features are not compatible when messaging with Android devices.
  • Edited messages and their original versions are tracked with one record. However, the content of the original message is not stored. Rather, the database indicates that it was edited and when.
  • Recalled messages and their original versions are also tracked with one record, which can indicate to investigators that a message was recalled and when, as well as when the original was sent and read. However, the content of recalled messages does not appear to be recoverable.
  • In testing on the Beta release to date, messages that have been marked as unread do not appear to be flagged with any discernible changes within the device’s database.
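
The findings above can be turned into a per-record triage that tells an examiner what each message record can still prove and when a soft-deleted message is due to be purged. This is an added example, not code from the original post or its authors; the table `msg`, its column names and the sample rows are constructed for illustration and are not the actual iOS database schema.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # "Recently Deleted" window stated in the post

def build_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT, sent TEXT,
                  read TEXT, edited TEXT, recalled TEXT, deleted TEXT)""")
    db.executemany("INSERT INTO msg VALUES (?,?,?,?,?,?,?)", [
        (1, "see you at 5", "2022-07-01T10:00:00", "2022-07-01T10:01:00", None, None, None),
        # Edited: one record, current text only, plus the edit time.
        (2, "revised text", "2022-07-01T11:00:00", "2022-07-01T11:02:00",
         "2022-07-01T11:05:00", None, None),
        # Recalled: one record, timestamps survive, content does not.
        (3, None, "2022-07-02T09:00:00", "2022-07-02T09:01:00", None,
         "2022-07-02T09:03:00", None),
        # Soft-deleted: still present, with the time of deletion.
        (4, "delete me", "2022-07-03T08:00:00", None, None, None, "2022-07-10T08:00:00"),
    ])
    return db

def ts(value):
    """Parse a stored ISO timestamp as UTC (an assumption of this sample)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc) if value else None

def triage(db, acquired_at):
    """Return {id: {...}} describing what each record can and cannot show."""
    report = {}
    rows = db.execute("SELECT id, body, sent, read, edited, recalled, deleted "
                      "FROM msg ORDER BY id")
    for mid, body, sent, read, edited, recalled, deleted in rows:
        flags, notes, purge_due = [], [], None
        if edited:
            flags.append("edited")
            notes.append(f"edited at {edited}; original wording not stored")
        if recalled:
            flags.append("recalled")
            notes.append(f"sent {sent}, read {read}, recalled {recalled}; no content")
        if deleted:
            purge_due = ts(deleted) + RETENTION
            live = acquired_at < purge_due
            flags.append("soft-deleted" if live else "soft-deleted-window-elapsed")
            notes.append(f"purge due {purge_due.isoformat()}")
        # No "marked unread" flag is modelled: testing found no discernible change.
        report[mid] = {"flags": flags, "notes": notes,
                       "purge_due": purge_due, "has_body": body is not None}
    return report
```

The `purge_due` value is the practical output for preservation planning: a collection performed after that time should not be expected to contain the message.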

An important consideration with these changes is that they are consistent with the increasing prevalence of modify, delete, mask and recover functions in messaging applications. The proliferation of ephemeral messaging tools has made it difficult for investigators to follow the trail of evidence in many matters. Some of these changes within iOS 16 (such as message editing and recall) will follow that trend. However, digital forensics experts who know where to look and what to look for will be able to leverage the soft delete feature and records of other message changes to uncover artifacts that will help paint a picture of what was happening on a device and when.

Our team will continue testing iOS 16 in Beta, as well as the features that are ultimately released when the full version launches.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.