Latest iOS Update Makes Evidence Deletion Easier
In May, Apple released iOS 11.4, and with it, new features for storage and synchronization of Messages to iCloud. Our team has written before about the e-discovery and digital forensic investigation challenges that can arise when Apple updates operating system functionality. The changes in 11.4 are yet another example of how this continually moving target can impact organizations that are required to preserve, collect and review data from Apple devices for legal, regulatory and investigative matters.

This release provides iOS users a brand-new ability to sync Messages in iCloud and enable that synchronization across all their devices, making their Messaging interface function more like email. iOS version 11.4 and later versions of Apple’s High Sierra on Mac that have this feature enabled will seamlessly synchronize sent and received messages, as well as deletions that occur on one device connected to the same iCloud account. This brings a new level of efficiency and convenience for users, but also a simpler way for custodians under investigation to eliminate potential evidence across all of their devices.

Communications via chat applications, iMessage and SMS come into scope as important sources of information for many investigations today. We’ve seen countless cases where the evidence of wrongdoing exists or is corroborated by details in mobile device messages. Our team is constantly evaluating limitations and opportunities that emerge with new software updates to ensure we understand how they impact our ability to collect critical data. To better understand 11.4, we conducted a series of tests on various iPhones and an Apple Mac computer, all with the iCloud Messages sync feature enabled. The tests were run on multiple devices connected to the same iCloud account, and we imaged the devices at varying stages of activity.

Our testing revealed that once synced, the Messages feature in 11.4 worked exactly as it was designed. Messages appeared/disappeared almost instantaneously across synced devices, with only minor delays when the devices were not on the same network. From an investigations standpoint, this means that organizations and their forensics teams need to respond much more quickly in obtaining custodians’ devices, and minimizing the window of time a custodian has to delete important information via iCloud. Recovering messages will still require a similar time investment, but now investigators should take additional steps to increase the chance of recovering deleted messages. These include:

  • Put it in Airplane Mode: Devices should be appropriated as quickly as possible at the onset of an investigation. Once they have devices in their possession, investigators should immediately turn on Airplane Mode or place them in Faraday bags (which shield signals) so they can no longer sync. This will help prevent the loss of information that may otherwise occur from changes made in iCloud.
  • Mobile Device Settings: Analyzing the settings of each device prior to forensic imaging is now more important than ever before and will tell investigators which operating system is being used (and therefore if Messages are stored in iCloud, as well as how much storage space is taken up by Messages). Understanding where the data lives, how much is stored in iCloud, and what/how much data is synced with other devices will help inform further steps in the investigation.
  • Leverage Every Angle: With information from the device settings, investigators will know which other devices may need to be collected. It is critical to think about all of the devices that have been synced and try to access them all as quickly as possible to make multiple forensic images. With numerous copies from numerous sources, investigators will have a better chance of finding deleted content that could be pertinent to the matter.

It will only be a short time before the next version of iOS is released, and the format for how mobile device data is synced and stored will likely change again. What won’t change is the importance of this information to guiding and proving investigations. Investigators must stay on top of this constant evolution of technology and continue to research new approaches for finding key data and recovering data that has been deleted.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.