Kevin Leung, Matt Witchey and Brian McMahon
Computer Forensic Consultants
In May, Apple released iOS 11.4, and with it, new features for storing and synchronizing Messages in iCloud. Our team has written before about the e-discovery and digital forensic investigation challenges that can arise when Apple updates operating system functionality. The changes in 11.4 are yet another example of how this continually moving target can impact organizations that are required to preserve, collect and review data from Apple devices for legal, regulatory and investigative matters.
This release gives iOS users a brand-new ability to sync Messages in iCloud and enable that synchronization across all their devices, making the Messages interface function more like email. Devices running iOS 11.4, and Macs running later versions of Apple’s High Sierra, that have this feature enabled will seamlessly synchronize sent and received messages, as well as deletions made on any one device connected to the same iCloud account. This brings a new level of efficiency and convenience for users, but it also gives custodians under investigation a simpler way to eliminate potential evidence across all of their devices at once.
Communications via chat applications, iMessage and SMS come into scope as important sources of information for many investigations today. We’ve seen countless cases where the evidence of wrongdoing exists or is corroborated by details in mobile device messages. Our team is constantly evaluating limitations and opportunities that emerge with new software updates to ensure we understand how they impact our ability to collect critical data. To better understand 11.4, we conducted a series of tests on various iPhones and an Apple Mac computer, all with the iCloud Messages sync feature enabled. The tests were run on multiple devices connected to the same iCloud account, and we imaged the devices at varying stages of activity.
Our testing revealed that once synced, the Messages feature in 11.4 worked exactly as designed. Messages appeared and disappeared almost instantaneously across synced devices, with only minor delays when the devices were not on the same network. From an investigations standpoint, this means that organizations and their forensics teams need to respond much more quickly in obtaining custodians’ devices, minimizing the window of time a custodian has to delete important information via iCloud. Recovering messages will still require a similar time investment, but investigators should now take additional steps to increase the chance of recovering deleted messages. These include:
It will only be a short time before the next version of iOS is released, and the format for how mobile device data is synced and stored will likely change again. What won’t change is the importance of this information to guiding and proving investigations. Investigators must stay on top of this constant evolution of technology and continue to research new approaches for finding key data and recovering data that has been deleted.