Apple iOS 16 – New Features and Their Impact on Cell Phone Investigations

Apple’s annual update to their cell phone operating system has brought some changes and long-awaited new features. The new iOS has more personalization, including being able to edit a sent message. We have highlighted some aspects that involve data and settings that could be crucial to a digital forensic investigation. These include a “Send Later” feature within Mail, editing and un-sending messages, and recovering recently deleted messages. Additionally, an iCloud shared photo library, Safety Check, and Lockdown mode. Lastly, 16.2 provides for advanced data protection for iCloud. 

While it may already be a feature with other mail providers, Apple’s Mail now allows a user to schedule an email to be sent in the future. This is a convenient and long overdue function; however it is important to keep in mind the impact delivery time of key information might have on your case. Apple says future releases will allow a user to easily unsend an email message that’s been sent. To us this sounds like a spoliation claim waiting to happen if the metadata trail is not updated correctly. There is also a new Mail setting that will delay the message being sent for up to 30 seconds, allowing the end user to recall the email. This setting should be considered when analyzing a mailbox. 

Changes were also made to the messaging capabilities with Apple’s latest update. Three main changes are the ability to edit an iMessage, to unsend an iMessage, and recovering recently deleted messages. The new iOS allows users to edit a message up to five times, within the first 15 minutes after sending it. The recipients will be able to see the edits made within the message and a record indicating that it was edited. In addition to editing messages, an iMessage can be unsent for up to two minutes after sending it. Both participants will see a notification showing that a previous message was deleted. Most intriguingly, Apple states that a user can now recover their recently deleted messages for up to 30 days after deleting them. These features bring new light to the importance of preserving data as soon as possible after an incident. 

As data sharing becomes commonplace, the iCloud shared photo library is an interesting addition. The photo library allows the user to share a separate iCloud photo library with up to five other people. This differs from the original sharing option of only a single album. The new features allow everyone who has access to the shared library to add, edit, favorite, caption, and delete items within the library. This feature should be considered when remediating data as items in a shared library could be deleted in several places. 

Two more features that may be critical in future cases are Safety Check and Lockdown mode. Apple has continually taken the users side on issues involving privacy and security. The Security Check allows people to quickly reset the access they’ve granted to others. This includes applications that have asked for permission for your location, camera, microphone, photos, etc. It simplifies management and access of applications to features such as location sharing and what devices are signed in with your Apple ID. 

Lockdown mode is a new security feature providing protection to those facing targeted threats to their digital security. Apple states this mode hardens your device’s defenses and limits certain functions, reducing the attack surface that could be potentially exploited. This mode is an optional protection to those who feel they’re being targeted. Many sharing features will be disabled, especially when receiving content or notifications from people not in their contact list.  

In 16.2, Apple has extended the total number of iCloud data categories using end-to-end encryption so that it can only be decrypted on the users’ trusted devices. By default, iCloud already protects 14 sensitive data categories using end-to-end encryption, including Health data and passwords in iCloud Keychain. This advancement brings the total categories protected using end-to-end encryption to 23, including Notes, Photos, and iCloud backup. 

These features are just a few of the new capabilities that comes with iOS 16 and further challenge us in protecting, collecting, and confirming the integrity of secure information. Capsicum Group can help with your forensics collections, cybersecurity, and eDiscovery needs. We pride ourselves in getting our clients as much data as available during collections, decryption, and forensic analysis. As the technology continues to evolve, Capsicum continues to evolve with it.