
iOS 16 for iPhone and what it means for eDiscovery


Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

A new year, a new operating system update for your iPhone.  Apple recently released iOS 16 for iPhones.  Many iOS releases provide new features, fix some issues and improve the user experience.  iOS 16, however, brings two new features that have a direct effect on iMessages:  the ability to delete messages and the ability to edit messages.

Deletion of Messages

Deleting text messages, be they SMS, MMS or iMessages, is nothing new, whether you are talking about iPhones, Androids or otherwise.  What iOS 16 brings is the ability to delete a message not only from your iPhone but also from the recipient’s iPhone.  Only the sender of a message can delete it from the recipients’ phones.  This action cannot be initiated by a recipient.

For the deletion to succeed, three conditions need to be met.  The first condition is that the message is an iMessage.  For a message to be an iMessage, the sender and all recipients must be on iPhones.  The second condition is that the sender and all recipients must be on iOS 16.  Anyone not on iOS 16 will not have the message deleted.  The third condition is that you have to delete the message within 2 minutes of sending the original message.  If these conditions are met, the message is deleted not only from the sender but also from all of the recipients.

Editing of Messages

iOS 16 also brings the ability to edit text messages.  As with deleted messages, three conditions must be met.  The first two are identical to the deleted message process: the message is an iMessage and everyone is on iOS 16.  The third condition, however, is a bit more lenient: you have 15 minutes from the time you send a message to edit it.  To be clear, you can only edit messages you send; you can’t edit messages others send.

Forensic Evidence

Editing of messages does not occur without leaving behind a trace.  A forensic analysis of the recipient or sender iPhone does reveal the previous edits.  However, to expose this information with eDiscovery, you need to make sure that the tools you are using are capable of finding this data.  Once a message is edited, the location in the database where the body of the message is stored changes, and the database also holds evidence of the edits.

When a message is deleted, the content of the deleted message does go away from both the sender and recipient. What remains is a record that indicates a message was sent by a specific individual to other individuals at a specific date and time.

What is also evidentiary in this process is when the edit or deletion occurred.  There is a field in the sms.db (the file that contains text messages on an iPhone) that represents when a message is edited or deleted.  To be fair, the time constraints discussed previously provide one with a window of when an edit or deletion occurred.  But in the event of a deletion, information in this field will point to evidence of a message being deleted through this process versus something else occurring.
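As an added example (not code from the original article or from Vestige), the following Python shows how an examiner might list edited and deleted messages from a copy of sms.db and compare the recorded change time with the 15-minute and 2-minute windows described above. The column names (`text`, `date`, `date_edited`), the nanoseconds-since-2001 timestamp encoding, and the rule that an empty body means a deletion are assumptions to verify against the schema of the database under examination; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
EDIT_WINDOW = timedelta(minutes=15)    # edit window stated in the article
DELETE_WINDOW = timedelta(minutes=2)   # delete window stated in the article

def apple_ns(ts):
    """Assumed encoding: nanoseconds since 2001-01-01 UTC."""
    return APPLE_EPOCH + timedelta(microseconds=ts // 1000)

def find_changed(conn):
    """Return (rowid, kind, sent, changed, within_window) per changed message."""
    rows = conn.execute(
        "SELECT ROWID, text, date, date_edited FROM message "
        "WHERE date_edited IS NOT NULL AND date_edited != 0 ORDER BY ROWID")
    out = []
    for rowid, text, sent_ns, changed_ns in rows:
        sent, changed = apple_ns(sent_ns), apple_ns(changed_ns)
        # Assumption: an empty body with a change time set is a deletion.
        kind = "edited" if text else "deleted"
        window = EDIT_WINDOW if kind == "edited" else DELETE_WINDOW
        within = timedelta(0) <= changed - sent <= window
        out.append((rowid, kind, sent, changed, within))
    return out

def build_sample():
    """Constructed in-memory stand-in for sms.db; not real case data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, "
                 "text TEXT, date INTEGER, date_edited INTEGER)")
    sec = 10**9
    base = 700_000_000 * sec  # constructed send time
    conn.executemany("INSERT INTO message VALUES (?,?,?,?)", [
        (1, "untouched message", base, 0),
        (2, "text after edit", base + 60 * sec, base + 360 * sec),
        (3, None, base + 120 * sec, base + 165 * sec),
        (4, None, base + 180 * sec, base + 3780 * sec),
    ])
    return conn

if __name__ == "__main__":
    for rowid, kind, sent, changed, ok in find_changed(build_sample()):
        note = "" if ok else "  <-- outside the stated window, review"
        print(f"{rowid}: {kind} sent={sent:%Y-%m-%d %H:%M:%S} "
              f"changed={changed:%H:%M:%S}{note}")
```

Run it against a working copy of the database, never the original evidence file.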

Conclusion

From a discovery perspective, the edit or deletion of messages, while adding a new wrinkle, doesn’t appear to have much of an effect beyond the normal issues posed by deleting messages.  The time constraint really prevents much damage unless action is taken by the sender within minutes of sending a message.  Arguments can be made as to the significance of these features when it comes to domestic violence and similar issues, but that discussion is beyond the scope of this article.  But what is significant is the following:  First, does your expert understand the details of this process, including when it works, how it works, and how to find the evidence of the edit or deletion?  Second, what this author has seen too often is someone non-technical making claims that how this process is perceived to have worked is how it actually does work.

The most important takeaway for you, the reader, is to be aware of the situation and to hire the right digital forensics expert, like Vestige, to guide you through the specifics via expertise, knowledge and testing.

by Greg Kelley, BS, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations
