A look into iOS 18’s changes
It’s September! For me, that means the weather is starting to cool off, my favorite sports are in full swing, and Apple is releasing a new version of their iOS operating system. And with a new version of iOS, comes a new version of my yearly blog hopefully preparing examiners with what iOS 18 new features to be aware of and where to look for the new, shiny artifacts.
First, a quick piece of info. The examination and information contained below was done with an iOS 18 full file system extraction, not an iTunes-style backup image.
It’s also worth mentioning that a lot of Apple’s shiniest iOS 18 new features won’t be landing quite yet. Apple’s latest big-ticket item, the Apple Intelligence features, won’t land until iOS 18.1 which is projected for October. That just means we’ll have to take another look when the awesome new stuff lands!
So, what DID we get as part of iOS 18? This version marks one of the largest design changes Apple has seen since it went away from skeuomorphism design practices with our app icons. These new changes will allow users to use ‘dark mode’ style icons or even ‘tinted’ icons where icon is tinted a specific chosen color.
New app protections
Speaking of apps, we were given the ability to protect apps by using our lockscreen password to open them. This is more of a top-level UX based protection as it doesn’t seem to change the ability for our forensic tools to gain access to the data once a file system image has been acquired. Users have two options: the ability to hide the application from the home screen AND password protect it, or just password protect it.
In cases where the user decided to protect the application with a passcode, we can track which applications have been hidden by using the com.apple.appprotectiond.plist file found within /private/var/mobile/Library/Preferences/ directory.
The SBSearchDisabledAppsPriorValue shows us the three applications that were locked, while only two of them were actually removed from the homescreen which can be found under LockscreenSuggesionsDisabledBundlesPriorValue. What is also interesting about this file is that it shows us how many apps were hidden or locked within the last seven-day timeframe.
In cases where the user has just chosen to hide it AND protect it, the hiding of the application will be tracked back to the SpringBoard folder and the IconState.plist file we use to determine the application layout on the homescreen. The [ignored] key within this property list file will show you ALL applications that have been removed from the home screen including those that were done so as part of the password protection process.
These applications are still very much on the device, just not our home screen.
iOS 18 also allows us to lock icons into a specific place on the homescreen. This information can also be tracked from the same IconState.plist file as previously mentioned above. While these pieces of information may seem small, they can be valuable for better understanding the mentality of how important someone has deemed an application to them. The fixedLocations key will show what place (counting starting with 1 in the top left corner) the application has been fixed to so that it doesn’t get auto moved like previous versions of iOS.
Messaging madness!
In addition to giving us some design changes, Apple also gave us some changes to my personal favorite database, the Messages database! That’s right my Android fans, we flipped the switch and your Apple counterparts can join you in Rich Communication Services based conversations now. As per usual, RCS messages will fall back to SMS messages if need be and are enabled by default. Just like iMessages versus SMS, Apple will use the “service” column within the messages table of SMS.db to reflect if this was an RCS message.
RCS messages add the ability for us to see if messages were delivered and/or read depending on the receipts of the other party. These can be tracked just like we track iMessage read/delivered dates within the SQLite database. The timestamps are still using the “Apple Time” (Cocoa/Webkit, MAC Absolute, etc) but using nanosecond values.
Unfortunately for our RCS users, the number of features you got are minimal. I can still turn read receipts on/off, but the ability to edit, recall, or add fun new text enhancements are still restricted to iMessage. While we handle reactions much better now, you’re still green bubbles to us. 😉
Type now, send later
Apple gave us a long-requested feature in that I can now schedule iMessages as part of the “Send Later” functionality. This allows us to pick and date and time to send a message to another party. This could complicate some things for investigators, but we can track some good points within the database.
When messages are scheduled for later, they will immediately get written to the SMS.db file. The date column reflects the nanosecond Apple Time value for when it is scheduled. It obviously does not update the date_delivered or date_read columns. Scheduled messages also hold a “schedule_type and schedule_state” column to show that they’re scheduled messages. Close observers may also note that there is a column now for “is_pending_satellite_send” for the new sending of iMessages via satellite.
Lightning round!
Wait, should we change that to USB-C round now? Anyway, a new software update can break a lot of things, so let’s use the lightning round to discuss some top-of-mind things for examiners:
- MOST core artifacts are unchanged from a parsing perspective
- KnowledgeC.db is still in use and there are no major changes seen thus far from iOS 17
- SEGB v2 are still around and kicking (thankfully there have been no new SEGB formats discovered YET)
- The new “Passwords” app mostly seems to be a UI for the data already stored in the keychain
Apple is keeping some of the other big features back for the iOS 18.1 release that will bring Apple Intelligence to many phones. So that just means you’ll have to tune back in for another iOS 18 update then, or you can also join us to look at these features and more during October’s Mobile Unpacked Episode 22 where we’ll be taking a deeper look into all the new things iOS 18!