Bringing it Back With Biome Data
A key part of any mobile device examination is understanding the pattern of life activity of said device. Seeing what a user is doing at specific times of day and developing patterns of behavior becomes important in a number of different types of examinations.
We have come to rely on these artifacts from sources such as the KnowledgeC and PowerLog databases in iOS. While these databases still exist in iOS 16, Apple threw us a curveball by moving some of the key records to a new location and storage format completely.
The Biome subdirectory found within /private/var/mobile/Library (as well as one in /private/var/db/) has been around since before iOS 16. We have previously used this directory to try and recover things like user notifications and even additional copies of iMessages/SMS. With iOS 16, the biome subdirectories became much more populated with additional folders and the proprietary format often referred to as “SEGB” files.
The SEGB file is a binary container that stores multiple records relating to the specific function being recorded. The best way to think about the files in the “biome” subdirectories is that they are part of a user experience built around suggestions the operating system can make to the user. How does it make these suggestions? It monitors what the user is doing so that it can recommend actions to the user, and that is what these files appear to be generated from. More information on the format of the SEGB files and how some of these records (including the nested records stored within them) are laid out can be found in the blog posts linked here.
Recovered Artifacts from iOS 16
With the release of AXIOM 6.11, we’re happy to say that we’ve restored many of the artifacts that seemingly disappeared in iOS 16 by parsing the biome subdirectory and its SEGB files. We’ve also noticed additional artifacts, and additional records for older artifacts, that weren’t available before, and we’ve added those in too!
You’ll find these artifacts under the APPLICATION USAGE category of our Artifacts explorer. Each name begins with “Biome” to signify the area of the operating system it came from. This allows examiners to keep each of these artifacts separate and better understand where they’re coming from.
A lot of these records will look familiar to their previous “KnowledgeC” counterpart such as Application Focus, Application Install States, Safari History, and Siri UI Execution. However, some of them actually added new artifact fragments during their migration. Let’s take a look at the Application Focus for example.
A new fragment now exists which we’re referring to as “Metadata.” This fragment allows us to see some additional information recorded by these embedded protobuf records which helps us to see that this particular application (Safari) was switched to from the “SpringBoard” homescreen (otherwise known as the device main UI).
New Artifacts From the Biome
In addition to restoring some of the previously missing artifacts, we’ve added new ones from the biome area too. One example is the Biome User Activity artifact, which can be seen below. This artifact records some of the user’s activity on the device and can show what they were doing while applications were in focus. The downside is that each record only stores a recorded time, meaning the time it was written to the SEGB file, which is not the exact timestamp of when the activity happened. To allow examiners to dive deeper into the activity, AXIOM includes a Metadata fragment that holds a payload which can be examined. In the two examples below you can actually see a recorded Google search, including the full URL, as well as a message with its text content. These are a great source of evidence when the record inside the main database has been deleted.
While a lot of the original activity-tracking artifacts were device specific, the biome subdirectory has a unique additional storage capability. Within the separate biome folders for each tracked function, there will be a “local” and a “remote” folder. The “local” folder stores the SEGB files from the local device while a “remote” folder will store SEGB files that have been synced from other iOS/macOS devices on the same AppleID.
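To keep that distinction straight during triage, here is an added example (not Magnet's or AXIOM's code) that inventories an extracted Biome directory by stream and by the “local”/“remote” folder each file sits in, so records synced from other devices on the same Apple ID are never attributed to the examined device. It assumes only the layout described above (stream folder containing “local” and “remote” subfolders); the stream names in the sample tree are constructed, not real iOS stream names.

```python
"""Inventory an extracted Biome directory by stream and by local/remote origin.

Added example, not Magnet's code. Assumes the layout described in the post:
<Biome root>/<stream>/local/*  and  <Biome root>/<stream>/remote/*,
and treats any regular file under those folders as a SEGB container.
"""
import os
import tempfile
from collections import defaultdict

ORIGINS = ("local", "remote")


def inventory_biome(root):
    """Return {stream_name: {"local": [paths], "remote": [paths]}}.

    Files under "remote" were synced from other iOS/macOS devices on the same
    Apple ID, so they must not be attributed to activity on this device.
    """
    streams = defaultdict(lambda: {o: [] for o in ORIGINS})
    for dirpath, _dirs, files in os.walk(root):
        origin = os.path.basename(dirpath)
        if origin not in ORIGINS:
            continue
        stream = os.path.relpath(os.path.dirname(dirpath), root)
        bucket = streams[stream][origin]  # record the stream even if empty
        for name in sorted(files):
            bucket.append(os.path.join(dirpath, name))
    return dict(streams)


def remote_only_streams(inv):
    """Streams holding synced records but nothing written by this device."""
    return sorted(s for s, o in inv.items() if o["remote"] and not o["local"])


def build_sample_tree():
    """Constructed sample layout with hypothetical stream names for a dry run."""
    root = tempfile.mkdtemp(prefix="biome_")
    layout = {
        "Example.AppFocus": {"local": ["segb_a", "segb_b"], "remote": ["segb_c"]},
        "Example.UserActivity": {"local": [], "remote": ["segb_d"]},
    }
    for stream, origins in layout.items():
        for origin, names in origins.items():
            folder = os.path.join(root, stream, origin)
            os.makedirs(folder)
            for name in names:
                open(os.path.join(folder, name), "wb").close()
    return root
```

Run `inventory_biome()` against the real Biome root of an extraction and review `remote_only_streams()` first, since every record there originated on another device.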
Overall, the biomes have been a great addition to an already robust set of activity tracking artifacts within iOS and macOS. While the SEGB containers can be a pain to parse out, including their nested storage records found within, they are completely worth the effort with all of this information available to us. Our developers here at Magnet aren’t done yet though with the biome subdirectories. We have even MORE artifacts coming over the next few releases which will bring even more context to your investigations and even better sources to recover potentially deleted information.
If you want to learn more about the SEGB files and how these individual records are structured, check out the March episode of Mobile Unpacked entitled “Missing Data? Build Back Better with Biomes!” You can head over to the link here to register.