Uncategorized

Checking in on iOS 16 in Magnet AXIOM 6.8

A few months back, I covered some changes that were discovered in iOS 16 and how you could manually parse and recover certain records. Since then, Magnet Forensics has been adding them to our own to-do lists to make that less of a manual chore for examiners. This post will cover how some of our existing artifacts have been upgraded to handle the new information added in iOS 16 as well as some new artifacts that we added based on other changes in the operating system.

However, before we jump into the artifact changes, I want to talk about an incredibly awesome feature that just landed in AXIOM 6.8 that we’ve been working on a while. This is our evidence source details area of our Case Dashboard. This feature allows you to take a high-level view of a device’s identifying information as well as the recovered artifacts relating to only that device in a simplified single pane.

This information can be found on the Case Dashboard in the navigation pane on the left, under CASE OVERVIEW and over the INSIGHTS area. Each device will appear here which examiners can click on to be taken to its own page.

Case Overview

The key part of this area for now is the evidence source details pane. This will grab device identifiers and high-level information for the examiner to have right at their fingertips as soon as they open their case. This case involves an iPhone, but this will also feature information for other devices such as Androids, Windows PCs, and macOS devices.

Evidence Source Details

This information may come from a pool of multiple artifacts so we wanted to make sure examiners could get back to those artifacts and see where the data was sourced. At the bottom of the pane, the blue hyperlinks will tie back to each artifact the information was pulled from. As long as the artifacts that generated that pane are included, the data will be included in a Portable Case so that other investigators can get that same quick look at the information.

Diving back into our artifacts, we’ll start by exploring the changes to the iOS iMessage/SMS/MMS artifacts. First up let’s look at those pesky “unsent” messages. The body of the message is still blank since the content does not seem to be fully recoverable from this database. However, we still wanted to call out when a message was “unsent” since we do have a value saved in the database for when this was triggered.

Unsent messages

When a message has been edited, you’ll find the original message and all of the subsequent edits will share the same Message GUID value. The original message will still have all of the same attributes as you would expect, but the edits will add some additional values.

Original message
After the message is edited
The edited messages will still have their sent date and time as reflected by the original message, but will also feature when that edit took place. Examiners can quickly sort by and find messages that were edits by filtering or sorting on the Status fragment within AXIOM.
 
Within the chat threading preview, these messages will be grouped together with their original counterpart. A value within the generated message bubble will also inform the reviewer that this is an edited message.
Chat threading preview

Finally, since iOS 16 changed deleting messages a little, AXIOM has that covered too. As a reminder, when a message is deleted now as of iOS 16 or higher, the message really isn’t deleted. Similar to Photos, it just gets tagged as “Recently Deleted” and stays available within the database for 30 days. AXIOM now pulls out this information and displays it with an additional fragment called “Recently Deleted Date/Time.”

Recently deleted date/time

Moving on from messages, let’s talk about Safari. Safari had a fairly significant change to how it stores tab data. We’ll have two separate databases to parse through between SafariTabs.db and BrowserState.db. While a tab is open, it seems to keep its data within the older BrowserState.db and when it’s closed, it migrates to the SafariTabs.db from our research. Since the data stored within SafariTabs.db was structured so similarly to BrowserState.db, both databases records live together within the Safari Suspended State Tabs artifact. Our developers have also extended carving support to both databases to try and recover as much web information as possible for examiners to review.

To close out, while doing some digging into iOS Reminders, it seems that Apple changed the databases used with iOS 16. For once, this change actually made it easier to recover the artifacts. The reminders also do not actually delete themselves when you check them off as complete, just disappear from the user’s view. This artifact grabs both the completed and non completed items from each list as well as the created, modified, and completion time stamps.

Artifact grabs

These are just some of the new features in AXIOM 6.8. There are several new artifact updates as well as features out there to see with this version with even more on the way!

Holo, transparent letter M

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top