
The importance of preservation for iOS devices
To say the mobile landscape evolves quickly is an understatement. With frequently updated operating systems and new security features to contend with, the window of opportunity for digital examiners to collect mobile data is constantly shrinking.
Longstanding device seizure processes and best practices simply aren’t enough to protect mobile extractions anymore. With the need to follow due process and tight time constraints on the availability of mobile data, forensics examiners need to leverage data preservation solutions to protect their ability to extract the critical mobile insights needed to close cases.
Changing iOS device states
The need for data preservation in mobile forensics first started gaining momentum at the end of last year when news broke about strange activity on iOS devices in police custody awaiting processing. This turned out to be a quietly introduced security feature that changed the device state—and available data—drastically.
Our own Chris Vance provided a comprehensive overview of the new challenge facing law enforcement with iOS devices in his article, Understanding the security impacts of iOS 18’s inactivity reboot. Chris’s blog outlined how Apple had added an inactivity reboot timer to its mobile operating system, tied to the device’s lock state. This new feature causes the device to reboot once it has been locked for a period of three days (72 hours), which changes the device state and the data available for extraction.
iOS evidence that expires
While automatic reboots greatly accelerated the urgency for preservation, the benefit of preservation also extends to mobile evidence that naturally expires over time. There is a wealth of critical data on iOS devices that is lost entirely if it isn’t preserved, or extracted, within a certain window of opportunity.
Apple’s iOS has built-in timelines to purge data that is no longer in use. While this is handy for the average iPhone user, it can have a considerable impact on forensics investigations. Without the preservation of mobile forensic data, key evidence like the categories below is lost:
Data Source | Expiration timeline |
---|---|
Cached locations | 7 days |
KnowledgeC | ~28 days |
SEGB \| BIOME | 30 days |
Recently deleted photos | 30 days |
Recently deleted iMessages | 30 days |
Safari history | 30 days |
For more information on the importance of these data sources, check out our blog 5 iOS forensics evidence sources to capture before they expire.
Or, to take an even deeper dive into how and when data can expire and explore how to maximize the amount of data retained and extracted, tune in to Chris Vance’s upcoming Mobile Unpacked // Discussing the Data Drop-Off.
A community consensus on preservation
The importance of mobile preservation is being recognized across the digital forensics community. Earlier this year, members of the Magnet Forensics team joined the group contributing to the Position on Timely Preservation via Digital Acquisition (25-F-001-1.0), published by the Scientific Working Group on Digital Evidence.
This position paper outlines the evolving challenges of capturing data from mobile devices, provides examples of evidence preservation from past legal proceedings, and closes on the necessity of preservation to ensure important evidence is not lost:
“Timely preservation of data on a digital device is crucial for forensic investigations because it ensures the integrity and completeness of the evidence. By safeguarding data, investigators maintain the reliability, admissibility, and evidentiary value of the information, ensuring a thorough and just investigative process.” Position on Timely Preservation via Digital Acquisition (25-F-001-1.0)
Preserving data with Magnet Graykey
With challenges continually mounting for collecting mobile data, our team works tirelessly to rapidly respond to mobile developments and help you get the most data possible. To address the challenges presented by the iOS reboot timer—as well as data that naturally expires over time—we were able to quickly launch new capabilities for preserving devices in the lab using Magnet Graykey, and even before devices reach the lab with a new solution called Graykey Preserve.
These new preservation capabilities give you the tools you need to preserve the data on iOS devices indefinitely in just minutes, while also maintaining the privacy of the data.
To learn more, check out our webinar Preserving your iOS extractions with Magnet Graykey and Graykey Preserve (Investigators corner credentials required), or get in touch with us.