Understanding iOS Time Stamps

Thanks to the wide availability of full file system images for iOS, there have been some great artifact discoveries. But what about the file system itself?

While looking at the iOS file system this week with some of my colleagues at Magnet Forensics (Brad de Vlugt, Jamie McQuaid [@reccetech], and Mike Williamson [@forensicmike1]), we discovered some unique things.

Comparison of Time Stamps in iOS, Windows FS, and APFS

When you SSH into a jailbroken iOS device and use the stat command, you will see four time stamps: Access, Modify, Change, and Birth. APFS has five (Birth, Date Added, Modify, Access, and Created). Many users are familiar with three time stamps from Windows FS (Modified, Accessed, and Created).

We looked at a GrayKey image in the .zip format. When GrayKey creates an image from an iOS device, it uses extended attributes to retain the time stamps. 

So how do these compare? We have observed that “Birth” is synonymous with created times. This is consistent with much of the HFS+ research by Lee Whitfield, presented at the 2017 SANS DFIR Summit and in this blog post.

Regarding Access time, we didn’t see it updated in our testing. However, we did note that there is a “noatime” setting in mount options that may account for us not seeing these updates. This is similar to the NTFSupdateaccesstime registry flag. It is possible that the access time stamp may be changed by an application, so results may vary.

Figure: SSH showing that several partitions of an iOS device are mounted with “noatime”.

Here are some of our observations regarding Modify and Change times for iOS. They are similar to the modification of an HFS+ file in Lee Whitfield’s research in this area. For example, we have determined that altering a file, e.g. by creating a note in Notes, will update both the “Change” time and the “Modify” time.

Figure: SSH view of time stamps of the WAL file for Notes before adding a note.

Figure: SSH view of time stamps of WAL file for Notes after adding a note in Notes showing an update to the Modify and Change time stamps.

It is important to note that editing pictures will not always produce the same changes, as iOS uses the Mutations folder for photos.

So, what are some other differences between Change and Modify times? Altering file permissions via SSH access updates only the Change time. Altering and accessing the file via SSH updates both the Modify and Change times.

Figure: SSH view of time stamps of WAL file for Notes after altering permissions via SSH showing an update to the Change time stamp only.
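The Change versus Modify behavior described above can be reproduced on any POSIX test machine. The following is an added example, not code from the original post or from Magnet Forensics; it runs against a scratch file rather than an iOS device, and the file name and the labels returned by `interpret` are constructed for illustration.

```python
import os
import tempfile
import time


def snapshot(path):
    """Return the four stat time stamps; Birth is None where the OS hides it."""
    st = os.stat(path)
    return {
        "Access": st.st_atime_ns,
        "Modify": st.st_mtime_ns,
        "Change": st.st_ctime_ns,
        "Birth": getattr(st, "st_birthtime", None),  # exposed on macOS/BSD
    }


def interpret(before, after):
    """Classify what happened between two snapshots from Modify and Change."""
    modify = before["Modify"] != after["Modify"]
    change = before["Change"] != after["Change"]
    if modify and change:
        return "content altered"
    if change:
        return "metadata only"
    return "modify only" if modify else "no change"


def run_experiment():
    """Repeat the permission change and the content edit on a scratch file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.sqlite-wal")  # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(path, 0o644)
        base = snapshot(path)
        time.sleep(1.1)  # some file systems store whole seconds only
        os.chmod(path, 0o600)  # permissions only
        after_chmod = snapshot(path)
        results["chmod"] = interpret(base, after_chmod)
        time.sleep(1.1)
        with open(path, "ab") as fh:  # content edit
            fh.write(b" plus an appended record")
        results["write"] = interpret(after_chmod, snapshot(path))
        results["birth_moved"] = base["Birth"] != snapshot(path)["Birth"]
    return results


if __name__ == "__main__":
    for step, outcome in run_experiment().items():
        print(step, "->", outcome)
```
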

I wanted to share this with you all so that you would understand the potential time stamps you may see when looking at iOS file systems and the value in looking at these four time stamps. We will be adding support for these additional fields over the next releases.

Let me know if you have questions by reaching out to me via email at jessica.hyde@magnetforensics.com.
