Join Us!

Download exactly 60...
 
Notifications
Clear all

Download exactly 60 minutes on iPhone?  

  RSS
mbousquet
(@mbousquet)
New Member

I'm working on a case where carrier records show a user's iPhone had activity at a particular date/time for exactly 60 minutes. The user claims he was not using the phone at that time, which is crucial to the case. While there could be many reasons why the phone was doing things without the user actually holding the phone in his hand (automatic app updates, downloading Season 4 of House of Cards, whatever), the "exactly 60 minutes" aspect has us wondering, what would take exactly 60 minutes? It seems like such an unlikely time increment.

I've Googled this to death, searched the Apple forums, and can't find anything definitive. There was no iOS update on the date in question. Any musings or info welcome.

Quote
Posted : 02/03/2020 4:43 am
athulin
(@athulin)
Community Legend

… the "exactly 60 minutes" aspect has us wondering, what would take exactly 60 minutes? It seems like such an unlikely time increment.

Is it exactly 60 minutes? I mean, really? 60 minutes, 0 seconds, 0 milliseconds, … ? Or is it just 60 minutes +- 5 minutes, because that's how often we sample activity and log? 'Exactly' must mean something – and just how exact it is may be a factor here. I'm assuming 'exact' is a correct term.

One possibility that comes to mind is some kind of time out. In that kind of setting, one hour would be a possible period of time, though on a mobile phone it seems to be far too long for any well-made software. However, such a timeout can happen at multiple levels with the phone provider (assuming IP-over-phone), with a WiFi service or software provider (assuming WiFi connection), Bluetooth or other forms of connections, as well as with iOS and any software that runs on that platform, particularly software made by people whose mistakes don't lead to serious consequences for them or their companies (i.e. amateur programmers). But it could just as be something unrelated, such as manual interference, deliberate or not, or bug behaviour, such as, say, a timer that that after one hour overflowed, and caused an exception or triggered some kind of process shutdown. An iOS software person would probably be needed to say if iOS software timers have or had buggy behaviour around one hour of activity.

(Added and timeouts can happen even at the remote end – I've seen FTP as well as HTTP download servers terminate downloads that went on for too long. Not timeouts in those cases, instead it was explicit 'max allowed time for connections')

In any case, a probability argument ('seems unlikely') needs to be backed up by statistics to be of any serious value. Anything can happen once. If you had logs that the same phone exhibited similar behaviour on … say, more than three occasions, you would be on somewhat better ground. As it is, speculation seems to be all that is possible.

ReplyQuote
Posted : 02/03/2020 6:58 am
badgerau
(@badgerau)
Member

Scenario The phone was tethered and the device that was connecting through the phone had a time out set. e.g VPN set to disconnect after 60 minutes. If this devices was a Windows 10 computer and it was downloading one of the latest updates this could explain the amount of data.

Timeline analysis may show changes/updates to data on the phone. If none of the data on the phone has been changed during the specified time period, this may confirm that all the data was indeed tethered to another device.

Scenario 2 confirm if the phone was in WIFI mode at the time and if the phone downloaded the latest IOS update.

ReplyQuote
Posted : 02/03/2020 9:46 pm
mcman
(@mcman)
Active Member

A lot of the iOS native logs only store data by the hour (see many of the knowledgeC, powerlog, etc..) or certain activity within that hour timeframe so I would take a real close look at the specific timestamp that you're analyzing and see if that's the case. Sarah Edwards did a great presentation detailing the difference in granularity and accuracy of many of these timestamps. I would take a look at that as well. A good indicator is if all the logs are on the hour every hour or something like that as well.

Hope that helps.

Jamie

ReplyQuote
Posted : 02/03/2020 10:00 pm
badgerau
(@badgerau)
Member

Scenario The phone was tethered and the device that was connecting through the phone had a time out set. e.g VPN set to disconnect after 60 minutes. If this devices was a Windows 10 computer and it was downloading one of the latest updates this could explain the amount of data.

Timeline analysis may show changes/updates to data on the phone. If none of the data on the phone has been changed during the specified time period, this may confirm that all the data was indeed tethered to another device.

Scenario 2 confirm if the phone was in WIFI mode at the time and if the phone downloaded the latest IOS update.

To further clarify my comments regarding the IOS updates. Depending on the users settings, the phone could download the latest updates but not install them.

ReplyQuote
Posted : 02/03/2020 10:22 pm
mbousquet
(@mbousquet)
New Member

Thanks for all the info. I was surprised I got so much info! Thanks for taking the time to give some insights.

Unfortunately, the phone itself is not available for analysis. Something I should have mentioned at the start is that the amount of data transferred during the 60 minutes was less than 10KB uploaded and downloaded during that time. Yep, KB, not MB or GB. This leads me to look at things like push notifications or some kind of auto update. The timeout theory also holds in this case.

Based on your answers, I am doing some tests on a similar phone to see what goes on with data usage when no one is using the phone and there's no WiFi (in the situation in question, there wouldn't have been WiFi access). I've downloaded a couple of apps that track usage by day or hour, so I should be able to see if I can get some comparable results in my sleep, so to speak.

I will check out Sarah Edwards' work, too. She always has some good insights.

In this case we don't need to prove anything, just need to offer a reasonable explanation for why the phone was busy when the user wasn't using it. In this regard, the tiny amounts of data transfer might be more key than the unlikely time increment.

ReplyQuote
Posted : 03/03/2020 7:05 am
Rich2005
(@rich2005)
Active Member

Bearing in mind that's such a tiny amount of data it makes me question what you mean by
"carrier records show a user's iPhone had activity at a particular date/time for exactly 60 minutes"

What exactly are these records of, what exactly are they indicating/stating, what's their resolution?

Is it simply the case that it's an indication of a window of 1 hour where 10kb of data was transferred at some point, or points, during that entire window, rather than for 60 minutes? (as I think Jamie was suggesting)

Or is it a lot more granular?

ReplyQuote
Posted : 03/03/2020 4:03 pm
mbousquet
(@mbousquet)
New Member

The report gives a date/time stamp down to the second, "elapsed time" in minutesseconds, amount of data uploaded/downloaded, and whether there was a "recipient" number (as with text messages). In the line item in question, it was 6000, under 10 KB uploaded and downloaded, no recipient. Some of the timestamps do follow an hourly pattern, so thanks for making me look!

There are also entries that show 000 time and a small amount of data transferred, and others that show several minutes with 0 KB transferred, all with no recipient.

Unfortunately, it's not so easy to ask "What does this mean?" All the carrier knows is what their database recorded. I believe the developers of the apps would have more information than the carrier regarding what's really going on, but trying to get that information from a developer… don't get me started!

But based on this report, it looks to me like there is sometimes an open connection for several minutes at a time, during which data is transferred part of the time. Kind of like calling someone and neither of you speak for several minutes, but you stay on the line, and once in a while one of you blurts out a word or sentence.

Perhaps some kind of polling activity is going on, or auto updates, or checking whether there need to be updates, or keeping the line open while the update does some things on the phone itself.

I did some tests last night and there was similar activity around 3am, 4am, and 5am, a few KB back and forth while I was sleeping. Calendar, email, and a few other services. The app tells me the time window down to the hour range, and the amount of KB transferred, but not the exact start/end time for the transfer, but I'm going to keep looking for an app that will. And even if I do find out the transfer start/end times, it's possible that while the carrier records an "open line", the phone only records actual data transfer times.

In any case, I'm having a good time pecking away at this conundrum. And I have enough comparative evidence from my own phone to satisfy my client that "data transfer activity in the middle of the night does not necessarily indicate that the phone was being manually used."

ReplyQuote
Posted : 03/03/2020 6:34 pm
Share: