Julia O’Shea: Good morning, good afternoon, good evening, everyone. Thanks for joining our webinar today: What You Need To Know Now About macOS 13 and iOS 16. I’m Julie O’Shea, and I’m the Product Marketing Manager here at Cellebrite Enterprise Solutions.
Before we get started, there are a few notes that I’d like to review. We are going to record this webinar today and we’ll share an on-demand version after the webinar is complete.
If you have any questions, please submit them in the questions window and we will answer them in our Q&A throughout the webinar. And at the end of the webinar, if we don’t get to your question, we will be following up with you after.
Now, I’d like to introduce our speaker today, Dr. Joe Sylve. Joe is the Head of Computer Forensic Research at Cellebrite and an Adjunct Professor of Computer Science at both the University of New Orleans and Louisiana State University.
His interests are in memory analysis, reverse engineering, digital forensics, computer security, incident response, and operating system internals. He is the author of several open source digital forensic tools, such as Line Forensics, which was the first tool that allows full physical memory acquisition from Android devices.
He is also a GIAC-certified forensic analyst and received his Ph.D in 2017 from the University of New Orleans. He has published several peer-reviewed publications on digital forensics. Thanks for joining us today, Joe. If you are ready, I’ll hand it over to you now so you can take it away.
Joe: Thanks, Julie. Another year, another set of operating system releases from Apple. iOS 16 released last month in September, which supports all devices starting with the A11 Bionic or newer, which is the iPhone 8 and the iPhone 8 Plus and of course all of Apple’s hardware that has come out since then.
There are multiple variants of iOS operating system. There’s the tvOS and the watchOS, which were released in September. And earlier this week, Apple released the iPadOS.
There are several new forensic relevant artifacts that we’re going to talk about. Earlier this week, Apple also released macOS 13 Ventura on October 24th. This supports all of Apple’s Silicon devices as well as its Intel line of Macs that have Kaby Lake processors or later. So basically most Macs released in 2017 or later will support updating to Ventura.
Apple seems to be unifying its operating systems. It’s got different variants for different platforms with different UIs. However the Kernel seems to be coming more and more unified, as well as the first-party applications.
So, macOS Ventura actually shares many of the new artifacts on iOS 16. However, when we’re talking today, please keep in mind that both of these operating systems, especially macOS, are brand new, so we’re only just scratching the surface on what there is to find.
First section, we’re going to talk about acquisition. Many of you may be asking, once we start seeing these devices, obviously they don’t happen overnight, will trickle in over time and you’re going to see more and more over time. Will these new OS updates affect my current processes, especially when it comes to what data that I can have access to on the system?
iOS acquisition has always been a tricky subject. There’s no one answer to what you can get and how much you can get. It really depends on the combination of the hardware, how old the device is, and which version of iOS is running on them.
Early indications for iOS 16 states that your backup-based acquisition, so this is any tool that uses Apple’s built-in backup functionality, or if you were just to trigger an iTunes backup through a normal backup mode and then ingest that in your tools, our early indications mean that that seems to work just fine. You get all the same data that you would normally get.
Of course, Apple is syncing more and more to the Cloud. So all of your tools that can do iCloud-based acquisitions where you’re pulling users backups from the cloud itself without even necessarily needing the device, that also seems to work.
Historically, Apple search warrant returns have given a bit more information than are even available via the iCloud-based backups. We suspect that this process is still going to work fine on iOS 16. However, since it’s only been out so long, we haven’t actually seen any of these returns recently. We do not envision that there are going to be any issues.
Where we do run into problems are the advanced kind of acquisition modes that give you full file system access on some devices like CheckM8. If your device currently supports CheckM8 on iOS 15, or if that device is updated to iOS 16, for now, it does not work.
However, our research seems to indicate that it should be able to work in the future; we’re just going to have to wait for some updates to the tools.
Key takeaways: Your current tools and processes should mostly still suffice for your iOS devices, especially for just the basic, logical backup-based and iCloud acquisitions. However, the more advanced techniques such as CheckM8, you’re going to need to wait a little bit for updates.
Hopefully those updates come out before you start seeing these on a regular basis. The effectiveness of advanced techniques as always, is going to vary depending on specific hardware and software combinations.
If you ever have a question about what options are available to you for a specific device that you have in question, always feel free to reach out To Cellebrite.
On the macOS side, we always have two different options for acquisition. Cellebrite’s tool, Digital Collector, has two modes of operation. We have what we call the ‘live’ mode, in which you haven’t already booted system, and you plug in a dongle and you run the application normally.
We also have a boot environment in which you plug in the dongle, you reboot the system, and you boot into a more controlled environment. With macOS 13, not all of these options are going to be available to you immediately without updates to Digital Collector.
Digital Collector Live seems to work fine. Both Intel Macs as well as Apple Silicon Macs promote logical acquisition, which just means a file-based acquisition, as well as decrypted physical acquisition.
With one caveat: In order to get a full decrypted physical acquisition from a live-booted system, you first actually need to reboot that system, log into the recovery console and disable system integrity protection. And this has been true from macOS 12 and remains true from macOS 13. Prior to macOS 12, you did not have to do this with the latest versions of Digital Collector.
This works both on Intel Macs and all M1, M2 Macs. However, the boot environment, we have a difference between the Intel Macs and the Apple Silicon Macs.
Currently, it appears that booting into Digital Collector boot environment on Intel Macs works completely fine. You can do all those same functionality that you could do on macOS 12 and below, but changes in the operating system have currently broken Digital Collector’s boot environment when Apple Silicon devices are updated to macOS 13.
So in general, if you only need logical acquisition, you can do this live, or on Intel Macs you can do it in the boot environment. If you’re going to need physical acquisition, on Intel, we recommend booting into the boot environment because that still works.
However, on M1 Macs, your options are going to be limited to disabling system integrity protection and doing a decrypted physical application in the regular live operating system. We do not envision that there will be any problems getting M1s back up to date for the boot environment, however, it is going to take a little bit of time and an update to Digital Collector.
So key takeaways: Live logical acquisitions work on all of your systems regardless of the operating system version, regardless of whether it’s an Intel Mac or an M1 Apple Silicon Mac. Live decrypted physical acquisitions always require disabling system integrity protection.
And you should expect, because what we do when we’re decrypting the drive when the system is actually running, is we actually have to freeze rights to that drive. Freezing rights to that drive will cause the operating system to lock up while acquisition is happening.
So the system is going to appear to freeze. It may appear to freeze for quite some time. Once acquisition is finished, the system should come back to life. So if you see this sort of behavior and you’re not used to doing live physical decrypting applications, just know that that is expected behavior.
You should also look forward to future Digital Collector updates to bring back the dongle booting support on all systems.
Security is always a balance between how secure your data is and how usable your device is. Of course, the most secure device is the device that is powered off and buried in a vault somewhere where it has no access, but it’s not a very usable device.
With macOS 13 and iOS 16, Apple has really given you the option to tune those dials. You can opt for a very high-security environment with very low usability by enabling a new mode that they call ‘lockdown mode’.
Apple itself defines this as an extreme measure that is only useful for a very small subset of people. With this lockdown mode, it goes as far as disabling USB deports on iOS devices. Disabling USB deports really does limit your options for acquisition.
However, we suspect because this mode is so restrictive that there will be fewer users enabling this mode. It doesn’t really make a lot of sense to have a very expensive device that you’re essentially turning into a feature phone because you’re disabling a lot of the bells and whistles.
Lockdown mode is also available on macOS 13, however, early indications seem to suggest that even with lockdown mode enabled, it really does not affect our acquisition.
So key takeaways here: If you do come across a device with lockdown mode enabled, you’re going to have to try to find some way to disable it, usually using the user’s credentials. This may prevent acquisitions on iOS 16, but it’s going to be at the expense of usability.
It’s possible that there may be methods in the future that can be developed to do acquisitions even with this lockdown mode enabled, but currently research on that is still ongoing.
On the macOS 13 side of the house, acquisitions do not seem to be affected at all if lockdown mode is enabled. Before we go on, are there any questions about acquisition?
Julie: No questions on acquisitions yet. You must just be very clear and explaining everything really well. So let’s keep going.
Joe: Of course, both macOS and iOS have a bunch of new features and with new features comes new artifacts. So we’re going to talk a little bit about how will these new operating system and application features affect your impact, your investigation, what’s available to you now, and what may become available to you in the future with updates to your tools.
The first feature we’re going to discuss is photos. Apple and both the photos application in iOS and Mac OS has always allowed a user to hide some of their pictures into a hidden album. This also applies for photos that they have just recently deleted.
Initially, when you delete a photo on these applications, they just essentially move to another hidden album for recently deleted photos and they stick around on a device for approximately 30 days or until the user goes into that album and explicitly deletes it a second time. This is the same on iOS and macOS 13.
However, Apple has added the ability to “lock” these albums, the hidden and recently deleted albums with the user’s credentials. So, while previously all a user needed to do was click on a certain thing in the UI to reveal these photos.
Now to reveal them, they need to have their credentials. Fortunately, from our perspective, nothing really changes. There’s no extra layer of encryption on these photos. It’s just simply a flag and the database that says whether the album is deleted or the album is hidden.
You will not need any extra credentials to access these things. They still decrypt it on disc and it essentially works as it normally does.
So key takeaways: While we hear anything being locked sounds a little bit scary from a forensics perspective, this is really just a UI-only privacy feature.
It affects users more than it affects us as investigators. You’re still going to be able to recover these images as normal and the photos are going to remain unencrypted and accessible on the device, you’re going to have the same level of access as an iOS 15 or a macOS 12 device. They’re simply just marked as hidden or deleted in the database.
The next feature that we have here that seems a little bit scary is, Apple has added the ability to edit or unsend messages on their iMessage application on both macOS and iOS 16.
Apple does say that you can edit your messages and unsend recent messages altogether, however, it does give you a few caveats. Users are able to edit a message five times within 15 minutes, and then they’re unable to edit messages anymore.
These edits are not secret. Both the user has a full history of all of their edits; by just clicking on the message itself, you can see all of the variants of that message, and the recipients themselves can also see these records.
If the recipient has not updated their iMessage to the latest version, they will actually get separate messages that basically say “Joe edited this message to X”. If they do update it, everything will be in line. However, they can click on the message and see the full history.
From our perspective, we have a full record of the edits as well in the database. Obviously to facilitate that functionality that the users can see the history of the edits, we still also have that access to those messages for the entirety of their lifetime.
The unsend functionality is a little bit more complicated. Apple allows you to unsend messages for up to two minutes after you send them. It attempts to recall those messages from the receivers.
If the receiver on the other end has updated to the latest version of iMessage, then those messages actually will be wiped from the database on the receiving device. They’re also wiped from the database on the sending device.
And when I say wiped, I don’t mean that they’re gone entirely. We still have the metadata information about who the message was sent from and what it was sent to, but the contents of that message are erased from the database.
Now, if the user has not updated to a later version of iOS or macOS, these messages cannot be recalled and the user doesn’t even get an indication that these messages were attempted to be recovered.
In addition, while they are wiped from the SMS database on the end of the receiver’s system, there may still be evidence of these messages in other databases such as the notifications database. When you receive a message, that often pops up in the notifications view, and you get all or some of the message in that notifications database.
These types of artifacts that are just sort of side effects of messages being sent do not get overwritten when a user recalls a message.
So, key takeaways here: A complete history of edits is going to be available on both the sender’s and the receiver’s devices. However, you’re probably going to need to wait for your current tools to be updated to support this functionality to give you easy access to that information, you can certainly just look into the SQLite database and see them manually in the meantime.
Unsent messages aren’t going to be directly recoverable from this database from the sender’s perspective, but may be found elsewhere on the receiver’s devices.
Especially if the receiver has not updated to the latest version of iMessage or the latest version of the operating systems, the unsent messages are certainly going to still be there. Messages cannot be recalled from users who haven’t updated to the latest versions.
For encryption. Historically, Apple has supported locking notes in previous versions of both iOS 16 and macOS, and each of these notes needed to be provided by the user, a specific password to lock a specific note.
The encryption keys from those notes are based off of that note-specific password. For usability reasons, starting with iOS and macOS13, Apple is encouraging users to lock their notes using the credentials on their device themselves. And these credentials are synced on their iCloud keychain.
So while these notes will still be encrypted, they’ll be encrypted with credentials that you are more likely to have access to, right? Every specific note still has the option of being encrypted with its own password, but we think that most users are going to start using this functionality that allows them to more easily remember their password because it’s the same password as they have on their device.
In addition to this, because the passwords are synced and the keys are stored in their iCloud keychain, we believe that if you have access to one of the user’s devices and one of their credentials, you should be able to recover all of the notes that are encrypted with this method from any of their devices using the credentials from that one specific device.
Now, your tools, of course, are going to need to be updated to support this functionality. Immediately, you’re not going to be able to have access to this new form of encrypted notes, but with updates, we do not envision any problems to being able to recover in this notes.
And we are hopeful that we’re going to actually be able to recover even more data just because we’re not going to have to need to have knowledge of multiple different passwords for all of the individual notes that are locked on the devices.
So, key takeaways: Your current tools will definitely need to be updated to support recovering this new wave of encrypted notes. But since these notes aren’t encrypted with individual passwords any longer, we will likely be able to decrypt more of them with only the user’s credentials.
These notes are synced across devices, and it may be possible to decrypt all of them with a single device’s credentials, but of course, research is still ongoing in these efforts.
Apple has also added some additional functionality to its Mail application. They quote that they’re easily able to unsend an email that you just sent in a very short window of time, you’re able to schedule messages to be sent whenever you like, and you can also get reminders to follow up or come back to a message later.
They’ve built all of this functionality basically into the Mail application itself. So it’s not really changing anything server-side. Your ability to recall or unsend an email isn’t actually unsending an email. Once an email goes out, there’s no recalling that email, for the most part. It just delays sending that email. It’ll sit around in your outbox for a short period of time and a user has the option of undoing the send.
Now this seems to be a very short period of time; 30 seconds or so. So they’re not going to actually stick around for that long before the user unsends them.
As far as the scheduled messages go, these messages are just basically put into a different mailbox folder. There’s a ‘sent later’ mailbox folder.
So when you send those messages, they’ll go from the drafts mailbox when the user is actively typing in the message, to the sent later mailbox up until a point where you reach the scheduled time. And at that scheduled time, the mail will be sent and that mail will be of course moved to the sent messages mailbox.
All of this new information about when messages are scheduled to be sent is available in the database. Your tools will need to be updated for you to easily grasp that information.
However, due to this feature where essentially the mails are just moving around from one mailbox to another, they’ll be moving around on their device from one mailbox folder to another. So you’ll still be able to take advantage today in your tools of that information using a little bit of intuition with artifacts that track files that are moving on the file system.
Their key aspect to this might be the FS events folder. If the FS events artifacts, if you look at these, you should be able to see a given mail. If a user has unsent it, you should see it going from the drafts mailbox folder to the outbox mail folder.
And then if they unsend it, that mail will not have moved, it will simply be deleted from the outbox mail folder. Now, if they schedule a mail, you’ll see it go from the drafts folder to the sent messages folder, and then at some point it’ll go from the sent later folder to the sent messages folder.
So while we will be able to take advantage of these new features, they’re just actually a little bit of extra metadata in the database that you can look at yourself. Your tools will need to be updated to be able to see this in the UI, but you can still use some other artifacts to figure out what’s going on in the interim.
This information may be relevant to you for some of your cases. For example, if a user is trying to establish an alibi based off of, “Oh, I was absolutely here at work because I was sending messages.” Well, now you have a little bit more information saying, “Hey, actually that message was scheduled to be sent and you and you drafted it much earlier.”
Your tools are going to need to be updated to support parsing this new extra information, but you’re likely still able today to get actionable information by analyzing the FS events.
Now for a bit of unfortunate news. Apple is phasing out some of your favorite artifacts. The KnowledgeC database has historically been a wealth of information about what has been coined ‘pattern of life’ artifacts.
If you’re familiar with some of the research that was put out by Sarah Edwards and others in the recent years, as well as tools like APOLLO, that give you a lot of information about what a user was doing and when they were doing it, device was turned on, device was turned off, microphone turned on, microphone turned off, et cetera.
These sorts of pattern of life artifacts that give you information about what a specific user was doing at a specific time, most of those artifacts came out of a SQLite database called KnowledgeC.
While this information is still being tracked, Apple is actively moving this stuff out of the KnowledgeC artifact into a new set of artifacts called Biome. Biome seems to be their new proprietary database format where they’re using to track this sort of information about telemetry, about what a user is doing.
Early indications indicate that all of the same sort of information that was stored in a KnowledgeC database is now being stored in this Biome database. and there is even additional information being stored at a higher granularity.
However, Biome is a new artifact that is still under active research. It’s not a simple SQLite database, it’s not a matter of just adjusting some queries. We’re actually going to have to reverse-engineer this proprietary format and be able to present you with the information that’s stored in it.
So, of course, to be able to take advantage of the sort of pattern of life artifacts on iOS 16 and macOS13 devices, your tools are going to need to be updated to support bio.
We could do an entire webinar on Biome, and a lot of this information is still very early. If you’re interested at all, you should really look at a series of blog posts by Chris Vance on his blog at d204n6.com. Chris has put together a five-part series so far about Biome, what’s in it, information about the structure, and it’s well worth a read.
Key takeaways: Your tools are going to need to be updated to take advantage of new ways of storing these pattern of life artifacts. Tools like APOLLO and that integration and Inspector and your other tools, they’re not going to be able to report new information.
Information on the device, if the device has been updated, the old information may still be there, but new behavior is going to be stored in this new Biome artifact that your tools are going to need to be updated to support. This artifact is likely in the future going to be a very key component to your future investigations in the same way as the KnowledgeC database has been today.
So, what are our conclusions overall? As iOS 16 and macOS 13 roll out, most of your existing tools and processes are going to work as expected today with the tools that you have today, with a few notable exceptions, especially the KnowledgeC database.
Cellebrite as always, is continuing to work diligently to provide updates across all of our offerings to support these new iOS and macOS features. And each update you see is going to support more and more over time. We’ve only just scratched the surface, we’re in the early days.
Stay tuned for exciting new research and capabilities that will help advance all of our shared missions. Now, I see that there have been some questions coming in, some about acquisitions, some about analysis. I’m happy to take them now.
Julie: Great. Thanks, Joe. Okay, we have had some questions, so let’s get started on those. How about, are there any issues with the USB ports on macOS in lockdown mode?
Joe: No. Our early research seemed to say that lockdown mode on macOS is far less restrictive than it is on iOS. Primarily, the major security feature of lockdown mode on macOS seems to be browser-based. The idea is they want to try to limit the attack surface that malware has to take advantage of bugs in your programs.
So the user, while they have a less of an attack surface, their experience with the web applications will be much much more limited, may have limited functionality and they’re certainly going to have performance issues, but it does not disable the USB ports.
I assume Apple figures a lot of people use USB-based peripherals still, and disabling that, especially on a computer which has many ports that are often more used than the one port on your phone, would be too restrictive.
So just these ports are not disabled even when lockdown mode is enabled on the Mac. Currently, we do not see any differences with doing acquisition on a Mac in any of the methods that we have, even when lockdown mode is enabled.
Julie: And does disabling of lockdown mode on iOS erase any data acquired on the device while lockdown mode was enabled?
Joe: That is a good question. I do not know the answer to this question off the top of my head, but we will absolutely reach back with you for answers.
Julie: Perfect, okay. And another question here, just to confirm, the live collector physical acquisition includes Silicon 2, correct?
Joe: Yes. Our live capabilities as of the last version or maybe the last two versions of Digital Collector works the same way on Apple Silicon devices as it does on Intel devices with the same restrictions, right?
So with macOS 11 and prior, you’re able to do that live physical acquisition without having to disable system integrity protection. With macOS 12 and later you need to disable sip for physical acquisition. In all cases, you don’t need to disable any of the security features for logical acquisition.
Julie: Thank you for that. How about this question: Is there any change to recovery or retention of deleted SMS, MMS, or iMessages?
Joe: We mentioned a few changes. Deleted messages themselves are actually not deleted. There are no changes in that aspect. Apple just marks a flag in the database basically saying, “Hide this.” So you should still be able to recover all these deleted messages. They’re not being wiped.
What is being wiped is the unsent messages. So when there’s that small window of time for a user to unsend their iMessages, then they will be wiped from the sender database. At least the content will be wiped. The metadata still exists in there.
Now, if the user is using SMS and not iMessage because they’re talking to someone on a, you know, an Android device or whatever, this functionality of recalling messages doesn’t exist in those capabilities and the SMS seems to work the same as it does today.
Julie: Thanks for clarifying that. And let’s move on to this question: For the edit and unsend messages, is the metadata going to show that the message was edited multiple times or just once? Is that a thing?
Joe: Yes, the metadata actually gives a full history of edit. So you’ll see that if it was edited more than one time, and I think you get up the five edits, you will see that it was edited and what the contents were edited and when it was edited.
Of course, right now you have to dig manually into the database and wait for updates for your tools to kind of display that information to you in a more usable way, but that information is available to us and is available both on the sender’s devices and the receiver’s devices.
Julie: And where is the notification database located? Is this the ‘recents’ library?
Joe: The notifications database is unfortunately now in some of this Biome information, so we’re going to have to wait until we update our artifacts to be able to take advantage of them.
Julie: Got it, okay. And let’s see here, how about this question? Can we still perform advanced Logical using UFED Touch for iPhones running iOS 16?
Joe: That is a good question and I do not have the answer to that off-hand. We’ll have to get back to you. And again, I think it’s going to really depend on that combination between what physical devices you’re using and what version of it is.
If the advanced logical technique for that specific device was using CheckM8, I do know that that currently does not work on devices that have been updated for iOS 16. However, our researchers have told me that they don’t envision it being a problem. It’s just a matter of updating the tools and getting everything working with that new exploit.
Julie: Great, thanks Joe. And how about, is there anything that’s going to affect target disc mode collections?
Joe: Target disc mode only exists on Intel Macs and it seems to work exactly the same way on macOS 16 as it has previously. However, remember, target disc mode has gone away for Apple Silicon devices.
Julie: Got it. Thanks for clarifying that. Well, we’ve had a few more questions come in that we are not going to get to throughout the presentation today, but we will reach out to you individually after the webinar to answer those.
And thank you, Joe. That was a great presentation going over what we know so far about Apple’s latest releases. Hopefully I can convince you to do a follow up webinar for everyone once we know a little bit more.
And as a reminder, this will be sent to you on demand after the webinar to view, as well. If you have any other questions or you would like to learn a little bit more how you can get started with any of our solutions, please reach out to us via the ‘contact us’ button on your console, or feel free to email us at email@example.com.
You’ll see a prompt soon asking for some feedback on what topics you’d like to see going forward. If you have a minute, please fill out what you’d like to see to help us decide a future webinar. Thanks for a great conversation today, Joe, and thanks everyone for joining us. I hope everyone has a great rest of your day.