In April 2015 Apple released iOS 8.3, and this version of iOS brought a few noteworthy changes for forensic examiners.
App Data Containers
The most important iOS 8.3 change in terms of potential impact on investigations is the discontinuation of access to app data containers. This change, which Apple presumably made to increase security, means that the user’s app data cannot be directly accessed or acquired by forensics tools. User preferences, documents, and other primary data will still be acquired by an iTunes backup, but certain transitory data and caches, including web content and media, is not included in backups and thus is no longer available for examination.
Examiners copying an iOS 8.2 or earlier pairing certificate over to an analysis workstation will be unable to use that pairing certificate for accessing the device if it has since been updated to iOS 8.3. After a device is updated to iOS 8.3, the next time it is connected to a computer with iTunes the user is prompted to trust the machine, even if the system already contains a pairing certificate for that device that was created when it was running iOS 8.2 or earlier.
iOS 8.3 also includes updates to syncing of the iCloud Photo Library to improve compatibility with the Photos app for OS X. The Photos app was released as part of OS X Yosemite 10.10.3, where it replaced the older iPhoto and Aperture apps.
For examiners, the main point to remember is that Photos uses iCloud to push pictures between devices and machines, and a copy of the original picture is kept in the cloud. Each device and machine has a user-selectable option to either keep the originals on the device or to optimize the local library. If set to Download and Keep Originals, a full-size copy of all images is stored locally. If set to Optimize, the local library retains full-size copies of recently taken and recently accessed images, and stores reduced-sized copies of the remaining images. The algorithm used to determine which photos should be optimized is not readily apparent, and it will likely change over time as Apple fine-tunes this feature. Currently, the full-size pictures and videos are found in the /mobile/Media/PhotoData/CPLAssets folder. Optimized versions are stored in /mobile/Media/PhotoData/Metadata/PhotoData/CPLAssets. Pictures, videos and screenshots taken by the device (i.e., Camera Roll) are still stored in /mobile/Media/DCIM/ and this folder may contain unique media files that are not in the CPLAssets folders.
With the new iCloud Photo Library, users can create albums and invite other users to view photos and videos contained in their albums via sharing. Shared albums are stored in /mobile/Media/PhotoData/MetaData/PhotoCloudSharingData. Shared albums that have been accepted by a recipient are logged in the /mobile/Media/PhotoData/PhotoBulletins.plist file. This .plist file contains the date and time that the invitation to share the album was accepted, the name of the album, and the name of the recipient who accepted the invitation.
Whether or not the above iOS changes have a meaningful effect on the outcome of an investigation will vary from case to case, but it is important that examiners be made aware of such developments. Of course, this brief synopsis of iOS 8.3 changes is not meant to be an exhaustive survey of the subject. There is always much, much more to learn and stay abreast of in the world of digital forensics, and BlackBag's experienced, top-notch instructors are here to help. If you're interested in learning more, check out BlackBag's training page here to see our upcoming classes, or contact our training team for more information.