As digital forensics experts, we constantly find ourselves in a technological arms race. On one side, we have device manufacturers and software developers continuously enhancing privacy and security features. On the other, we have the need to access and analyze digital evidence for legitimate investigative purposes. The upcoming release of iOS 18 marks another significant milestone in this ongoing battle, introducing a suite of privacy features that will undoubtedly reshape the landscape of digital forensics and incident response (DFIR).


In this article, we’ll dive deep into the new features of iOS 18, explore their implications for DFIR professionals, and discuss potential strategies and tools to navigate these challenges. It’s important to note that as of the time of writing, iOS 18 is still in beta, and some features may change before the final release. However, the trends we’re seeing give us a clear indication of the direction Apple is taking with user privacy.

Locked and Hidden apps: a new digital vault

One of the most significant changes in iOS 18 is the introduction of locked and hidden apps. This feature allows users to secure any app on their device behind Face ID, Touch ID, or a passcode, even when the iPhone itself is unlocked. Additionally, users can now hide apps from the home screen, placing them in a hidden folder that also requires authentication to access.

DFIR Implications

This new feature presents a considerable challenge for digital forensics experts. Previously, once a device was unlocked, investigators had relatively unrestricted access to all installed apps and their data. With iOS 18, we’re facing a scenario where critical evidence could be locked away behind additional authentication barriers.

Challenges:

  • Difficulty in identifying hidden apps
  • Additional authentication requirements for accessing locked apps
  • Potential for users to claim plausible deniability about the existence of certain apps

Potential Solutions:

  1. Advanced extraction techniques: Tools like Cellebrite UFED or Magnet AXIOM may need to be updated to bypass or crack these additional security layers.

  2. Legal avenues: In some cases, investigators may need to obtain additional warrants or court orders specifically for accessing locked or hidden apps.

  3. Behavioral analysis: Focus on analyzing device logs, network traffic, and other metadata that might indicate the presence and usage of hidden apps.

  4. Social engineering: In cases where it’s legally permissible, interviewing techniques might be employed to obtain authentication information from the device owner.

Improved contacts permission

iOS 18 introduces granular control over contact sharing, allowing users to selectively share contacts with apps instead of granting access to their entire contact list. This feature enhances user privacy but creates new challenges for digital forensics.

DFIR Implications

The selective sharing of contacts means that investigators may only get a partial view of a user’s interactions when examining app data. This fragmented data landscape can make it more difficult to piece together comprehensive communication patterns.

Challenges:

  • Incomplete contact lists within apps
  • Difficulty in establishing comprehensive communication networks
  • Potential for missing key connections in investigations

Potential Solutions:

  1. Cross-referencing data: Utilize tools like Oxygen Forensic Detective to cross-reference data from multiple sources, including call logs, messaging apps, and email clients.

  2. Timeline analysis: Focus on creating comprehensive timelines using tools like Autopsy to identify patterns and connections that might not be immediately apparent from contact lists alone.

  3. Network analysis: Employ tools like IBM i2 Analyst’s Notebook to visualize and analyze communication patterns based on available data, even if contact information is incomplete.

  4. Metadata analysis: Pay closer attention to metadata from communications, which might reveal information about contacts even if they’re not explicitly shared with an app.

The new passwords app

iOS 18 introduces a dedicated Passwords app that centralizes the storage of iCloud Keychain logins, passwords, passkeys, Wi-Fi passwords, and verification codes. This consolidation of sensitive information presents both opportunities and challenges for digital forensics experts.

DFIR Implications

The Passwords app could be a goldmine of information for investigators, providing access to a user’s digital life across multiple platforms and services. However, it is also likely to be one of the most strongly protected features on the device.

Challenges:

  • High-security measures protecting the Passwords app
  • Potential encryption of stored passwords and keys
  • Legal and ethical considerations in accessing this highly sensitive data

Potential Solutions:

  1. Specialized extraction tools: Look for updates to tools like Elcomsoft iOS Forensic Toolkit [https://www.elcomsoft.com/eift.html] that might provide methods for accessing the Passwords app data.

  2. Cloud-based extraction: If iCloud backups are available and accessible, tools like Magnet AXIOM Cloud might be able to extract password data synced to iCloud.

  3. Memory analysis: In some cases, it might be possible to extract passwords from the device’s RAM using tools like Belkasoft RAM Capturer.

  4. Legal procedures: Given the sensitive nature of this data, it’s crucial to ensure proper legal authorization before attempting to access the Passwords app. Consultation with legal experts and obtaining specific warrants may be necessary.

Private Cloud Compute: privacy in the Cloud

iOS 18 extends Apple’s privacy protections into the cloud with Private Cloud Compute, which handles requests too complex to process on the device itself. This feature is designed so that even when data processing occurs in the cloud, it remains protected and private.

DFIR Implications

Private Cloud Compute poses significant challenges for digital forensics experts, as it may put certain types of data and processing out of reach.

Challenges:

  • Difficulty in accessing cloud-processed data
  • Potential loss of valuable metadata typically associated with cloud processing
  • Increased complexity in tracking user activities that involve cloud compute

Potential Solutions:

  1. Focus on device-resident data: Tools like BlackBag BlackLight can help extract and analyze data stored locally on the device.

  2. Legal avenues for cloud data: Work with legal teams to explore possibilities of obtaining warrants for cloud-stored data, even if it’s processed privately.

  3. Network traffic analysis: Use tools like Wireshark to analyze network traffic and potentially infer information about cloud compute activities.

  4. Forensic triage: Employ triage tools like ADF Digital Evidence Investigator to quickly identify and prioritize relevant data sources on the device.

On-Device Processing: When Data Stays Home

iOS 18 continues the trend of on-device processing for many AI models powering Apple Intelligence. This approach enhances user privacy by reducing data transmission to the cloud but creates new challenges for forensic investigators.

DFIR Implications

With more data being processed and potentially stored locally, investigators need to shift their focus to on-device analysis. However, this data may be stored in new or obscure locations on the device.

Challenges:

  • Identifying and accessing new data storage locations
  • Understanding the structure and format of locally processed data
  • Potential for increased data fragmentation across the device

Potential Solutions:

  1. Advanced file system analysis: Utilize tools like X-Ways Forensics to perform in-depth analysis of the iOS file system and identify new data storage locations.

  2. Reverse engineering: In some cases, it may be necessary to reverse engineer iOS components to understand how and where locally processed data is stored. Tools like Hopper Disassembler can be valuable for this purpose.

  3. Machine learning analysis: Employ tools with machine learning capabilities, such as Nuix Investigate, to identify patterns and extract insights from locally processed data.

  4. Real-time analysis: In cases where it’s possible and legal, consider using tools like GrayKey for real-time analysis of device data.
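The file-system analysis item above asks how an examiner would find data stored in new or obscure locations. The script below is an added example written for this article, not code from the original or from any forensic tool: it inventories an extracted file tree, classifies each file by content signature (SQLite database, SQLite write-ahead log, binary plist, XML) rather than by extension, and flags structured stores whose paths are not in a baseline of already-documented artifact locations. The directory layout, file names and baseline are constructed so it runs offline; they are not real iOS paths.

```python
"""Inventory an extracted file system, identify structured data stores by
content signature, and flag those that lie outside a known-location baseline.

Added example for this article, not code from the original or from any
forensic tool. The directory tree, file names and baseline are constructed
below so the script runs offline; the path layout is an assumption and is
not a real iOS layout.
"""
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of the container formats that hold most app data on iOS.
SIGNATURES = {
    b"SQLite format 3\x00": "sqlite",
    b"\x37\x7f\x06\x82": "sqlite_wal",   # WAL header magic (big-endian)
    b"\x37\x7f\x06\x83": "sqlite_wal",
    b"bplist00": "binary_plist",
    b"<?xml": "xml",                      # XML plists start this way too
}


def sniff(path):
    """Classify a file by its first bytes rather than by its extension."""
    with path.open("rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "other"


def sha256(path):
    """Hash the file so the inventory can be reproduced and compared later."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root, baseline):
    """One record per file: relative path, sniffed kind, hash, and whether the
    path appears in the baseline of already-documented artifact locations."""
    records = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        records.append({"path": rel, "kind": sniff(p),
                        "sha256": sha256(p), "known": rel in baseline})
    return records


def new_data_stores(records):
    """Structured stores (databases, WAL files, plists) in locations the baseline
    does not list: the first candidates to examine for a new feature's data."""
    return [r for r in records if r["kind"] != "other" and not r["known"]]


# Constructed sample extraction: two documented stores plus a database, its
# write-ahead log and a text file in an undocumented directory.
SAMPLE_FILES = {
    "known_app/Library/store.sqlite": b"SQLite format 3\x00" + b"\x00" * 32,
    "known_app/Library/Preferences/prefs.plist": b"bplist00" + b"\x00" * 8,
    "new_feature/Data/cache.db": b"SQLite format 3\x00" + b"\x00" * 32,
    "new_feature/Data/cache.db-wal": b"\x37\x7f\x06\x82" + b"\x00" * 28,
    "new_feature/Data/notes.txt": b"plain text, not a data store\n",
}
BASELINE = {"known_app/Library/store.sqlite",
            "known_app/Library/Preferences/prefs.plist"}


def demo():
    """Build the sample tree in a temp dir and return the flagged records."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return new_data_stores(inventory(root, BASELINE))


if __name__ == "__main__":
    for r in demo():
        print(f"{r['kind']:12} {r['path']}  sha256={r['sha256'][:16]}...")
```

Flagging the `-wal` file separately matters in practice: a write-ahead log can hold rows that were never checkpointed into the main database, so it should be collected and parsed alongside the database it belongs to rather than discarded as an unknown file type.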

ChatGPT integration: AI with Privacy

The integration of ChatGPT into iOS 18 comes with built-in privacy protections, such as IP address obscuring and no request storage by OpenAI. This feature demonstrates Apple’s commitment to providing advanced AI capabilities while maintaining user privacy.

DFIR Implications

The privacy measures implemented in the ChatGPT integration make it challenging to trace or recover user interactions with the AI assistant.

Challenges:

  • Difficulty in recovering ChatGPT conversation history
  • Lack of server-side logs to corroborate user activities
  • Potential for users to leverage ChatGPT for activities of investigative interest without leaving easily discoverable traces

Potential Solutions:

  1. Local storage analysis: Focus on analyzing local device storage for any cached data or logs related to ChatGPT interactions. Tools like UFED Physical Analyzer can be useful for this purpose.

  2. Keyboard cache analysis: Examine the device’s keyboard cache for remnants of user inputs to ChatGPT. Tools like Magnet IEF often include capabilities for analyzing keyboard caches.

  3. Memory analysis: In some cases, it might be possible to recover ChatGPT interactions from the device’s RAM. Tools like Belkasoft X include memory analysis capabilities for iOS devices.

  4. Correlation with other data: Look for correlations between ChatGPT usage timestamps and other user activities on the device to infer the context and potential content of AI interactions.

Satellite Message Encryption

iOS 18 introduces end-to-end encryption for messages sent via satellite, ensuring that only the sender and recipient can read the message contents. This feature extends secure communication capabilities to areas without traditional cellular or Wi-Fi coverage.

DFIR Implications

End-to-end encryption means satellite messages cannot be intercepted or decrypted in transit without access to the encryption keys, which presents significant challenges for investigators.

Challenges:

  • Inability to intercept or decrypt satellite messages in transit
  • Difficulty in distinguishing encrypted satellite messages from other encrypted data on the device
  • Potential for users to leverage satellite messaging for covert communications

Potential Solutions:

  1. Device-centric approach: Focus on obtaining and analyzing the physical devices involved in satellite communications. Tools like Cellebrite Premium may be able to extract and decrypt locally stored satellite messages.

  2. Metadata analysis: Even if message contents are encrypted, metadata such as timestamps, frequency of communications, and approximate locations might provide valuable insights. Tools like IBM i2 Analyst’s Notebook can help visualize and analyze this metadata.

  3. Legal frameworks: Work within legal frameworks to obtain necessary warrants or court orders for accessing encrypted satellite messages. This might involve cooperation with satellite service providers or device manufacturers.

  4. Side-channel analysis: In some cases, it might be possible to infer information about satellite message contents through side-channel analysis of device behavior. Tools like Passware Kit Forensic might be helpful in analyzing encryption keys and processes.
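Three of the solutions above rely on the same technique: the timeline analysis item in the contacts section, the correlation of ChatGPT usage timestamps with other device activity, and the metadata analysis of satellite messages (timestamps and frequency of communications). The script below is an added example written for this article, not code from the original or from any forensic vendor. It normalizes records from three constructed sources that use different timestamp conventions (ISO 8601 with a local offset, Unix epoch, and Apple's Cocoa epoch) into one UTC timeline, then finds events from other sources within a window around an anchor event and counts message activity per peer per hour. All records, source names and field names are constructed sample data.

```python
"""Build one UTC-normalized timeline from artifacts that use different
timestamp conventions, then correlate events around an anchor.

Added example for this article, not code from the original or from any
forensic vendor. Every record below is constructed sample data; the source
names, field names and timestamp conventions are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Seconds between the Unix epoch (1970-01-01) and Apple's Cocoa epoch (2001-01-01).
COCOA_EPOCH_OFFSET = 978_307_200

# Constructed artifacts. Each source keeps its native timestamp format, which is
# exactly what makes naive cross-source correlation error-prone.
APP_USAGE = [  # assumed format: ISO 8601 with a local UTC offset
    {"ts": "2024-09-16T14:02:11-04:00", "app": "assistant.example", "event": "foreground"},
    {"ts": "2024-09-16T14:02:58-04:00", "app": "assistant.example", "event": "background"},
    {"ts": "2024-09-16T15:30:00-04:00", "app": "maps.example", "event": "foreground"},
]
MESSAGES = [  # assumed format: Unix epoch seconds
    {"ts": 1726509780, "peer": "+15550001111", "direction": "out"},
    {"ts": 1726509790, "peer": "+15550001111", "direction": "in"},
    {"ts": 1726513200, "peer": "+15550002222", "direction": "out"},
    {"ts": 1726513260, "peer": "+15550001111", "direction": "out"},
]
NET_EVENTS = [  # assumed format: Cocoa epoch seconds (float)
    {"ts": 748202545.0, "host": "api.example.net", "bytes": 4096},
    {"ts": 748207800.0, "host": "tiles.example.net", "bytes": 900000},
]


def from_iso(value):
    """ISO 8601 string with offset -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def from_unix(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_cocoa(seconds):
    """Cocoa/Core Data timestamps count from 2001-01-01 UTC, not 1970."""
    return from_unix(seconds + COCOA_EPOCH_OFFSET)


def build_timeline():
    """Merge all sources into one list of {ts, source, detail}, sorted by UTC time."""
    events = []
    for r in APP_USAGE:
        events.append({"ts": from_iso(r["ts"]), "source": "app_usage",
                       "detail": f"{r['app']} {r['event']}"})
    for r in MESSAGES:
        events.append({"ts": from_unix(r["ts"]), "source": "messages",
                       "detail": f"{r['direction']} {r['peer']}"})
    for r in NET_EVENTS:
        events.append({"ts": from_cocoa(r["ts"]), "source": "network",
                       "detail": f"{r['host']} {r['bytes']}B"})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(timeline, anchor_source, anchor_match, window_seconds=60):
    """For each anchor event (matching source and detail substring), collect
    events from *other* sources within +/- window_seconds of it."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for anchor in timeline:
        if anchor["source"] != anchor_source or anchor_match not in anchor["detail"]:
            continue
        nearby = [e for e in timeline
                  if e["source"] != anchor_source and abs(e["ts"] - anchor["ts"]) <= window]
        hits.append((anchor, nearby))
    return hits


def peer_activity(timeline):
    """Messages per peer per UTC hour: metadata that survives even when
    message bodies are end-to-end encrypted."""
    counts = Counter()
    for e in timeline:
        if e["source"] == "messages":
            peer = e["detail"].split()[-1]
            counts[(peer, e["ts"].strftime("%Y-%m-%dT%H:00Z"))] += 1
    return counts


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e["ts"].isoformat(), e["source"], e["detail"])
    for anchor, nearby in correlate(tl, "app_usage", "assistant.example"):
        print(f"{anchor['detail']} @ {anchor['ts'].isoformat()} -> {len(nearby)} related events")
    print(peer_activity(tl))
```

The normalization step is where most timeline errors happen: a Cocoa timestamp read as Unix time is off by 31 years, and a local-time string merged with UTC records silently shifts events by the device's offset. Converting every source to aware UTC datetimes before sorting is what makes the subsequent window correlation trustworthy.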

Implications for Digital Forensics

The privacy enhancements in iOS 18 collectively represent a significant shift in the digital forensics landscape. As we’ve explored, each new feature introduces unique challenges that require adapting our techniques and tools. Here are some overarching implications for the DFIR community:

  1. Increased focus on device-level analysis: With more data being processed and stored locally, physical access to devices becomes even more crucial.

  2. Need for advanced decryption capabilities: As encryption becomes more pervasive, investing in advanced decryption tools and techniques will be essential.

  3. Importance of live analysis: In many cases, analyzing a device while it’s still powered on and in an unlocked state may be the only way to access certain types of data.

  4. Legal and ethical considerations: The enhanced privacy features will likely necessitate more specific and detailed legal authorizations for accessing certain types of data.

  5. Interdisciplinary approach: Collaboration between forensic experts, legal professionals, and software developers will become increasingly important to navigate the complex landscape of iOS 18.

Tools and Techniques for iOS 18 Forensics

To effectively conduct digital forensics on iOS 18 devices, investigators will need to leverage a combination of existing tools, updated software, and new techniques. Here are some key tools and approaches to consider:

  1. Cellebrite UFED and Physical Analyzer: These tools are likely to be updated to handle the new security features of iOS 18. They offer comprehensive extraction and analysis capabilities for iOS devices.

  2. Magnet AXIOM: Known for its ability to recover deleted data and analyze complex data sets, AXIOM will be crucial for piecing together fragmented evidence from iOS 18 devices.

  3. Elcomsoft iOS Forensic Toolkit: This tool specializes in iOS forensics and is likely to develop methods for accessing secured areas of iOS 18, including the new Passwords app.

  4. Oxygen Forensic Detective: With its focus on mobile and cloud forensics, this tool will be valuable for analyzing data across local storage and cloud services used by iOS 18.

  5. BlackBag BlackLight: This tool’s strength in analyzing file systems will be crucial for identifying and extracting data from new storage locations in iOS 18.

  6. Grayshift GrayKey: Known for its ability to bypass iOS security measures, GrayKey may be one of the first tools to offer solutions for accessing locked and hidden apps in iOS 18.

  7. Passware Kit Forensic: This tool’s password recovery and encryption analysis capabilities will be valuable for dealing with the enhanced encryption in iOS 18.

  8. XAMN: This tool from MSAB offers advanced analytics capabilities that will be useful for making sense of the complex data landscape in iOS 18.

In addition to these tools, investigators should also consider:

  • Developing custom scripts and tools to address specific challenges posed by iOS 18
  • Leveraging cloud forensics tools to access and analyze data that may be stored or processed in Apple’s cloud services
  • Employing memory forensics techniques to capture and analyze volatile data that might not be accessible through traditional means