With every iOS update, Apple continues to tighten its grip on user privacy. The newly introduced iOS 18 is no different, bringing a suite of privacy features that are bound to make our lives as digital forensic experts a tad more challenging. Keep in mind, this is a beta release, we do not know what the final released version will look like and what the true impact of these changes may be. Let us dive into these features, understand their implications, and explore how we might navigate these new hurdles.
Locked and Hidden Apps: The New Fort Knox
What’s New: iOS 18 allows users to lock or hide any app on their device. Locked apps require Face ID, Touch ID, or a passcode to access, even when the iPhone is unlocked. Hidden apps are removed from the home screen and placed in a hidden folder that also requires authentication to access.
Forensics Impact: This feature could significantly hinder our ability to access certain apps and their data. While locked apps are not new, the combination with hidden apps adds an extra layer of difficulty. Traditional methods might not suffice, necessitating advanced techniques or obtaining the necessary authentication credentials through legal channels.
Improved Contacts Permission: A New Layer of Privacy
What’s New: Users can now selectively share contacts with apps instead of granting access to their entire contact list. This granular control over contact sharing limits the amount of contact information available to forensic investigators when examining app data.
Forensics Impact: Selective sharing means we might only get a partial view of contact interactions, making it harder to piece together comprehensive communication patterns. We need to adapt by focusing on other sources of contact data, such as call logs and messaging apps.
The New Passwords App: A Double-Edged Sword
What’s New: iOS 18 introduces a dedicated Passwords app that stores iCloud Keychain logins, passwords, passkeys, Wi-Fi passwords, and verification codes.
Forensics Impact: This centralized storage could either be a treasure trove or a Pandora’s box. On one hand, accessing this app with proper authorization could provide valuable insights. On the other hand, its enhanced security measures might pose significant extraction challenges. We need to stay updated on the latest methods to secure access to this app when warranted.
Private Cloud Compute: Privacy Elevated
What’s New: Apple Intelligence in iOS 18 uses Private Cloud Compute for more complex requests, extending privacy and security protections into the cloud
Forensics Impact: Data processed in the cloud might be out of reach, complicating efforts to gather comprehensive evidence. This requires us to develop new strategies, focusing more on device-resident data and the legal avenues to access cloud-stored information.
On-Device Processing: Data Stays Home
What’s New: Many of the AI models powering Apple Intelligence run entirely on the device, reducing data transmission to the cloud.
Forensics Impact: While this increases user privacy, it also means that certain types of processed data may not be stored in easily accessible locations. Direct access to the device and real-time analysis become even more critical in such scenarios.
ChatGPT Integration: A New Kid on the Block
What’s New: The integration of ChatGPT into iOS 18 comes with built-in privacy protections, such as IP address obscuring and no request storage by OpenAI.
Forensics Impact: Tracing or recovering user interactions with ChatGPT could become a herculean task. Investigators must be innovative, perhaps focusing on device logs and local storage to gather necessary evidence.
Satellite Message Encryption: End-to-End Security
What’s New: Messages sent via satellite on iOS 18 are end-to-end encrypted, ensuring that only the sender and recipient can read the message.
Forensics Impact: End-to-end encryption makes it almost impossible to intercept or decrypt messages without the encryption keys. This shifts the focus to obtaining the involved devices and working within legal frameworks to access the data.
Key Points on Satellite Message Encryption
- End-to-End Encryption: Ensures that messages remain secure and private during transmission.
- Robust Algorithms: Likely employs strong encryption standards like AES-256.
- Holistic Security Approach: Emphasizes securing the entire communication system, including both satellite and ground components.
Implications for Digital Forensics
- Data Access Challenges: Accessing encrypted messages without the keys is nearly impossible, necessitating device access.
- Legal and Technical Workarounds: Legal methods and technical exploits might be required, always within ethical boundaries.
- Focus on Device Forensics: With data in transit secured, device-level analysis becomes paramount.
Wrapping Up
iOS 18’s privacy enhancements represent a significant leap in user data protection, posing new challenges for us in digital forensics. As technology evolves, so must our techniques and tools. We need to stay ahead of the curve, continually adapting to ensure we can still extract valuable insights while respecting legal and ethical standards.
Actionable Steps
- Stay Informed: Regularly update your knowledge on the latest iOS features and their forensic implications.
- Invest in Training: Focus on advanced training for handling encrypted and cloud-based data.
- Collaborate: Work closely with legal teams to ensure compliance with evolving privacy laws.
- Innovate: Develop and adopt new forensic tools and techniques to navigate these privacy enhancements.
View original post here.
HaystackID Blog | July 8, 2024
By John Wilson, CTCE, FDACS, Chief Information Security Officer and President of Forensics, HaystackID
HaystackID Blog Editor’s Note: This article, authored by John Wilson, Chief Information Security Officer and President of Forensics at HaystackID, examines the implications of iOS 18’s new privacy features for digital forensics and offers practical strategies for digital forensic experts to handle these new challenges. Wilson is a strategic, results-oriented leader with over 20 years of experience in information security and risk management. He excels in building robust security governance, policies, and INFOSEC teams, providing expert leadership, and assisting diverse organizations in developing enterprise-level information security programs that balance strong security practices with business needs. Wilson and his team developed HaystackID’s Mobile Elite Discovery and Analysis Lab (MEDAL) Suite, which equips legal teams with the tools for swift remote triage, targeted data extraction, and efficient review processes for mobile data.
Contact Granite Discovery to learn more about our services and how we can help you.