A gift from Apple a day puts deleted data in play

A small gift from Apple sees an Apple Backup yield more fruit for forensic examiners. In this blog post, we’ll cover the extremely popular mobile operating system, iOS, and take a look at this ‘gift’. Whether it was inadvertent or planned on their side, we cannot know for sure. But the bottom line is that we can reap some benefits from the iOS 17.4 update.  

Let’s see what it’s all about.  

iOS 17.4 – More deleted data from the iTunes backups with XRY? Yes, please! 

 

Finding deleted data is, of course, crucial for all digital forensic examiners. Within it, you may find paramount pieces of evidence that can make or break your case. 

Here at MSAB we are finding that as of iOS 17.4, we are now decoding more deleted data than ever before from iTunes backups. A big thank you to Johan Persson from our Smartphone team who informed me about this change. 

As you’re probably already aware, SQLite databases are the dominant form of storage used by mobile devices. Prior to the arrival of iOS 17.4, when an SQLite database was included in an iTunes backup, iOS ran it through a process known as vacuum, which results in a compacted database. This leads to a smaller backup for the end user, but it has a knock-on effect for examiners: vacuuming rebuilds the database without its free pages, which is where deleted records tend to linger, so forensic tools may struggle to extract and decode previously deleted data. 

Apple are notoriously efficient in data cleansing – this is widely known within the forensic community. However, they need to also think of the end customer when making changes to their operating system to enhance the user experience. 

An example of the differences can be seen in the screenshots below. iOS 17.3.1 is Figure 1.0 and iOS 17.4 is Figure 2.0. These extractions were taken before and after the device updated to the latest iOS, with no changes taking place on the handset. 

Figure 1.0 – Extraction of iOS 17.3.1

Figure 2.0 – Extraction of iOS 17.4

With the arrival of iOS 17.4 we have observed that Apple appear to have stopped compacting the SQLite database files added to the iTunes backup. The result is that we now can find more deleted data than ever before in the iTunes backup. 

Now, of course, it is possible that this change was intentional since pre-processing all the database files when creating an iTunes backup is a time-consuming activity and therefore has a price on the battery life of the device. Either way, this is good news for the entire digital forensics industry. 

So, how are we able to decode more data? 

As Apple are no longer compacting their backups, we now have access not only to the .db files but also to the associated .db-shm and .db-wal files. Those examiners who are used to working with these files will realize the importance of being able to decode data from them. 

An example of this can be seen in the screenshots below: iOS 17.3.1 is Figure 3.0 and iOS 17.4 is Figure 4.0. In this example we can see that not only do we have the .db file sms but also the associated .db-shm and .db-wal files. 
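To make the two points above concrete (vacuuming removes free pages, and the .db-wal file now travels with the backup), here is an added Python example, not part of the original post and not XRY code, that reads the SQLite database header and WAL header to report how many free pages and WAL frames a database copy still holds. It assumes the database and its sidecar files have already been extracted from the backup under their original names; the function names are hypothetical.

```python
import os
import struct

DB_MAGIC = b"SQLite format 3\x00"
WAL_MAGICS = (0x377F0682, 0x377F0683)  # the two values differ only in checksum byte order

def read_db_header(db_path):
    """Page size and freelist page count from the 100-byte database header."""
    with open(db_path, "rb") as fh:
        hdr = fh.read(100)
    if len(hdr) < 100 or hdr[:16] != DB_MAGIC:
        raise ValueError(f"{db_path}: not an SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    # Offset 32: first freelist trunk page; offset 36: total freelist pages.
    _first_trunk, freelist_pages = struct.unpack(">II", hdr[32:40])
    return {"page_size": page_size, "freelist_pages": freelist_pages}

def count_wal_frames(wal_path):
    """Count WAL frames. 'wal_current' frames carry the salts of the WAL header;
    'wal_stale' frames are leftovers from an earlier WAL generation.
    Frame checksums are not verified here."""
    result = {"wal_present": os.path.exists(wal_path), "wal_current": 0, "wal_stale": 0}
    if not result["wal_present"] or os.path.getsize(wal_path) < 32:
        return result
    with open(wal_path, "rb") as fh:
        magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", fh.read(24))
        if magic not in WAL_MAGICS or page_size == 0:
            raise ValueError(f"{wal_path}: not an SQLite WAL file")
        frame_len = 24 + page_size  # 24-byte frame header plus one page
        n_frames = (os.path.getsize(wal_path) - 32) // frame_len
        live = True
        for i in range(n_frames):
            fh.seek(32 + i * frame_len + 8)  # salts sit at offset 8 of the frame header
            live = live and struct.unpack(">II", fh.read(8)) == (salt1, salt2)
            result["wal_current" if live else "wal_stale"] += 1
    return result

def triage(db_path):
    """Summarise what survived in one extracted database and its sidecar files."""
    report = read_db_header(db_path)
    report.update(count_wal_frames(db_path + "-wal"))
    report["shm_present"] = os.path.exists(db_path + "-shm")
    # A vacuumed (compacted) copy has no free pages left to carve deleted rows from.
    report["has_free_pages"] = report["freelist_pages"] > 0
    return report
```

A copy that reports zero free pages and no WAL frames offers little beyond its live records, which is what the pre-17.4 compacted backups described above looked like.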

Is this a long-term solution? 

Was it intended; will we have access for long?  

This is Apple, so nobody knows. For now, however, it is good news for the consumer because this update leads to less impact on their device. And it is good news for the forensic community who now have access to these extremely important files.  

With XRY, the deleted data from the iTunes backups is ready to reveal some of its previously impenetrable secrets. This has the potential to make a real difference in your investigations.  

 


About the author:

Adam Firman is the MSAB Tech Evangelist. He boasts a distinguished career in law enforcement, with over 15 years’ experience as a police officer and proficiency in various digital forensic solutions. He is well-versed in industry standards related to digital forensics and has been a certified trainer since 2014. He is a frequent speaker at global industry events on digital forensic topics and has served as an expert witness in high-profile court cases. Adam is deeply committed to serving and protecting the community. 
