iOS 14 – First Thoughts and Analysis
Well, I thought I was going to take a break this week from mobile but Apple decided that wouldn’t be the case. It dropped iOS 14 this week on us after its big announcement event on Tuesday. While we didn’t get any new iPhones, they did announce some swanky new watches and iPads. They also announced that iOS 14 would be dropped the following day. Obviously I had to take a look.
Starting prior to the launch of iOS 14, I took a couple of backups of my test iPad: one with encryption and one without. All was expected to be with iOS 13.7. After downloading iOS 14 (or iPadOS 14 if you want to get super technical), I proceeded the same way and took two backups, one with encryption and one without. Here are some preliminary thoughts on the data and procedures, with more to come over the coming posts.
[Note: all of the backups were taken either using iTunes on Windows or the built-in functionality of Finder in macOS 10.15.6. I also attempted using several versions of libimobiledevice but it wasn’t able to generate backups.]
To see a bigger picture, I also took my daily driver iPhone, which I upgraded to iOS 14, for the same spin. Didn’t grab a 13.7 to compare it to, but still parsed it for information and all was as I generally expected.
Encryption
Encrypting the backups worked the same in iOS 14 as it did in 13.7. It still requires the use of the PIN code or password in order to set a backup encryption password on the device. Decrypting the data also seemed to use the same method as it did in 13.7. I used AXIOM to decrypt and parse the backups and it worked just as expected.
Encryption vs No Encryption
As in iOS 13.7, several data points were only available with backup encryption enabled. These were:
- Keychain
- HealthKit
- Call Logs
- Safari History
Artifact Locations
While I’m sure we’ll continue to find data in different places for a while to come, I wanted to highlight some of the BIG artifacts and where they live. For the most part, these all seemed to be exactly where they were expected to be with iOS 13.7.
- SMS: HomeDomain-Library/SMS/sms.db
- Call Logs: HomeDomain-Library/CallHistoryDB/CallHistory.storedata
- Contacts: HomeDomain-Library/AddressBook/AddressBook.sqlitedb
- Safari: HomeDomain-Library/Safari
  - History.db
  - Bookmarks.db
  - BrowserState.db
- Other Safari Data: AppDomain-com.apple.mobilesafari
  - Library/Preferences/com.apple.mobilesafari.plist
  - Library/Safari/[Same PerSitePreferences.db and UserMediaPermissions.plist as mentioned in blog post here]
  - [iPadOS] Downloads/Downloads.plist
My Voicemails, Calendar, and even data from my Files app (mentioned here) all seemed to be in the right places too.
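The domain-prefixed paths listed above map directly onto file names inside an iTunes/Finder backup folder: each file is stored under the SHA-1 of its "Domain-relativePath" string, in a subfolder named after the first two hex characters of that hash. The following is an added example, not part of the original post, that uses that layout (a property of the backup format, not something the post describes) to check which of the listed artifacts exist in a backup folder and which appear only in the encrypted one. The two backup trees it builds are constructed placeholders containing empty files.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact paths from the post, written as "Domain-relativePath".
ARTIFACTS = {
    "SMS": "HomeDomain-Library/SMS/sms.db",
    "Call Logs": "HomeDomain-Library/CallHistoryDB/CallHistory.storedata",
    "Contacts": "HomeDomain-Library/AddressBook/AddressBook.sqlitedb",
    "Safari History": "HomeDomain-Library/Safari/History.db",
    "Safari Bookmarks": "HomeDomain-Library/Safari/Bookmarks.db",
    "Safari Prefs": "AppDomain-com.apple.mobilesafari-Library/Preferences/com.apple.mobilesafari.plist",
}

def file_id(domain_path: str) -> str:
    """Name of the file inside the backup: SHA-1 of 'Domain-relativePath'."""
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()

def backup_location(backup_dir: Path, domain_path: str) -> Path:
    """On-disk location: <backup>/<first two hex chars of id>/<id>."""
    fid = file_id(domain_path)
    return Path(backup_dir) / fid[:2] / fid

def audit(backup_dir: Path) -> dict:
    """Map each artifact name to True/False: is its file in this backup?"""
    return {n: backup_location(backup_dir, p).is_file() for n, p in ARTIFACTS.items()}

def encrypted_only(plain_dir: Path, encrypted_dir: Path) -> list:
    """Artifacts found in the encrypted backup but absent from the plain one."""
    plain, enc = audit(plain_dir), audit(encrypted_dir)
    return sorted(n for n in ARTIFACTS if enc[n] and not plain[n])

def build_constructed_backup(root: Path, names) -> Path:
    """Create a constructed backup tree holding empty files for the named artifacts."""
    for name in names:
        loc = backup_location(root, ARTIFACTS[name])
        loc.parent.mkdir(parents=True, exist_ok=True)
        loc.touch()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed data: the plain backup lacks the two items the post
        # reports as available only with backup encryption enabled.
        kept = [n for n in ARTIFACTS if n not in ("Call Logs", "Safari History")]
        plain = build_constructed_backup(Path(tmp) / "plain", kept)
        enc = build_constructed_backup(Path(tmp) / "enc", list(ARTIFACTS))
        print(encrypted_only(plain, enc))
```

Passing the folders of a real unencrypted and encrypted backup of the same device to encrypted_only() runs the same comparison on actual data.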
And while the numbers don’t line up perfectly in the following screenshots (because I had to push a clean IPSW of iOS 14 to my device and restore from a backup, plus a teeny bit of extra checking on a few things in 14), you should be able to see that unlike a lot of developers building apps for iOS 14, it shouldn’t catch us too off-guard.
Full Filesystem Images
If you’ve already got a way to obtain full filesystem images for iOS 14, what awaits you? Well, good news it seems. The important stuff that you’d want like location data, KnowledgeC, and PowerLog information all seem to be in place.
I’ve seen a few other things that are going to require a bit more in-depth research, so keep an eye out for those. There are still some things to look at with widgets and other “@” mentions in group threads, but that’s still to come. iOS 14 isn’t done with us yet; there are still several other features like AppClips that might come into play as more developers start to release iOS 14 applications that can take advantage of these things. The good news as a final note? For once, I feel less like the mouse and more like the cat in this little game we play with Apple OS releases. Until next time, folks!
This post was authored by Christopher Vance, Manager, Curriculum Development at Magnet Forensics. It also appears on his D20 Forensics Blog.