Featured news

Understanding the security impacts of iOS 18’s inactivity reboot

Beginning with iOS 18, Apple has added an inactivity reboot timer into the operating system that is tied only to the device’s lock state. This means that when the device has been locked for a period of three days (72 hours), the device reboots. Sounds simple, right? Well, it’s not quite so simple for the forensic community. This inactivity reboot has several important implications that should be discussed.

Where is this documented?

Well, that’s the funny thing. As of the time of the writing of this article in November of 2024, Apple had not yet documented this new security feature even though iOS 18 had been out for a few months. While Apple has a great set of documentation around their security features (which this could be considered), that document doesn’t get updated until months after a major release. As of November 2024, it was last updated in May 2024. While this feature was seen around the time of iOS 18.1, after confirming, it was actually introduced in the code of iOS 18.0.

Why would this reboot even be considered a security feature?

This is tied to how Apple protects its file system with encryption. Data is protected at different “class” levels depending upon certain conditions. This reboot ensures that data that is at rest for longer than three days gets rebooted so that it gets returned to its most secure state.

What triggers the inactivity reboot?

The inactivity reboot trigger is tied to the lock state of the device, not to network settings, charging status, nor data functions. This means that once a device has entered a locked state and has not been unlocked within 72 hours, it will reboot. There are no prompts or warnings displayed on the device to cancel or interrupt this process. It should be noted that while the timer is 72 hours (3 days) in iOS 18.1, it was originally for 7 days in iOS 18.0.

How the inactivity reboot affects forensic investigations

Because of the new inactivity reboot timer, it is now more imperative than ever that devices get imaged as soon as possible to ensure the acquisition of the most available data. If you’re dealing with a device where the passcode is known, this is not as large as a concern.

How do I know if my device rebooted?

If the iOS device does reboot, you’ll know this by taking a look at the lock screen. When you go to enter the password, it will display “Touch ID | Face ID requires your passcode when iPhone restarts” depending on what type of biometric you have enabled.

Screenshot of an iOS device login screen.

Because the full unified logs where we can find this information can be a bit overwhelming for examiners, it might be best to start by seeing WHEN the device reboot occurred. To do this, we can take a look at a handy log file within iOS, the shutdown.log file which can be found within the iOS file system at /private/var/db/diagnostics. This text file contains information on the reboots done on the system and lists them in chronological order, with the most recent reboot being at the end of the file. The value that we want to find is in the brackets next to the term “SIGTERM” which is a UNIX numeric timestamp (in seconds).

Screenshot of a text file that contains information on the inactivity reboots done on the system.
Screenshot of a text file that contains information on the inactivity reboots done on the system.

Within the logs for the device there are a couple of ways we can track to see what type of reboot was done as well. For iOS 18’s inactivity reboot, we can search across our unified logs of the device for “inactivity reboot” which should return the full message that we’re looking for, pictured below:

Screenshot of logs within the iOS device searching for inactivity reboot.

Prior to iOS 18, the inactivity reboot didn’t exist, but there were other reasons why the device could have rebooted. While reboots happened sporadically, if they did, it was usually due to a memory maintenance issue. When the process memory of an iOS device was too heavily used for too long, the iOS device could perform memory maintenance which could cause the device to reboot. In those situations, you could find the phrase “SystemMemoryReset” in the unified logs right before the reboot occurred.

How can Magnet Forensics help?

Magnet Graykey can provide same-day access to the latest iOS and Android devices to help you get the mobile evidence you need. And, to help you process mobile devices as quickly as possible, we also offer Graykey Fastrak which provides the ability to extract data from multiple mobile devices simultaneously, scaling up the capabilities of your Graykey.

If you are interested in learning more about Graykey’s iOS support or Graykey Fastrak, reach out to us at sales@magnetforensics.com. To learn more about the automated iOS reboot check out our knowledge base article: iOS 18 Automated Reboot Issues (customer credentials required).

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top