Posted on: July 07, 2016 in Blog
4 Things to Consider about iPhone OS for an MDM Policy
As consumer technology continues to infiltrate the corporate working environment, a proper information governance strategy is paramount to ensure that valuable business information is retained while stale data is purged to reduce legal and regulatory risk exposure.
Popular mobile devices all have unique operating systems - providing different hurdles for responding to a preservation trigger. Download this white paper to learn about the recovery, retention and preservation on each device.
Today's always-connected, mobile information worker generates an ocean of discoverable ESI that is essentially stored in their pocket or purse and likely falls just outside the sphere of administrative control. Prior to enacting a mobile device management policy, an organization must know exactly what devices it has, or will have, in order to better understand the hurdles unique to each manufacturer or operating system.
iPhone OS Considerations
1. Method of SMS/MMS/Chat Storage
Apple devices such as the iPhone and iPad employ variations of the Apple Darwin operating system which was later branded as the “iPhone OS” and ultimately shortened to simply “iOS.” Apple devices currently store text message information inside a special-purpose SQLite database appropriately named “SMS.db.” When iOS 5 emerged in 2011, Apple added a special iOS-to-iOS messaging feature called iMessage. Although iMessages do not transmit via the Short Message Service (SMS) protocol, iMessages are also stored within the SMS.db structure.
2. Retention Scheme
With iOS 5, Apple capped the messaging database to 15 megabytes, or approximately 75,000 text messages. Once the limit is reached, the user receives a warning that his or her “SMS mailbox is full” and the user would need to delete messages in order to free up space. More recent iOS versions have expanded storage limits and, as an added bonus for information governance hawks, there is now an option available to automatically delete old messages after 30 days or one year. If a user opts instead to store messages “Forever,” they are retained until the user deletes them manually or until the device’s internal memory runs low, whereupon no additional messages can be stored (dependent again on the iOS version in use).
3. Deleted Item Recovery
When a user deletes a message, that message is simply flagged in the SMS database to be hidden from the user’s view. There is no evidence to suggest that the iPhone or iPad will automatically delete or overwrite messages, although a periodic “vacuum” routine purges deleted records from the SMS database. The vacuum occurs at “page level” in digital storage terms and one page of storage space generally holds up to 4 kilobytes of data. If every single SMS record stored on a particular page of memory has been marked for deletion, the records are permanently deleted; if there is even one single “active” message on that page, the entire page will remain intact. This can result in an anomaly where relatively older deleted messages are forensically recoverable, but relatively more recent deleted messages are not recoverable because they happen to occupy the same memory page as one or more currently-active messages.
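The gap between "deleted" and "purged" described above can be reproduced on any SQLite file. The following is an added example, not code from the original article: it uses a constructed `message` table (not the real SMS.db schema) and SQLite's generic `VACUUM` command as a stand-in for the iOS routine, and it assumes `secure_delete` and `auto_vacuum` are turned off.

```python
import os
import sqlite3
import struct
import tempfile


def header_info(raw):
    """Read page size, page count and freelist count from the 100-byte SQLite header."""
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    page_count, = struct.unpack(">I", raw[28:32])
    freelist_pages, = struct.unpack(">I", raw[36:40])
    return page_size, page_count, freelist_pages


def residue(raw, deleted_ids):
    """Count deleted messages whose body marker is still present in the raw file."""
    return sum(1 for i in deleted_ids if f"MSG#{i:04d};".encode() in raw)


def run_demo():
    """Build a constructed message store, delete old rows, then VACUUM; return findings."""
    path = os.path.join(tempfile.mkdtemp(), "constructed_messages.db")
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA page_size = 4096")      # 4 KB pages, as in the article
    conn.execute("PRAGMA auto_vacuum = NONE")    # freed pages stay in the file
    conn.execute("PRAGMA secure_delete = OFF")   # freed bytes are not zeroed
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?)",
                     [(i, f"MSG#{i:04d}; " + "x" * 100) for i in range(1, 301)])
    conn.commit()
    deleted = range(1, 201)                      # the 200 oldest messages
    conn.execute("DELETE FROM message WHERE id <= 200")
    conn.commit()
    with open(path, "rb") as fh:
        after_delete = fh.read()
    conn.execute("VACUUM")                       # rebuild the file from live rows only
    conn.close()
    with open(path, "rb") as fh:
        after_vacuum = fh.read()
    return {
        "after_delete": header_info(after_delete) + (residue(after_delete, deleted),),
        "after_vacuum": header_info(after_vacuum) + (residue(after_vacuum, deleted),),
    }


if __name__ == "__main__":
    for stage, (psize, pages, free, found) in run_demo().items():
        print(f"{stage}: page_size={psize} pages={pages} "
              f"freelist_pages={free} deleted_bodies_found={found}")
```

For a retention policy, the figure to watch is `deleted_bodies_found`: it stays above zero after the delete and only drops to zero once the file has been rebuilt.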
iOS also features device-wide indexing and searching. Users may find on occasion that previously-deleted text messages are still visible when performing a device-wide search with Spotlight because the content has not been fully purged from the Spotlight index. It is also possible to search unallocated space on an iOS device; however, if the device is equipped with file-level encryption, unallocated space may be completely inaccessible because the keys used to encrypt the data at the time it was created have been discarded.
4. Legal Hold & Preservation Options
Although Apple does not provide a central, enterprise-level Mobile Device Management (MDM) suite of tools, iOS comes equipped with an MDM programming interface which allows an organization to use 3rd party tools to manage the devices. The MDM interface can be used to enforce security, usage, and configuration policies on the devices. It cannot, however, be used to view calendar entries, contact information, SMS or iMessage content, photos, call logs, or GPS information. Currently, there are no central administrative tools that can force SMS messages to expire or be deleted from an iOS device; even if such a management tool existed, expired messages may still be recoverable using forensic tools.
If an organization wishes to catalog or retain the user-generated content of an iOS device, they must either obtain a backup of the device via iTunes (or a 3rd party alternative) or deploy a forensic tool to capture a physical, file system, or logical image. The level of extraction is dependent upon the model and OS of the device. Alternatively, there are 3rd party applications that can be used to simply extract the SMS, iMessage, or other targeted data from the device when connected to a laptop or desktop computer. Although many of these tools are quite robust, they may fall short of a true enterprise solution and the demands of eDiscovery or law enforcement.
Another consideration for iPhone data retrieval is iCloud storage. With the continued integration between Apple’s iCloud and iOS, users now may choose to use iCloud Backup to save their device data. iCloud automatically backs up a user’s iOS device information daily over Wi-Fi when a device is turned on, locked, and connected to a power source. With the user’s AppleID and password, third-party tools like Elcomsoft Phone Breaker can access these backups. SMS or MMS messages that might have been deleted by the auto delete feature or by the end-user may still be accessible from those backups.
Initially a communication tool popular with teenagers and college students, SMS messaging is now a mature and ubiquitous collaboration channel. Recent case law suggests that this data, and SMS messages in particular, is no longer unduly burdensome to preserve and collect. Although the number of devices, operating systems, and 3rd party tools present a dizzying array of consumer and business options, a careful examination of the intersection of governance policy and MDM options is a necessary exercise for organizations of all sizes.