Apple has released its new mobile operating system, iOS 16, which has several implications in e-discovery circles.
The update includes functional and aesthetic changes such as a redesigned and more customizable lock screen and more robust focus features to help in setting app boundaries. It also has privacy and security updates, such as the ability to share health data with trusted contacts.
However, the new messaging features in iOS 16 have a tremendous impact on digital forensics. Among these features are the ability to edit and recall (or, in Apple jargon, unsend) iMessages with some restrictions, and a Recently Deleted folder where deleted messages are kept for 30 days before being permanently removed from the device. These features create potential implications for the litigation process, internal business investigations, and beyond.
HOW THE NEW MESSAGING FEATURE WORKS
iOS 16 users have a 15-minute window to make changes and only two minutes to unsend iMessages. The edit and unsend features work only for iMessages; they do not work for SMS text messages.
If both users are using iOS 16, a note appears in the conversation thread showing that a specific message has been edited, and both users can tap to view the unedited versions of the iMessages. A notification also appears when an iMessage is unsent, but neither user can access the unsent message.
If the recipient has not upgraded to iOS 16, edited messages will appear as a second message beginning with “edited to:,” and unsent messages will not be removed from the recipient device, though a notice showing that the sender attempted to unsend a message will appear.
Deleted messages can still be recovered for both iMessages and SMS text messages. Any message deleted after upgrading to iOS 16 will be marked as recently deleted and remain on the device for 30 days.
After 30 days, the messages roll off the device. This applies to both deleted single messages and deleted conversation threads. Users can double-delete messages by opening the recently deleted messages and deleting them again. Notably, unsent messages are not recoverable as recently deleted on either device.
In digital forensic analysis, the modified iMessages appear only as empty chats in the collected conversation thread. They are recoverable, but only by searching the phone’s messaging database. A manual process is needed to link the messages to the proper conversation thread.
On the other hand, the content of an unsent message does not show up in either phone’s messaging database. However, a row in the database has metadata signals indicating that a message was unsent.
Additionally, recently deleted messages are still present on the phone, but they exist as single orphaned messages, not entire conversation threads. Putting them back together into a complete conversation thread will take more manual work.
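The triage described above can be sketched as a single query that flags edited, unsent, and recently deleted rows and relinks each one to its conversation thread. This is an added example, not code from the original article; the table and column names and all sample rows are constructed assumptions modeled on a simplified messaging schema and must be confirmed against the database actually extracted from the device.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions modeled on
# a simplified messaging schema; confirm them against the real extraction.
SCHEMA = """
CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier TEXT);
CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
                      date_edited INTEGER DEFAULT 0,
                      date_retracted INTEGER DEFAULT 0);
CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER);
CREATE TABLE chat_recoverable_message_join (chat_id INTEGER, message_id INTEGER,
                                            delete_date INTEGER);
INSERT INTO chat VALUES (1, '+15550100'), (2, '+15550101');
INSERT INTO message VALUES (10, 'See you at 3', 0, 0),
                           (11, NULL, 1700000100, 0),
                           (12, NULL, 0, 1700000200),
                           (13, 'Delete this thread', 0, 0);
INSERT INTO chat_message_join VALUES (1, 10), (1, 11), (1, 12);
INSERT INTO chat_recoverable_message_join VALUES (2, 13, 1700000300);
"""

# Unsent rows carry only metadata; deleted rows are orphaned from the normal
# join table, so the thread is recovered through the recoverable join instead.
QUERY = """
SELECT m.ROWID,
       c.chat_identifier,
       CASE WHEN m.date_retracted > 0 THEN 'unsent'
            WHEN r.message_id IS NOT NULL THEN 'recently_deleted'
            WHEN m.date_edited > 0 THEN 'edited'
            ELSE 'normal' END AS state
FROM message m
LEFT JOIN chat_message_join j ON j.message_id = m.ROWID
LEFT JOIN chat_recoverable_message_join r ON r.message_id = m.ROWID
LEFT JOIN chat c ON c.ROWID = COALESCE(j.chat_id, r.chat_id)
ORDER BY m.ROWID
"""

def load_sample():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def triage(conn):
    """Return {message rowid: (thread identifier, state)} for every message."""
    return {rowid: (thread, state) for rowid, thread, state in conn.execute(QUERY)}

if __name__ == "__main__":
    for rowid, (thread, state) in triage(load_sample()).items():
        print(rowid, thread, state)
```

On a real matter, run such a query against a working copy of the extracted database, never the original evidence file.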
WHY IT’S IMPORTANT FOR DIGITAL FORENSIC ANALYSIS
For legal teams and investigators who regularly monitor and gather data from iOS devices for investigations and litigation, it is crucial to understand how the new messaging capabilities may affect the ability to preserve and recover evidence.
An essential consideration is that these changes are consistent with the growing set of modification, deletion, masking, and recovery features in messaging applications. In many cases, these messaging tools have made it difficult for investigators to follow the trail of evidence. Some of these changes within iOS 16 (e.g., message editing and recall) will follow that trend.
Another potential legal implication of editing and deleting recently sent messages and recovering deleted messages concerns spoliation of evidence and e-discovery.
Evidence spoliation happens when one party suspects or discovers that the other party has intentionally, negligently, or accidentally destroyed relevant evidence. The consequences of evidence tampering can be severe, ranging from adverse inferences against the party who destroyed the evidence to monetary sanctions and claim dismissal. Courts do not take it lightly, nor should those involved in the judicial process.
The discovery of electronically stored information (ESI), such as text messages on a party’s cellphone, has also created complex, costly, and time-consuming challenges for legal practitioners. The new features affect e-discovery practices in different ways. Litigants will likely see increased requests for document production to include recently deleted iMessage text messages or interrogatories regarding whether, when, and why critical text exchanges may have been edited or deleted.
Forensic collection and analysis tools will certainly catch up with and automate some, if not all, of the manual work associated with edited and recently deleted messages from iOS 16 devices. However, phones with large volumes of edited or recently deleted messages may significantly increase the time, burden, and expense of processing and analyzing the devices until automation comes.
Most significantly, attorneys may need to adjust for this new functionality when assessing and implementing client discovery and investigation response strategy. Companies and their counsel should be aware of this functionality, its implications for their legal holds, policies, and practices, and how to deal with it during a legal matter.
Consider how this new feature may affect e-discovery processes in mobile data disputes: whether legal hold instructions should be updated to address editing or unsending relevant iMessages in cases where an ongoing preservation duty exists, as well as the possibility of restoring recently deleted messages.
During custodian interviews, counsel also often confirms mobile device settings, such as the last backup date and message retention settings. Inquiring whether relevant texts have been edited or unsent may be appropriate. It is also prudent to confirm whether any recently deleted texts have been restored. Any additional information will benefit the technical team when searching the messaging database.
Time will tell how the new iOS 16 affects evidence collection and e-discovery, but it is a good idea to start thinking about how these new features might affect processes and policies. When an iOS 16 device is discovered in litigation or under investigation, planning and adjusting now may pay off later. Digital forensics experts will know where to look and what to look for and can use the soft delete feature and records of other message changes to uncover artifacts that will help paint a picture of what was happening on a device and when.