
iOS Settings Display Auto-Lock & Require Passcode

Published on Jun 02, 2022

Synopsis

Forensics Question:
Where in an iPhone extraction is the Display Auto-Lock setting stored?


OS Version:
Apple iPhone 6s Plus

iOS: 14.4.2 (18D70)

Older iOS versions checked: 12.4.8 and 13.5.1


Tools:
Cellebrite UFED 4PC 7.47.0.247

Cellebrite Physical Analyzer 7.47.0.58 & 7.48.0.49

Magnet AXIOM 5.4.0.26185

ArtEx 1.6.0.0 & 2.0.0.4

Mushy 2.0.0.6


A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the question and getting me thinking.

I did a little research, like reviewing the SANS FOR585 poster and class notes, but could not find the easy answer. I reached out to some other examiners, and they too were a bit puzzled about where those settings might be saved or which property list (plist) they might be stored in.

Tyler was able to narrow down the search when he discovered the PublicEffectiveUserSettings.plist. This plist can be found at the following location on iPhone extractions: \private\var\mobile\Library\UserConfigurationProfiles\PublicInfo\

After learning about the plist, I started working on testing and validating the data stored in the plist.

During testing, the data was acquired using the following tools and methods. The PublicEffectiveUserSettings.plist was found in each of the data extractions listed:

Cellebrite Advanced Logical Extraction – UFED 4PC

Cellebrite Advanced Logical Full File System – device jailbroken with Checkm8 – UFED 4PC

ArtEx ArtExtraction – Full Extraction – device jailbroken with Checkm8

ArtEx ArtExtraction – Live Connection – device jailbroken with Checkm8

Graykey Full File System

Based on testing, I have determined there are several device settings stored within the PublicEffectiveUserSettings.plist, but I will only be discussing two of those settings: the Display Auto-Lock setting and the Required Passcode setting.


Figure 1

Display & Brightness Auto-Lock Setting:

In the Display & Brightness setting there is a setting titled Auto-Lock as seen in Figure 2.

Figure 2

During testing, the Display Auto-Lock options were 30 Seconds, 1 Minute, 2 Minutes, 3 Minutes, 4 Minutes, 5 Minutes and Never:

Figure 3

These Display Auto-Lock settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if the Display Auto-Lock setting is set to auto-lock after 2 minutes as seen in Figure 3, the value key integer will be “120” meaning 120 seconds or 2 minutes.

To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxInactivity key. Once you have located these keys you will notice an integer that represents the setting value in seconds, as seen in Figure 4.

The Apple Developer website (https://developer.apple.com/documentation/devicemanagement/passcode) defines maxInactivity as “the maximum number of minutes for which the device can be idle, without being unlocked by the user, before it gets locked by the system. When this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value.”

Figure 4

You will also notice a key for rangeMinimum. This key integer is the value in seconds for the minimum setting. Notice in Figure 3, the minimum setting is 30 seconds.

Note: There are several ways to view property lists, including on an Apple computer, within forensic tools, and with third-party plist viewing tools. In this instance, I used Ian Whiffin’s “Mushy PLIST Viewer,” which can be downloaded at the following link along with his other FREE tools: https://www.doubleblak.com/software.php

Touch ID & Passcode Require Passcode Setting:

In the Touch ID & Passcode settings there is a setting titled “Require Passcode” as seen in Figure 5.

Figure 5

During testing, the Require Passcode options were Immediately, After 1 minute, After 5 minutes, After 15 minutes, After 1 hour and After 4 hours:

Figure 6

As with the Display Auto-Lock settings, these settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if the Require Passcode setting is set to be required after 5 minutes as depicted in Figure 6, the value key integer will be “300” meaning 300 seconds or 5 minutes.

To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxGracePeriod key. Once you have located these keys, you will notice an integer that represents the setting value in seconds, as seen in Figure 7.

The Apple Developer website (https://developer.apple.com/documentation/devicemanagement/passcode) defines maxGracePeriod as “the maximum grace period, in minutes, to unlock the phone without entering a passcode. The default is 0, which is no grace period and requires a passcode immediately.”

Figure 7

In Figure 7 you will notice additional keys are highlighted. The additional keys listed under the maxGracePeriod key are rangeMaximum and rangeMinimum. These keys indicate the maximum setting and minimum setting within the setting menu as seen in Figure 6.

During testing, I made changes to the device settings six times. Below are the device settings followed by the values listed in the PublicEffectiveUserSettings.plist.

Test One

No passcode

Display Auto-Lock = 2 minutes

Require Passcode = not set

maxInactivity value = 120

maxGracePeriod value = 0

Test Two

6-digit passcode

Display Auto-Lock = 30 seconds

Require Passcode = immediately

maxInactivity value = 30

maxGracePeriod value = 0

Test Three

6-digit passcode

Display Auto-Lock = never

Require Passcode = 1 minute

maxInactivity value = 2147483647

maxGracePeriod value = 60

Take note, in test three, the Screen Auto-Lock setting was set to never and the maxInactivity value is “2147483647.”

Test Four

6-digit passcode

Display Auto-Lock = 1 minute

Require Passcode = 5 minutes

maxInactivity value = 60

maxGracePeriod value = 300

Test Five

6-digit passcode

Display Auto-Lock = 3 minutes

Require Passcode = 4 hours

maxInactivity value = 180

maxGracePeriod value = 14400

Test Six

No passcode

Display Auto-Lock = 2 minutes

Require Passcode = 5 minutes

maxInactivity value = 120

maxGracePeriod value = 300

After testing, I removed the passcode from the test device. When I checked the settings for Require Passcode, it was grayed out, but was still set on the last setting, which was after 5 minutes as seen in Figure 8.

Figure 8

After noticing this, I conducted another extraction and discovered the plist maxGracePeriod value was still set at 300 seconds. I tested to determine if this setting was still active even though the device did not have a passcode. I changed the Display Auto-Lock setting to never, turned the screen on and set the device on my desk. After 5 minutes, the display did not auto-lock and the device did not require a passcode, thus even though this setting was still set in the plist, it was not active and did not make any changes to the device status.
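The lookup described above (restrictedValue, then maxInactivity or maxGracePeriod, then the value integer) can be scripted for an exported copy of the plist. This is an added example, not code from the author or any of the tools named; the nesting of the keys and the constructed sample data are assumptions based on the description in the text, and the function names are hypothetical.

```python
import plistlib

NEVER = 2147483647  # value observed in Test Three when Auto-Lock was set to Never

def describe_seconds(seconds, zero_label):
    """Render a stored seconds value the way the Settings menu words it."""
    if seconds == NEVER:
        return "Never"
    if seconds == 0:
        return zero_label
    for unit, size in (("hour", 3600), ("minute", 60)):
        if seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"

def read_lock_settings(plist_bytes):
    """Return the maxInactivity and maxGracePeriod entries under restrictedValue."""
    root = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    restricted = root.get("restrictedValue", {})
    out = {}
    for key, zero_label in (("maxInactivity", "0 seconds"),
                            ("maxGracePeriod", "Immediately")):
        entry = restricted.get(key)
        if not isinstance(entry, dict) or "value" not in entry:
            out[key] = None  # key absent: report nothing rather than guess
            continue
        out[key] = {
            "seconds": entry["value"],
            "label": describe_seconds(entry["value"], zero_label),
            "rangeMinimum": entry.get("rangeMinimum"),
            "rangeMaximum": entry.get("rangeMaximum"),
        }
    return out

# Constructed sample mirroring Test Three (Auto-Lock = Never, Require Passcode = 1 minute).
# Assumption: each setting is a dict holding "value" next to rangeMinimum/rangeMaximum.
SAMPLE = plistlib.dumps({
    "restrictedValue": {
        "maxInactivity": {"rangeMinimum": 30, "value": NEVER},
        "maxGracePeriod": {"rangeMinimum": 0, "rangeMaximum": 14400, "value": 60},
    }
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for name, info in read_lock_settings(SAMPLE).items():
        print(name, info)
```

As the no-passcode test above shows, a non-zero maxGracePeriod can remain in the plist without being active, so report it together with whether a passcode was set on the device.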

Consideration: I did not test every possibility using these settings. You should also consider that additional factors might affect these settings prior to the data acquisition. An example of this could be a first responder or a different examiner making changes to these settings when the device is seized or when the data is acquired but failing to document these changes. Some forensic tools recommend making changes to these settings prior to data acquisition.

In conclusion, I would like to say thanks to everyone who assisted with validation of this writeup. I hope this information will help you with future analysis.

DFIR Review

The author provides clear documentation of the testing procedures as well as references to the Apple Developer website. The inclusion of specific graphics from the mobile device and the property list files certainly appeases the visual learner who may be quickly researching the methodology. The author has provided sufficient details to allow others to replicate the tests conducted and has described the steps needed to validate the tests conducted.

The reviewers found that the pertinent file can be found in an iOS backup (DeviceUDID/3a/3aef6f188cf22d663030b159b271f1f2591cf56a) so forensic tools are not needed to identify this information.

It was suggested that the author also mention the existence of the same file and the same settings on iPadOS. On iPadOS, the Display Auto-Lock options are 2 minutes, 5 minutes, 10 minutes, 15 minutes and Never. It was also suggested that “Touch ID & Passcode” settings could be “Face ID & Passcode” depending on the device being used. It was also noted that if the user configured their device with Touch ID or Face ID, the Require Passcode setting is automatically set to Immediately. This is the only option available and therefore cannot be changed by the user.

One important factor having an influence on this setting is the handling of the device by the examiner or first responders before extraction. This setting is sometimes modified to avoid locking an unlocked phone when the password is unknown. As discussed by the author, common extraction tools require the examiner to change the auto-lock setting to “never”. It is important to emphasize the importance of the chain of custody and documentation of any modifications applied to the phone before reporting about a setting, because it may not correspond to the original value set by the user.

Future Work

Future work could include looking at devices that are jailbroken vs. devices that are not jailbroken.

Reviewers

Eric Eppley (Methodology Review)

Anthony Knutson (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Johann Polewczyk (Methodology Review, Validated Review Using Reviewer Generated Datasets)

Aurèle Scoundrianos (Methodology Review, Validated Review Using Reviewer Generated Datasets)
