Forensics Question:
OS Version: iOS 14.4.2 (18D70). Older iOS versions checked: 12.4.8 and 13.5.1
Tools: Cellebrite Physical Analyzer 7.47.0.58 & 7.48.0.49; Magnet AXIOM 5.4.0.26185; ArtEx 1.6.0.0 & 2.0.0.4; Mushy 2.0.0.6
A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the question and getting me thinking.
I did a little research, like reviewing the SANS FOR585 poster and class notes, but could not find the easy answer. I reached out to some other examiners, and they too were a bit puzzled about where those settings might be saved or which property list (plist) they might be stored in.
Tyler was able to narrow down the search when he discovered the PublicEffectiveUserSettings.plist. This plist can be found at the following location on iPhone extractions: \private\var\mobile\Library\UserConfigurationProfiles\PublicInfo\
After learning about the plist, I started working on testing and validating the data stored in the plist.
During testing, the data was acquired using the following tools and methods. The PublicEffectiveUserSettings.plist was found in each of the data extractions listed:
Cellebrite Advanced Logical Extraction – UFED 4PC
Cellebrite Advanced Logical Full File System – device jailbroken with Checkm8 – UFED 4PC
ArtEx ArtExtraction – Full Extraction – device jailbroken with Checkm8
ArtEx ArtExtraction – Live Connection – device jailbroken with Checkm8
Graykey Full File System
Based on testing, I have determined there are several device settings stored within the PublicEffectiveUserSettings.plist, but I will only be discussing two of those settings: the Display Auto-Lock setting and the Required Passcode setting.
Figure 1
Display & Brightness Auto-Lock Setting:
In the Display & Brightness setting there is a setting titled Auto-Lock as seen in Figure 2.
Figure 2
During testing, the Display Auto-Lock options were 30 Seconds, 1 Minute, 2 Minutes, 3 Minutes, 4 Minutes, 5 Minutes and Never:
Figure 3
These Display Auto-Lock settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if the Display Auto-Lock setting is set to auto-lock after 2 minutes as seen in Figure 3, the value key integer will be “120” meaning 120 seconds or 2 minutes.
To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxInactivity key. Once you have located these keys you will notice an integer that represents the setting value in seconds, as seen in Figure 4.
The Apple Developer website (https://developer.apple.com/documentation/devicemanagement/passcode) defines maxInactivity as “the maximum number of minutes for which the device can be idle, without being unlocked by the user, before it gets locked by the system. When this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value.”
Figure 4
You will also notice a key for rangeMinimum. This key integer is the value in seconds for the minimum setting. Notice in Figure 3, the minimum setting is 30 seconds.
Note: There are several ways to view property lists, including on an Apple computer, within forensic tools, and with third-party plist viewing tools. In this instance, I used Ian Whiffin’s “Mushy PLIST Viewer,” which can be downloaded at the following link along with his other FREE tools: https://www.doubleblak.com/software.php
Touch ID & Passcode Require Passcode Setting:
In the Touch ID & Passcode settings there is a setting titled “Require Passcode” as seen in Figure 5.
Figure 5
During testing, the Require Passcode options were Immediately, After 1 minute, After 5 minutes, After 15 minutes, After 1 hour and After 4 hours:
Figure 6
As with the Display Auto-Lock settings, these settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if the Require Passcode setting is set to be required after 5 minutes as depicted in Figure 6, the value key integer will be “300” meaning 300 seconds or 5 minutes.
To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxGracePeriod key. Once you have located these keys, you will notice an integer that represents the setting value in seconds, as seen in Figure 7.
The Apple Developer website (https://developer.apple.com/documentation/devicemanagement/passcode) defines maxGracePeriod as “the maximum grace period, in minutes, to unlock the phone without entering a passcode. The default is 0, which is no grace period and requires a passcode immediately.”
Figure 7
In Figure 7 you will notice that additional keys are highlighted. The additional keys listed under the maxGracePeriod key are rangeMaximum and rangeMinimum. These keys indicate the maximum and minimum settings available in the settings menu, as seen in Figure 6.
During testing, I made changes to the device settings six times. Below are the device settings followed by the values listed in the PublicEffectiveUserSettings.plist.
Test One
No passcode
Display Auto-Lock = 2 minutes
Require Passcode = not set
maxInactivity value = 120
maxGracePeriod value = 0
Test Two
6-digit passcode
Display Auto-Lock = 30 seconds
Require Passcode = immediately
maxInactivity value = 30
maxGracePeriod value = 0
Test Three
6-digit passcode
Display Auto-Lock = never
Require Passcode = 1 minute
maxInactivity value = 2147483647
maxGracePeriod value = 60
Take note: in Test Three, the Display Auto-Lock setting was set to Never and the maxInactivity value is “2147483647.”
Test Four
6-digit passcode
Display Auto-Lock = 1 minute
Require Passcode = 5 minutes
maxInactivity value = 60
maxGracePeriod value = 300
Test Five
6-digit passcode
Display Auto-Lock = 3 minutes
Require Passcode = 4 hours
maxInactivity value = 180
maxGracePeriod value = 14400
Test Six
No passcode
Display Auto-Lock = 2 minutes
Require Passcode = 5 minutes
maxInactivity value = 120
maxGracePeriod value = 300
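The lookup described above (restrictedValue, then maxInactivity or maxGracePeriod) can be scripted against an exported copy of the plist. This is an added example, not part of the original writeup; the sample plist is constructed with the Test Three values, and its exact nesting and the function names are assumptions.

```python
import plistlib

NEVER = 2147483647  # value the page recorded for Auto-Lock = Never (2**31 - 1)

# Constructed sample (Test Three values). Assumed nesting, following the page's
# description: restrictedValue -> setting -> value / rangeMinimum / rangeMaximum.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>restrictedValue</key><dict>
  <key>maxInactivity</key><dict>
    <key>rangeMinimum</key><integer>30</integer>
    <key>value</key><integer>2147483647</integer></dict>
  <key>maxGracePeriod</key><dict>
    <key>rangeMaximum</key><integer>14400</integer>
    <key>rangeMinimum</key><integer>0</integer>
    <key>value</key><integer>60</integer></dict>
</dict></dict></plist>"""


def describe(seconds, key="maxInactivity"):
    """Turn a stored seconds value into the wording used in the Settings menu."""
    if seconds == NEVER:
        return "Never"
    if seconds == 0 and key == "maxGracePeriod":
        return "Immediately"
    for unit, size in (("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            count = seconds // size
            return f"{count} {unit}{'s' if count != 1 else ''}"
    return f"{seconds} seconds"


def read_lock_settings(data):
    """Return both settings from plist bytes (XML or binary); None if a key is missing."""
    restricted = plistlib.loads(data).get("restrictedValue", {})
    report = {}
    for key in ("maxInactivity", "maxGracePeriod"):
        entry = restricted.get(key)
        if not isinstance(entry, dict) or "value" not in entry:
            report[key] = None  # absent: report the gap rather than guess
            continue
        report[key] = {"seconds": entry["value"],
                       "text": describe(entry["value"], key),
                       "rangeMinimum": entry.get("rangeMinimum"),
                       "rangeMaximum": entry.get("rangeMaximum")}
    return report


if __name__ == "__main__":
    print(read_lock_settings(SAMPLE_PLIST))
```

As Test Six shows, a nonzero maxGracePeriod value does not by itself indicate that a passcode was set on the device.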
After testing, I removed the passcode from the test device. When I checked the settings for Require Passcode, it was grayed out, but was still set on the last setting, which was after 5 minutes as seen in Figure 8.
Figure 8
After noticing this, I conducted another extraction and discovered the plist maxGracePeriod value was still set at 300 seconds. I tested to determine if this setting was still active even though the device did not have a passcode. I changed the Display Auto-Lock setting to never, turned the screen on and set the device on my desk. After 5 minutes, the display did not auto-lock and the device did not require a passcode, thus even though this setting was still set in the plist, it was not active and did not make any changes to the device status.
Consideration: I did not test every possibility using these settings. You should also consider that additional factors might affect these settings prior to the data acquisition. An example of this could be a first responder or a different examiner making changes to these settings when the device is seized or when the data is acquired, but failing to document these changes. Some forensic tools recommend making changes to these settings prior to data acquisition.
In conclusion, I would like to say thanks to everyone who assisted with validation of this writeup. I hope this information will help you with future analysis.
The author provides clear documentation of the testing procedures as well as references to the Apple Developer website. The inclusion of specific graphics from the mobile device and the property list files certainly appeases the visual learner who may be quickly researching the methodology. The author has provided sufficient details to allow others to replicate the tests conducted and has described the steps needed to validate the tests conducted.
The reviewers found that the pertinent file can be found in an iOS backup (DeviceUDID/3a/3aef6f188cf22d663030b159b271f1f2591cf56a) so forensic tools are not needed to identify this information.
It was suggested that the author also mention the existence of the same file and the same settings on iPadOS. On iPadOS, the Display Auto-Lock options are 2 minutes, 5 minutes, 10 minutes, 15 minutes and Never. It was also suggested that “Touch ID & Passcode” settings could be “Face ID & Passcode” depending on the device being used. It was also noted that if the user configured their device with Touch ID or Face ID, the Require Passcode setting is automatically set to Immediately. This is the only option available and therefore cannot be changed by the user.
One important factor having an influence on this setting is the handling of the device by the examiner or first responders before extraction. This setting is sometimes modified to avoid locking an unlocked phone when the password is unknown. As discussed by the author, common extraction tools require the examiner to change the auto-lock setting to “never”. It is important to emphasize the importance of the chain of custody and documentation of any modifications applied to the phone before reporting about a setting, because it may not correspond to the original value set by the user.
Future work could include looking at devices that are jailbroken vs. devices that are not jailbroken.
Eric Eppley (Methodology Review)
Anthony Knutson (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Johann Polewczyk (Methodology Review, Validated Review Using Reviewer Generated Datasets)
Aurèle Scoundrianos (Methodology Review, Validated Review Using Reviewer Generated Datasets)