Fall is full of new data in iOS 16 messages

Written by Amber Schroader

With each fall we see changes in the smartphone world with new firmware updates that bring extra spice to the pumpkin spice season. This year was not an exception with iOS 16 showing lots of new data that will add to our digital investigations.

iOS 16 held a lot of changes in general that were designed to make your Apple experience better. A full review of all the changes can be found here. Some of the larger forensic impacts of these updates are focused on messaging.

Now messages can have new “status” levels that can change how we see them in digital evidence. Here are some of those status changes.

Edit a Message

You can edit a message after the send has happened. This will be revolutionary for drunk texting but will change a lot of the intent of the message when it comes to it as digital evidence.

Mark as unread

You can’t believe what the status message says anymore if a message was read or not. You will stay in the limbo of wonder with the ability to change that status manually.

Recover recently deleted messages

This is a nice comeback from iOS 12 days when we all lost the ability to recover deleted messages in iOS. Now you can recover deleted messages for up to 30-days from the deletion time. Digital evidence just got a nice fall surprise with this option coming back.

There are other features that have come into messaging with more synchronization and sharing of data for everything from workouts to projects.

When we look at the data that has evolved from iOS, we can see some valuable forensic impacts.

Below are examples of what to expect with actual data in iOS 16.

Edited Message Examples

Message data on iOS 16 that was edited.

iOS 16 data edited but now displayed in iOS 15.

New metadata noting edits in iOS 16

Recalled Message Examples

Message sent from iOS 16. 

Message recalled from iOS 16 to iOS 15.

Message recalled and noted metadata iOS 16.

Deleted Message Examples

Message marked for deleted. 

Message highlighted as deleted in iOS 16, but is still displayed in iOS 15.

Some of the biggest impacts are the need to really check the meta data and ensure you are seeing all the changes that are noted in that data. It is also important to note that if data is shared with these features between older firmwares these features do not work. The deleted data will be displayed even if requested deleted in iOS 16 it will still show in iOS 15.

If you have not played around with these changes in iOS 16 with your forensic tool now is the time to test and check it out. Sign up for a trial of the E3 Forensic Platform here.

Forensic-Impact Articles

iOS 17 Forensic Impacts

iOS 17 Forensic Impacts

We are in the time of year when our pumpkin spice cravings start crawling to the surface and we see some big releases in the world of mobile firmware. It is a good time to validate and check your tools to see what data you gained and lost with the firmware change....

How Leadership Can Impact Cybersecurity

How Leadership Can Impact Cybersecurity

Written by: Riley Anne JohnsCybersecurity is a major priority nowadays for business leaders, as no organization is immune to cyber threats. For example, according to Forbes, cyberattackers made roughly $456.8 million in ransomware profits in 2022 alone, as most...

Different Android Flavors and Forensic Processing

Different Android Flavors and Forensic Processing

Android, developed by Google, is one of the most popular mobile operating systems worldwide, powering millions of devices. What you might not realize is that there are different tiers of Android OS that are available for millions of devices. We will explore the three...