Written by Amber Schroader
With each fall we see changes in the smartphone world with new firmware updates that bring extra spice to the pumpkin spice season. This year was not an exception with iOS 16 showing lots of new data that will add to our digital investigations.
iOS 16 held a lot of changes in general that were designed to make your Apple experience better. A full review of all the changes can be found here. Some of the larger forensic impacts of these updates are focused on messaging.

Now messages can have new “status” levels that can change how we see them in digital evidence. Here are some of those status changes.
Edit a Message
You can edit a message after the send has happened. This will be revolutionary for drunk texting but will change a lot of the intent of the message when it comes to it as digital evidence.
Mark as unread
You can’t believe what the status message says anymore if a message was read or not. You will stay in the limbo of wonder with the ability to change that status manually.
Recover recently deleted messages
This is a nice comeback from iOS 12 days when we all lost the ability to recover deleted messages in iOS. Now you can recover deleted messages for up to 30-days from the deletion time. Digital evidence just got a nice fall surprise with this option coming back.
There are other features that have come into messaging with more synchronization and sharing of data for everything from workouts to projects.
When we look at the data that has evolved from iOS, we can see some valuable forensic impacts.
Below are examples of what to expect with actual data in iOS 16.
Edited Message Examples

Message data on iOS 16 that was edited.

iOS 16 data edited but now displayed in iOS 15.

New metadata noting edits in iOS 16
Recalled Message Examples

Message sent from iOS 16.

Message recalled from iOS 16 to iOS 15.

Message recalled and noted metadata iOS 16.
Deleted Message Examples

Message marked for deleted.

Message highlighted as deleted in iOS 16, but is still displayed in iOS 15.

Some of the biggest impacts are the need to really check the meta data and ensure you are seeing all the changes that are noted in that data. It is also important to note that if data is shared with these features between older firmwares these features do not work. The deleted data will be displayed even if requested deleted in iOS 16 it will still show in iOS 15.
If you have not played around with these changes in iOS 16 with your forensic tool now is the time to test and check it out. Sign up for a trial of the E3 Forensic Platform here.
Forensic-Impact Articles
Small Businesses: Don’t Make These 7 Common Cybersecurity Mistakes
Guest Blog Post: Lance Cody-ValdezHackers are going after SMBs with a vengeance – 43 percent of all cyberattacks are directed toward these smaller companies, according to a Hacked report. SMBs make for “soft” targets, as many don’t have basic cybersecurity safeguards...
Why is Triage a good step in Digital Forensics?
Many people discount the value of triage. Investigators try to obtain all the data at once, which can be costly and unproductive. With the data gap gone between mobile and computer-related data, you can analyze terabytes now without breaking a sweat. Triage and...
Investigating Current and Future Vulnerabilities of Electric Vehicle Charging Networks
Blog by: Cameron Cisneros, Zachary Wilson, Karla Soler and Ian Yates Research by: Felix Murray, Cameron Cisneros, Zachary Wilson, Karla Soler, Ian Yates, Unny Menon, Richard D’souza Sponsored by: When we began our research into vulnerabilities of electrical vehicle...