With the release of iOS 16, I did what I always do-get as many images as I can from my test phones and start ripping them apart to see what is and isn't there anymore. While quick images (iTunes-style backups) were pretty straightforward minus some enhancements to Messages and Safari (here if you're interested), filesystem images have been a bit different. Buckle up folks because this one is going to be a bit long. If you're looking for the TL;DR, scroll to the bottom to get a quick review of the good news/bad news. However, if you're curious in seeing how the new "biome" data structures are playing into things, keep reading.
Finding the Missing Knowledge
While working through the file system I wanted to check on some of our favorite pattern of life activity such as PowerLog and KnowledgeC data. While PowerLog is still mostly intact (and still a mess to parse through), I noticed that KnowledgeC was missing several of my favorite artifacts. If you're not familiar with KnowledgeC.db, where have you been?! Jokes aside, I recommend reading up on it from the talented mind of Sarah Edwards over on her blog Mac4n6. Sarah's work into KnowledgeC and her tool APOLLO has been amazing for helping to deal with KnowledgeC work and the basis for a lot of our understanding of pattern of life information over the past few years.
So what was missing? The easiest way I can show this is using a tool from my day job, Magnet AXIOM to show you a list of what was present from a device running iOS 15 to iOS 16. Now, take the number of recovered records with a grain of salt as the iOS 15 device was used for a longer period of time versus the iOS 16 one. What is key is taking note of the missing categories entirely.
Understanding Biome Data
Breaking Down the Biomes (Part 1-App.inFocus)
The maxAge value (2419200) appears to be seconds, and if it is converted to days, shows us 28 days which lines up with previous biome experiences.