With the release of iOS 16, there have been a lot of people talking about Apple's decision to allow iMessage users to either unsend or edit a message. There are a lot of potential nefarious uses for this data, but what does all of this mean for forensics?
This post won't be breaking down a lot of the standard database storage for unsent and edited messages, as I have already covered that over on the Magnet Forensics (my day job) blog, which can be found here. I'll give you some TL;DR information about the features below as well:
- Unsending and editing messages are time-locked.
- Unsending a message must be done within 2 minutes from its sent date.
- Editing a message must be done within 15 minutes from its sent date.
- You can only unsend or edit a message you send.
- It's only for iMessages (sorry, Android users).
- Both unsent and edited messages blank out the text column of the messages table in the sms.db.
- Both unsent and edited messages have a unique timestamp to show when they were modified.
- Edited messages keep a "version history" with each edit having its own timestamp.
- Notification Events
What about edited messages?
Edited messages can be tracked within the same categories as the above. The content of the message in the database is still blanked, and the data is stored within the attributedBody or message_summary_info columns, depending on how many edits you're trying to track. Each individual edit becomes a separate message as far as the Application Intents or Notification Events are tracked, so expect to find each individual edited message in either of these two sections. Since the messages are not flagged to be deleted, the edited messages will still be tracked within the KnowledgeC.db, unlike the unsent messages.
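A triage pass over the message table that lists unsent and edited messages and checks each modification against the 2-minute and 15-minute limits above. This is an added example, not code from the original post. It assumes the iOS 16 message-table columns `date`, `date_edited`, `date_retracted` and `is_from_me` with nanosecond Mac absolute timestamps, none of which are named in the post, and the database rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Limits stated in the post: 2 minutes to unsend, 15 minutes to edit.
WINDOWS = {"unsent": timedelta(minutes=2), "edited": timedelta(minutes=15)}

def apple_ns(value):
    """Mac absolute time in nanoseconds -> aware UTC datetime."""
    return APPLE_EPOCH + timedelta(microseconds=value // 1000)

def build_sample_db():
    """Constructed stand-in for sms.db with only the columns used below."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT,
        attributedBody BLOB, message_summary_info BLOB, is_from_me INTEGER,
        date INTEGER, date_edited INTEGER, date_retracted INTEGER)""")
    sent, sec = 686_000_000 * 10**9, 10**9   # constructed send time (2022)
    rows = [  # constructed rows; blobs are placeholders, not real plists
        (1, "hello", None, None, 1, sent, 0, 0),
        (2, None, None, b"placeholder", 1, sent, 0, sent + 90 * sec),
        (3, None, b"placeholder", b"placeholder", 0, sent, sent + 600 * sec, 0),
        (4, "", b"placeholder", b"placeholder", 1, sent, sent + 1200 * sec, 0),
    ]
    con.executemany("INSERT INTO message VALUES (?,?,?,?,?,?,?,?)", rows)
    return con

def triage(con):
    """List unsent/edited messages and check each against its time lock."""
    query = """SELECT ROWID, text, is_from_me, date, date_edited, date_retracted,
                      message_summary_info IS NOT NULL
               FROM message WHERE date_edited > 0 OR date_retracted > 0
               ORDER BY ROWID"""
    findings = []
    for rowid, text, from_me, sent, edited, retracted, has_summary in con.execute(query):
        kind, stamp = ("unsent", retracted) if retracted else ("edited", edited)
        delay = apple_ns(stamp) - apple_ns(sent)
        findings.append({
            "rowid": rowid, "kind": kind, "from_me": bool(from_me),
            "text_blank": not text,                  # NULL or empty string
            "modified_utc": apple_ns(stamp).isoformat(),
            "delay_s": int(delay.total_seconds()),
            "in_window": delay <= WINDOWS[kind],     # False deserves a second look
            "has_summary_info": bool(has_summary),   # version history to decode
        })
    return findings

if __name__ == "__main__":
    for finding in triage(build_sample_db()):
        print(finding)
```

Run it against a working copy of an extracted sms.db by replacing `build_sample_db()` with `sqlite3.connect()` on that copy.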