What you don’t know can’t hurt you.
Apple Continuity, iCloud Sync, and Digital Forensics
Apple Continuity, introduced in 2014 with iOS 8.0, is a feature that allows seamless sharing of data between Apple devices connected to a common iCloud account. iCloud Sync has been around significantly longer; it keeps data in sync across your devices by pushing data from one device to iCloud and then back down to all your other iOS devices. If you use Apple devices you’ll find that these features make it feel as if there’s a good bit of magic involved. You can:
- Copy text from a document on one device and paste it into an email on a completely different device.
- Receive a phone call on your iPhone and answer it with your MacBook Pro or iWatch.
- Create an instantaneous hot spot to share your phone’s data service with your Mac.
- Send contact information, presentations, and documents to other iOS users instantly and without network setup.
- Take a picture or video with your iPad and share it effortlessly across all associated devices.
It’s really cool, really convenient, and it just works.
And like Johnny Appleseed, Apple sync methods spread seeds of data everywhere. That is, after all, their job. But like all technological innovations, this technology can have a dark side. Within the last several months here at Tetra Defense, formerly Gillware Digital Forensics, we’ve started to get some hands-on experience with some unintended negative consequences of syncing through iCloud.
What Could Possibly Go Wrong?
We’ve had a number of requests for examinations of iOS devices with seemingly mysterious properties. Problems generally arise when users aren’t aware of the existence of Apple’s syncing mechanisms or when they’re implemented incorrectly. Some continuity features are active by default, and as a result, an iOS update from iOS 7 to iOS 8 can result in surprise-syncing of data to a device.
The potential unintended consequences? Data leakage, unintentional sharing of personal communications, and unwanted files dropped into the devices of unsuspecting users.
Apple Continuity was central to a recent mobile forensics case here at Tetra Defense.
When employees complained that their work mobile devices were suddenly and unexpectedly populated with pornographic images, a client submitted a bunch of iPads and iPhones to Tetra for examination. All of the devices shared a connection to the same county-managed iCloud account.
As it turned out, one employee had, with the county’s iPhone, taken some personal pictures. Very personal pictures. They’d been synced to the iCloud account, and through the magic of iCloud syncing, the images populated to other devices connected to the common iCloud account as well. Careful mobile forensic examinations, testing, and research allowed us to identify the source of the images and solve the mystery.
And yes, someone lost their job over this.
Nathan Little (one of the partners at Tetra) and I have observed similar magic happen with other types of data through Apple Continuity. This includes music files, iMessages, and SMS messages, and it could happen with other types of data too. The purpose of continuity is to keep data on devices associated with a particular iCloud account synced and up to date, keeping data conveniently and seamlessly accessible across devices. Mistakes in setting up continuity on any of the individual devices can lead to unintended data syncs and unexpected device behaviors.
The takeaway? Forensic examiners should consider Apple Continuity and other syncing mechanisms in every Mac and iOS based forensic examination.
A Lack of Resources
Apple Continuity, the newer Apple sync mechanism, has the potential to present some larger investigative and forensics questions. With other Apple syncing mechanisms, metadata, file, and path names give us clues of data syncing. Continuity clues are more subtle. None of the commercially available mobile forensic tools feature the ability to untangle continuity artifacts yet. Worse, there is very little information or training regarding these artifacts.
SANS Institute instructors Heather Mahalik and Sarah Edwards gave an interesting presentation on continuity artifacts at the SANS DF/IR Summit this summer in Austin. Apple Continuity is covered in the SANS FOR 585 Advanced Smartphone Forensics and FOR 518 Mac Forensics courses. Other than that, though, there isn’t much easily accessible information out there for forensic examiners.
As a forensic examiner, if you’re not a Mac or iPhone user and are unfamiliar with the magical possibilities of Apple Continuity, this is problematic. In one case, two different examiners looked at the data before the Tetra forensics team figured out that continuity was the source of mysterious data automatically populated to an iOS device.
Apple Continuity Raises the Stakes
Apple Continuity is no poison apple, but forensic investigators should consider it carefully.
In digital forensics, what we don’t know can hurt us. Worse, it can potentially have unintended harmful consequences for innocent people. Imagine if the case described earlier had involved images of child pornography? Apple Continuity and sync artifacts can potentially make it more difficult to determine who was behind the keyboard. Not to mention what particular keyboard was involved.
Could Apple Continuity and other sync artifacts potentially mimic “hacking” behavior, allowing unintended access to personal communications? Potentially, yes. Especially if we’re unaware of their existence and behaviors, and don’t look for them.
If someone mysteriously ends up with someone else’s data, it is easy to leap to the conclusion that the access was intentional and nefarious. The goal of digital forensics should be to discover the truth about what happened using the digital artifacts available. We have to learn about technologies such as Apple Continuity and iCloud sync, and understand how to reveal the truth behind the “magic”.
No Black Magic in Apple Continuity
Despite all appearances, there is no black magic in Apple Continuity.
True to Locard’s Exchange Principle, data exchanges involving Apple Continuity leave traces. However, these are traces that forensic examiners have to dig for in order to find. Continuity artifacts may exist in the Mac, in the iPhone, in the iPod, and in the associated common iCloud account. Simply producing a canned report from a mobile forensics tool won’t reveal them or explain their relevance.
A look at how iCloud displays multiple devices synced to the same account.
From a digital forensic examiner’s perspective, Apple Continuity and other sync mechanisms can mean that we have more potential data sources than what meets the eye. When multiple devices sync to a common iCloud account, the data we’re seeking might exist on other devices and in the iCloud account as well. This is good news! If you can’t crack into that locked iPhone, maybe evidence of browsing activities, pictures, texts or calls resides on the Mac or iPad.
But forensic examiners must tread carefully around their assumptions about where data came from when multiple devices sync up to the same iCloud account.
Many times, users don’t understand how their iCloud account interacts with the devices synced to it. They also lack awareness of other devices synced to the same account. People tend to create and use iCloud accounts at device setup and then forget about them. Also forgotten is the fact that the account acts as the bridge for syncing data across devices. It’s a good idea to log into your iCloud account occasionally to see the devices associated there, and remove any old devices that are no longer in active use.
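As an added illustration (not from the original post), here is a small Python helper that does the cross-device correlation described above over a constructed inventory: it groups extracted items by content hash, reports which devices on the shared account hold each item, and names the device that saw it first, while flagging cases where the earliest sightings are too close together to call an origin. Device labels, hashes and timestamps are made up, and the "first seen" time stands in for whatever file-system or metadata timestamp the examiner's tool actually extracts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Record:
    device: str      # label of the device the record was extracted from
    sha256: str      # content hash, so the same picture matches across devices
    first_seen: str  # ISO-8601 time the item first appeared on that device


# Constructed sample inventory: three devices sharing one iCloud account.
# (Hashes are placeholders, not real digests.)
SAMPLE = [
    Record("iphone-work-01", "h-photo-1", "2019-03-04T09:15:00+00:00"),
    Record("ipad-work-07",   "h-photo-1", "2019-03-04T09:16:40+00:00"),
    Record("ipad-work-12",   "h-photo-1", "2019-03-04T09:17:05+00:00"),
    Record("ipad-work-07",   "h-report",  "2019-03-01T14:00:00+00:00"),
    Record("iphone-work-01", "h-photo-2", "2019-03-05T20:02:00+00:00"),
    Record("ipad-work-12",   "h-photo-2", "2019-03-05T20:02:30+00:00"),
]

# If the two earliest sightings are closer than this, clock skew or sync
# latency could explain the order, so no origin is asserted (assumed value).
AMBIGUOUS_GAP_SECONDS = 60


def correlate(records):
    """Group records by content hash and assess, per hash, which device saw it first."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r.sha256].append(r)
    assessment = {}
    for h, recs in by_hash.items():
        recs = sorted(recs, key=lambda r: datetime.fromisoformat(r.first_seen))
        devices = sorted({r.device for r in recs})
        ambiguous = False
        if len(recs) > 1:
            gap = (datetime.fromisoformat(recs[1].first_seen)
                   - datetime.fromisoformat(recs[0].first_seen))
            ambiguous = gap.total_seconds() < AMBIGUOUS_GAP_SECONDS
        assessment[h] = {
            "devices": devices,
            "shared": len(devices) > 1,          # on more than one device => synced
            "earliest_device": recs[0].device,
            "earliest_seen": recs[0].first_seen,
            "ambiguous": ambiguous,
        }
    return assessment


def synced_items(assessment):
    """Hashes present on more than one device: presence alone does not prove local creation."""
    return sorted(h for h, a in assessment.items() if a["shared"])
```

Items that come back as shared should be treated as having arrived on at least one of those devices through the account, so the device they were found on is not automatically the device they were created on.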
Turning off Continuity Features
If you’d like to turn off Apple Continuity because you feel the convenience just doesn’t outweigh the risks, a fairly simple set of instructions is shown below for your convenience:
To Disable Handoff:
- On Mac, choose the Apple menu. Next, choose System Preferences, then click General. Deselect “Allow Handoff between this Mac and your iCloud devices.”
- For iPhone, iPad, or iPod touch, go to Settings > General > Handoff, then turn off Handoff.
- On Apple Watch, open the Apple Watch app on your iPhone, then tap General and turn off Enable Handoff.
To Disable Synced Calls:
- On iPhone, go to Settings > Phone > Calls on Other Devices, then turn off Allow Calls on Other Devices.
- For iPad or iPod touch, go to Settings > FaceTime, then turn off Calls from iPhone.
- On Mac, open the FaceTime app, then choose FaceTime > Preferences. Click Settings, then deselect Calls From iPhone.
To Disable Synced Messages:
- On iPhone, go to Settings > Messages > Text Message Forwarding, then switch off text message forwarding for all devices, or for whichever devices you choose.
Brave New World
In the realm of computer and mobile forensics, each new innovation in storing and sharing data brings us into a brave new world. Whenever the world of computers and mobile devices changes, so too must we change. We must now account for complications and other twists and turns in forensic investigations that can arise due to data-syncing features like Apple Continuity.