iOS 10 is up and running, but there is a question mark hanging over Apple’s private browsing. I am sure Apple users are going to be thrilled to hear that Apple have made the private browsing feature in Safari less ‘private’ in iOS 10.
Up until now, computer forensics analysts have been able to recover ‘Suspend State’ from iOS devices for both the private browser and the normal browser. Suspend State is the ‘back-forward’ list within the handset web browser ‘Safari’: links to web pages recently visited within currently open tabs, allowing the user to easily go backwards or forwards to a specific web page. Suspend State was previously stored in a PList, which means that when you closed a tab the web page entry was removed from the PList. Storing the data in a PList means you cannot recover deleted or closed tabs, so users could rest assured that once they closed the web page there was no chance of retrieving it.
Unfortunately for Apple users, Suspend State is now stored in a database, which means recovering deleted records is now possible.
I carried out an experiment with an iPhone 5S running iOS 10.0.1. I populated the iPhone by opening new tabs within the Safari browser in private mode. Extracting the iPhone using XRY version 7.1, the web pages were present within the extraction. XRY also extracted the entries as ‘hidden’. Opening the new database ‘BrowserState.db’, it shows a column within the database which tracks whether the web pages were opened in private mode.
The experiment continued: the web pages within private mode were closed and the phone was extracted again. Just like magic, the entries were no longer present within the database. So that means private browsing is secure, right? Sorry, unfortunately not!
XRY recovered those closed web pages. So whether you’re browsing the web in private mode or not, Safari web history can be recovered regardless using the latest forensics tools!
So what could Apple do to ensure that the data is more ‘private’? SQLite has a database setting, PRAGMA secure_delete, which overwrites any deleted content with zeros rather than leaving it in place in the file. If Apple enabled this setting on the database, the deleted data would be irretrievable. So why didn’t Apple do this? Some say that it would make the Apple Safari browser slower. So I guess Apple chose user experience over user privacy. Which one would you prefer?
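The following script is an added example (not part of the original article and not Apple’s or XRY’s code) that reproduces the behaviour described above on a plain SQLite file: rows carrying a recognisable marker are inserted into a constructed ‘tabs’ table, deleted, and the raw database file is then scanned for the marker bytes. With PRAGMA secure_delete=OFF (SQLite’s usual default) the deleted URLs are still readable in the file; with it ON they are zeroed. The table layout, the marker string and the temporary file path are assumptions for the demonstration; the real BrowserState.db schema is not reproduced here.

```python
import os
import sqlite3
import tempfile

# Constructed, easily recognisable payload so we can search for it in raw bytes.
MARKER = "PRIVATE-TAB-MARKER-7f3a"


def residue_after_delete(secure_delete: bool) -> bool:
    """Create a fresh SQLite file, insert 'private tab' rows containing MARKER,
    delete them, then return True if MARKER bytes survive in the closed file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    os.remove(path)  # let SQLite create the file from scratch
    try:
        # isolation_level=None => autocommit, so every statement hits the file.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA journal_mode=DELETE")  # rollback journal, removed after each commit
        con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        # Hypothetical schema standing in for a browser 'suspend state' table.
        con.execute(
            "CREATE TABLE tabs(id INTEGER PRIMARY KEY, url TEXT, private INTEGER)"
        )
        for i in range(5):
            con.execute(
                "INSERT INTO tabs(url, private) VALUES (?, 1)",
                ("https://%s.example/page-%d" % (MARKER, i),),
            )
        # Closing the private tabs: the rows are removed from the logical table...
        con.execute("DELETE FROM tabs WHERE private = 1")
        assert con.execute("SELECT COUNT(*) FROM tabs").fetchone()[0] == 0
        con.close()
        # ...but a forensic tool reads the file, not the table. Look at the bytes.
        with open(path, "rb") as f:
            return MARKER.encode() in f.read()
    finally:
        if os.path.exists(path):
            os.remove(path)


def compare() -> dict:
    """Run both configurations and report whether deleted content was recoverable."""
    return {
        "secure_delete_off": residue_after_delete(False),
        "secure_delete_on": residue_after_delete(True),
    }


if __name__ == "__main__":
    for setting, recoverable in compare().items():
        print("%s: deleted URLs still in file = %s" % (setting, recoverable))
```

The scan is deliberately crude (a substring search over the whole file) because that is essentially what carving deleted SQLite records amounts to: unallocated space and freeblocks inside a page keep their old bytes until something overwrites them. Note that secure_delete only zeroes content inside the database file and its journal; copies of the data in backups, snapshots or an already-extracted image are untouched, so the setting limits what a later extraction can recover rather than erasing history that has already left the device.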
By Stacey Jury, IntaForensics, Digital Forensic Analyst:
Stacey is a competent and accomplished Digital Forensic Analyst specialising in Mobile Devices with applied experience in case management – performing logical and physical analysis on over 1750 mobile devices. Before that, Stacey obtained a First Class Honours BSc Degree in Computer Forensics at the University of South Wales. Alongside her degree, Stacey has completed the IntaForensics peer assessment on the procedural requirements of exhibit continuity and Forensic Imaging of digital media and has received expert witness training in Excellence in Written Evidence and Witness Familiarisation from Bond Solon. Stacey has experience in advanced data recovery via flash boxes and JTAG tools such as Volcano Box, Infinity Box, Advanced Turbo Flasher, BEST, GPGEMMC, Z3X and RIFF Box.