Apple always likes to change things up and it’s impossible to see everything that has changed right away, even with all the amazing DFIR researchers out there. Sometimes it takes a customer to email with a question on how the tool is behaving. This is why I decided to write this blog. I want to thank that customer and anyone reading this for validating! This is key to our craft in DFIR. I also want to thank Ian Whiffin for hearing me out and sharing screenshots from test devices.
Testing and Validation:
iPhone 15 Pro running 17.4.1 – Message Retention is set to Forever and was previously set to Forever in iOS 16.
It’s a known fact that I work at Cellebrite with a group of brilliant examiners. Part of our job is helping customers make sense of data. A question came in about message retention and why PA 10 was reporting one thing and the phone showed another. Same day, different question, new bug? Or new method of tracking settings on the device? For this matter, it was a bit of everything. Apple changed the way message retention is tracked in com.apple.MobileSMS.plist.
This plist can be located here: /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist.
This plist can be located here: /private/var/mobile/Library/Preferences/com.apple.MobileSMS.plist.
The good news is that this file is accessible with an encrypted iTunes backup, advanced logical, and full file system extractions. I didn’t bother testing unencrypted backups because so much data is missed.
ALWAYS encrypt the backup.
ALWAYS encrypt the backup.
For as long as I can remember, we have been reading the values from the com.apple.MobileSMS.plist under KeepMessageForDays. The values may be:
KeepMessageForDays = 0 = Forever
KeepMessageForDays = 365 = 1 Year
KeepMessageForDays = 30 = 30 Days
**Note – for iOS 13 and earlier if KeepMessageForDays is missing from the plist, the message retention was set to Forever on that device. According to Ian Whiffin, if the default message retention of Forever is never changed (regardless of iOS version), the KeepMessageForDays may also be missing from the plist. We plan to validate this further as we will soon have access to devices where that setting has never been modified and will also look for the new values.
So just when we are comfy with the values in this plist, iOS 17 came along and changed how the values are stored. While the KeepMessageForDays may exist in the com.apple.MobileSMS.plist, it is no longer in use by Apple for tracking message retention in devices that are running iOS 17. The values here seem to reflect old settings of message retention, and not what the device settings currently reflect. Don’t you love when old remnants are left behind that cause confusion?
So just when we are comfy with the values in this plist, iOS 17 came along and changed how the values are stored. While the KeepMessageForDays may exist in the com.apple.MobileSMS.plist, it is no longer in use by Apple for tracking message retention in devices that are running iOS 17. The values here seem to reflect old settings of message retention, and not what the device settings currently reflect. Don’t you love when old remnants are left behind that cause confusion?
For iOS 17, we need to rely upon the value stored under SSKeepMessages. The values will be the same as before.
SSKeepMessages = 0 = Forever
SSKeepMessages = 365 = 1 Year
SSKeepMessages = 30 = 30 Days
Testing and Validation:
Ian provided me with 4 examples from test devices and I used 3 of my own test devices and my personal phone. Here are some examples you may come across that I think makes the point of the blog.
iPhone 15 Pro running 17.4.1 – Message Retention is set to Forever and was previously set to Forever in iOS 16.
