We are constantly fighting a tide of new firmware versions from smartphone manufacturers, and it is easy to get overwhelmed with the changes. Each of these firmware versions can dramatically change the results we receive in our acquisitions and with our investigations. Lately iOS 9 has been released, patched, and released; it is good to know where you stand with this firmware when it comes to your examination.
The big area of change for iOS is in the user data found in the Notes App. This App, although ignored by some, can be a wealth of information for an investigator. The Notes have now been improved to be able to include the following data: images, locations and links to the site. It is important to note this so you can make sure you look when you acquire this information and confirm that you are seeing all that is available in the App. Data structure that is recovered with DS 7.2 includes the following information:
Date Created ( ZCREATIONDATE )
Note ID ( ZIDENTIFIER )
Title ( ZTITLE1)
Text Preview ( ZSNIPPET )
URL ( ZURLSTRING )
Description ( ZTITLE )
Short Summary ( ZSUMMARY )
Note Date Modified ( ZMODIFICATIONDATE1 )
Attachment Date Modified ( ZMODIFICATIONDATE )
Attached File Name ( ZFILENAME )
Attachment Type ( ZTYPEUTI )
Attached File Size ( ZFILESIZE )
Attached File Duration ( ZDURATION )
It may not seem to be the most exciting information, but the Notes can be a dedicated resource to the users of the iOS devices and that equals good evidence for your examination.