The Headline: Apple Is AUTO-Deleting Texts from iPhones
Simply put, this is what you MUST know: Apple near-instantly auto-deletes text messages from the iPhone (or other Apple device) on which they are sent or received when that device has the Message sync feature of Apple’s publicly released (Sept. 2022) iOS 16 enabled [see https://apple.co/42ciccL].
The Implication: You CANNOT assume or expect that a forensic collection of a custodian’s Apple device (iPhone, iPad, Mac, etc.) has preserved a particular targeted text message, or even any text messages within a litigation or investigation-relevant date range. In other words, having a vendor forensically collect the content from an Apple device (likely?) may not be sufficient to meet your ESI preservation duties and/or investigation needs.
Why This Is Happening: Apple has rolled out a new feature that syncs a user’s Messages (SMS, MMS, iMessage) across all of their Apple devices so that the user can near-seamlessly continue on with their work or communications from whatever Apple resource they are using.
To accomplish this, when the user enables the feature (for now, it is not enabled by default), Apple moves all of the messages from the local user device to the user’s iCloud account…and deletes them from the local device from which they originated. Once the initial set-up and local deletion process is complete, iOS syncs data across the user’s domain, executing the “move/delete” process. Anecdotal observations to date place the move/delete process within seconds of send/receive. The user (or forensic vendor) is not given an indication of sync status (whether Messages on the device have also been synced to iCloud) at any given point in time.
Protek is seeing this feature commonly enabled by users in the Apple collections that we have conducted since Apple added this feature. Also, anecdotally, it appears that most vendors are not yet aware of this development.
How Do You Avoid Getting Burned by This: The generally foolproof way is going to be collecting the content of the local device, any iCloud backups of the device, and the iCloud sync. In addition, there are somewhat complex steps that should (and shouldn’t) be taken by the user and the forensic vendor at the outset of the preservation/collection process to limit the exposure to spoliation issues. Protek will be detailing and sharing these in a white paper to follow.
What Next: As referenced, Protek will shortly be releasing a white paper with further detail that can be shared with your favorite vendor to assist you in navigating this issue.
If you would like to make sure to receive the white paper and future EDGE Alerts, please feel free to send a note with the subject line “Send EDGE Alerts” to firstname.lastname@example.org.
And please don’t hesitate to buzz us with whatever “e” issues might be confounding you. We’re happy to share our thoughts, and it’s a great way for us to keep on top of the latest challenges.