Forensic Question:
A classmate of mine contacted me and posed a question, “Where in an iPhone extraction is the Display Auto-Lock setting stored?” Thanks, Tyler Wuestenhagen, for posing the question and getting me thinking.
I did a little research, like reviewing the SANS FOR585 poster and class notes, but could not find the easy answer. I reached out to some other examiners, and they too were a bit puzzled about where those settings might be saved or which property list (plist) they might be stored in.
Tyler was able to narrow down the search when he discovered the PublicEffectiveUserSettings.plist. This plist can be found at the following location on iPhone extractions: \private\var\mobile\Library\UserConfigurationProfiles\PublicInfo\
After learning about the plist, I started working on testing and validating the data stored in the plist.
Testing Device:
- iPhone 6s Plus (iPhone8,2 (A1687))
- iPhone 12 Pro (iPhone13,3 (A2341))
OS Versions:
- iOS: 12.4.8
- iOS: 13.5.1
- iOS: 14.4.2 (18D70)
- iOS: 15.0 (19A346)
- iOS: 15.0.2 (19A404)
- iOS 16.0 (20A5303i)
The PublicEffectiveUserSettings.plist was found in each of the data extractions listed:
- Cellebrite Advance Logical Extraction – UFED 4PC
- Cellebrite Advance Logical Full File System – device jailbroken with Checkm8 – UFED 4PC
- ArtEx ArtExtraction – Full Extraction – device jailbroken with Checkm8
- ArtEx ArtExtraction – Live Connection – device jailbroken with Checkm8
- Consent Full File System Extraction
Tools:
- Cellebrite UFED 4PC 7.47.0.247
- Cellebrite Physical Analyzer 7.47.0.58 & 7.48.0.49
- Magnet AXIOM 5.4.0.26185
- ArtEx 1.6.0.0 & 2.0.0.4
- Mushy 2.0.0.6
Based on testing, I have determined there are several device settings stored within the PublicEffectiveUserSettings.plist, but I will only be discussing two of those settings: the Display Auto-Lock setting and the Required Passcode setting.
Display & Brightness Auto-Lock Setting:
In the Display & Brightness setting there is a setting titled Auto-Lock as seen in Figure 2.
During testing, the Display Auto-Lock options were 30 Seconds, 1 Minute, 2 Minutes, 3 Minutes, 4 Minutes, 5 Minutes and Never:
These Display Auto-Lock settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if the Display Auto-Lock setting is set to auto-lock after 2 minutes as seen in Figure 3, the value key integer will be “120” meaning 120 seconds or 2 minutes.
To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxInactivity key. Once you have located these keys you will notice an integer that represents the setting value in seconds, as seen in Figure 4.
Apple Developer website, https://developer.apple.com/documentation/devicemanagement/passcode, defines maxInactivity as “the maximum number of minutes for which the device can be idle, without being unlocked by the user, before it gets locked by the system. When this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the maxInactivity value.”
You will also notice a key for rangeMinimum. This key integer is the value in seconds for the minimum setting. Notice in Figure 3, the minimum setting is 30 seconds.
Note: There are several ways to view property lists, that include on an Apple computer, within forensic tools and third party plist viewing tools. In this instance, I used Ian Whiffin’s “Mushy PLIST Viewer,” which can be downloaded at the following link along with his other FREE tools: https://www.doubleblak.com/software.php
Touch ID & Passcode Require Passcode Setting:
In the Touch ID & Passcode settings there is a setting titled Require Passcode as seen in Figure 5.
During testing, the Require Passcode options were Immediately, After 1 minute, After 5 minutes, After 15 minutes, After 1 hour and After 4 hours:
Similarly with the Display Auto-Lock settings, these settings are stored in the PublicEffectiveUserSettings.plist in seconds. For example: if Require Passcode setting is set to be required after 5 minutes as depicted in Figure 6, the value key integer will be “300” meaning 300 seconds or 5 minutes.
To find this value key integer within the PublicEffectiveUserSettings.plist you will need to find the restrictedValue key, then the maxGracePeriod key. Once you have located these keys, you will notice an integer that represents the setting value in seconds, as seen in Figure 7.
Apple Developer website, https://developer.apple.com/documentation/devicemanagement/passcode, defines maxGracePeriod as “the maximum grace period, in minutes, to unlock the phone without entering a passcode. The default is 0, which is no grace period and requires a passcode immediately.”
In Figure 7 you will notice additional keys are highlighted. The additional keys listed under the maxGracePeriod key, are rangeMaximum and rangeMinimum. These keys indicate the maximum setting and minimum setting within the setting menu as seen in Figure 6.
During testing, I made changes to the device settings six times. Below are the device settings followed by the values listed in the PublicEffectiveUserSettings.plist.
Test One
- No passcode
- Display Auto-Lock = 2 minutes
- Require Passcode = not set
- maxInactivity value = 120
- maxGracePeriod value = 0
Test Two
- 6-digit passcode
- Display Auto-Lock = 30 seconds
- Require Passcode = immediately
- maxInactivity value = 30
- maxGracePeriod value = 0
Test Three
- 6-digit passcode
- Display Auto-Lock = never
- Require Passcode = 1 minute
- maxInactivity value = 2147483647
- maxGracePeriod value = 60
Take note, in test three, the Screen Auto-Lock setting was set to never and the maxInactivity value is “2147483647.”
Test Four
- 6-digit passcode
- Display Auto-Lock = 1 minute
- Require Passcode = 5 minute
- maxInactivity value = 60
- maxGracePeriod value = 300
Test Five
- 6-digit passcode
- Display Auto-Lock = 3 minutes
- Require Passcode = 4 hours
- maxInactivity value = 180
- maxGracePeriod value = 14400
Test Six
- No passcode
- Display Auto-Lock = 2 minutes
- Require Passcode = 5 minutes
- maxInactivity value = 120
- maxGracePeriod value = 300
After testing, I removed the passcode from the test device. When I checked the settings for Require Passcode, it was grayed out, but was still set on the last setting, which was after 5 minutes as seen in Figure 8.
After noticing this, I conducted another extraction and discovered the plist maxGracePeriod value was still set at 300 seconds. I tested to determine if this setting was still active even though the device did not have a passcode. I changed the Display Auto-Lock setting to never, turned the screen on and set the device on my desk. After 5 minutes, the display did not auto-lock and the device did not require a passcode, thus even though this setting was still set in the plist, it was not active and did not make any changes to the device status.
iOS 15.0 Update:
Based on limited testing, it appears the information related to Display Auto-Lock is the same in iOS 15.0 as it was in 14. Figure 9 depicts the Display Auto-Lock was set to Never (maxInactivity > value = 2147483647) as seen in the PublicEffectiveUserSettings.plist. Another test was conducted, where I changed the setting from never to 4 minutes and the maxInactivity > value = 240.
The Require Passcode setting is different!?!?
The Require Passcode setting only has one option which was…
IMMEDIATELY
The only way to change the setting was to remove Touch ID or Face ID. I noticed the rangeMaximum is 14400 or 4 hours, but as you can see in Figure 10, that is not an option that I can select at that time.
When using Touch ID or Face ID the only option for “Require Passcode” is immediately.
Consideration:
I did not test every possibility using these settings. You should also consider additional factors might affect these settings prior to the data acquisition. An example of this could be a first responder/different examiner making changes to these settings when the device is seized or when the data is acquired but failed to document these changes. Some forensic tools recommend making changes to these settings prior to data acquisition.
Conclusion:
I would like to say thanks to everyone who assisted with validation of this writeup. I hope this information will help you with future analysis.
Update 10/30/2021:
I have an iPhone 6s Plus (iPhone8,2 (A1687)) test device which has iOS 15.0.2 (19A404) installed. I know the passcode for the device and was able to get a Full File System acquisition. Using the full file system data, I was able to confirm that information listed in this blog also applies to iOS 15.
Update 7/4/2022:
I have an iPhone 12 Pro (iPhone13,3 (A2341)) test device which has iOS 16.0 (20A5303i) installed. I was able to get a backup acquisition and confirm that information listed in this blog also applies to iOS 16.
Update 9/7/2022:
I prepared a short virtual presentation about this research for DFRWS 2022 USA.
The Forensic Scooter 