January 29, 2020 | By: Felix Fainshtein - Researcher in R&D, Cellebrite
Apple introduced the Screen Time feature with the release of iOS 12, towards the end of 2018. The feature empowers users with insight into how they are spending time with apps and websites, creating detailed daily and weekly “Activity Reports” that show the total time spent in each app, usage across categories of apps, number of notifications received, and how often one picks up their iPhone or iPad.
Like Google’s “Family Link,” Screen Time allows users to enforce various types of usage limitations on their device or on those devices linked through family sharing.
As a parent, you can remotely limit the time your children spend on social media apps per day, define what apps they can purchase in the App Store, blacklist unsuitable websites, and much more.
As intriguing as these possibilities are, the real forensic value lies within the data that is collected and stored by the Screen Time feature to enable its functionality. Let’s take a more in-depth look.
As mentioned, the device must have iOS 12 or above. To turn the feature on, press Settings > “Turn On Screen Time,” and select whether this is your device or your child’s.
From this point on, Screen Time starts to monitor usage data. The main screen should look something like this (both top and bottom halves displayed side by side here), depending on how up-to-date your iOS is.
Looking at the Settings from the top down, we first see a histogram showing the total time spent using the device per day.
Upon selecting “See All Activity,” you are presented with a daily or weekly report, which provides an insightful drill-down into the specific apps used and their total usage time, as seen in the two screenshots on the left-hand side.
Going back to the main screen, there are five configurations you can choose to manage and limit usage, such as the Downtime hours or Content and Privacy restrictions. And finally, at the bottom, you can set up a 4-digit passcode, which will be required to make changes to the configurations.
You can toggle “Share Across Devices,” which will share your Screen Time report with other connected devices. If enabled on a connected device, such as that of your child or your spouse, you will see their device usage reports.
Now that we have a general overview of the feature, let’s take a deeper look into the database that stores this data and see what insights can be derived.
A Look Into The Screen Time Database
The database, which stores the Screen Time data, is called “RMAdminStore-Local.sqlite.” This database can be located under the path: < root/mnt2/mobile/Library/Application Support/com.apple.remotemanagementd > when performing a full file system extraction.
By cross-referencing database tables, and through many trial-and-error attempts, we were able to combine the scattered pieces of information into single, focused models, starting with the user account model.
Being a per device/user feature, one would expect Screen Time to store some data on the user themselves. The ZCOREUSER table below holds that information.
This table not only holds information about the user registered in the extracted device, but it also shows all users who have been added as part of the family sharing. We can determine the user’s Apple ID and their name (as can be seen in the Settings). We can identify the age group – determined by the birth date entered in the settings – and we have an indication whether this user has remotely added additional users, which can be crucial to determining whether a suspect has additional phones. Combining data from the ZCOREORGANIZATIONSETTINGS and ZCOREDEVICE tables, we can also find the device’s name and the passcode for Screen Time – if selected – for each user.
Installed And Deleted Applications
The database also stores information about the apps that are installed, including those that have been deleted from the device. This can be seen in ZINSTALLEDAPP.
The above data displays only apps – native or 3rd party – that are installed on the device. However, by using UFED Physical Analyzer’s ability to recover deleted records, we can identify the names of apps that were deleted from the device.
This information can be vital in an investigation.
Another unique feature of UFED Physical Analyzer is that in certain instances it can also provide details of the apps’ installation and deletion dates (if they were deleted), which aren’t trivially written in the table. This is true for apps that were installed/deleted after the activation of Screen Time, because for other apps, research has shown that these dates will simply register to be the moment of activation.
The applications listed above belong not only to the extracted device’s user, but also to the devices that were added to the family network. We can tell them apart with the ZUNIQUEIDENTIFIER column.
Application Usages
The Screen Time reports we discussed earlier, showing a user’s overall app usage statistics, couldn’t have been possible without some data-source monitoring. That data source lies in the three tables shown below – ZUSAGEBLOCK, ZUSAGECATEGORY, and ZUSAGETIMEDITEM.
Contrary to the reports you can see on the device itself, which only show the total daily usage of a certain app, the stored data can paint a much more detailed picture of the application usages. Screen Time registers all application usages relative to a certain fixed timestamp, and at some point, that timestamp changes (advances) and all usages from that point on will register relative to it.
So, while exact timestamps of these usages are unavailable, we can use the given data to narrow down the usage of an app to a time window that is as narrow as one hour or as wide as five hours. This window depends on the usage pattern – when the phone is idle for a long time, the windows tend to be wider. For each time window, we can see how long in total an app was being used. The results of this can be seen in the UFED Physical Analyzer’s Application Usage model under Analyzed Data > Applications:
If you look again at the ZUSAGETIMEDITEM table (two figures above), you can see a column labeled “ZDOMAIN.” These are the actual domains (not full URLs) of websites the device has visited. Although the database can be finicky as to whether this information will be written, it can be quite valuable for an investigator and might complement data that wasn’t present in other web-history sources. You can find this data parsed into the Web History model under “Analyzed Data.”
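The block-relative usage model and the ZDOMAIN column described above, as an added example (not Cellebrite's or UFED Physical Analyzer's code): it joins the three usage tables and bounds each usage window by the start of the next block. The join keys and every column name other than ZDOMAIN are assumptions to verify against the real schema, the date conversion assumes the usual Core Data epoch, the sample rows are constructed, and all blocks are treated as one device's stream.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data date zero
# Assumed column names (only ZDOMAIN is named in the article); check .schema.
ITEMS_SQL = """
SELECT b.ZSTARTDATE, t.ZBUNDLEIDENTIFIER, t.ZDOMAIN, SUM(t.ZTOTALTIMEINSECONDS)
FROM ZUSAGETIMEDITEM t
JOIN ZUSAGECATEGORY c ON c.Z_PK = t.ZCATEGORY
JOIN ZUSAGEBLOCK b ON b.Z_PK = c.ZBLOCK
GROUP BY b.ZSTARTDATE, t.ZBUNDLEIDENTIFIER, t.ZDOMAIN
ORDER BY b.ZSTARTDATE, t.ZBUNDLEIDENTIFIER, t.ZDOMAIN
"""

def open_readonly(path):
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never write to evidence

def to_utc(seconds):
    return None if seconds is None else CORE_DATA_EPOCH + timedelta(seconds=seconds)

def usage_windows(conn):
    """Return (window_start, window_end, bundle_id, domain, seconds) rows.
    A window ends where the next block starts; the newest block has end=None."""
    starts = [r[0] for r in conn.execute(
        "SELECT DISTINCT ZSTARTDATE FROM ZUSAGEBLOCK ORDER BY ZSTARTDATE")]
    next_start = dict(zip(starts, starts[1:]))
    return [(to_utc(s), to_utc(next_start.get(s)), bundle, domain, int(total))
            for s, bundle, domain, total in conn.execute(ITEMS_SQL)]

def build_sample_db():
    """Constructed rows for illustration, not taken from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE ZUSAGEBLOCK (Z_PK INTEGER PRIMARY KEY, ZSTARTDATE REAL);
      CREATE TABLE ZUSAGECATEGORY (Z_PK INTEGER PRIMARY KEY, ZBLOCK INTEGER);
      CREATE TABLE ZUSAGETIMEDITEM (Z_PK INTEGER PRIMARY KEY, ZCATEGORY INTEGER,
        ZBUNDLEIDENTIFIER TEXT, ZDOMAIN TEXT, ZTOTALTIMEINSECONDS INTEGER);
      INSERT INTO ZUSAGEBLOCK VALUES (1, 601970400), (2, 601974000), (3, 601992000);
      INSERT INTO ZUSAGECATEGORY VALUES (1, 1), (2, 1), (3, 2), (4, 3);
      INSERT INTO ZUSAGETIMEDITEM VALUES
        (1, 1, 'com.example.chat', NULL, 300), (2, 2, 'com.example.chat', NULL, 120),
        (3, 2, NULL, 'example.org', 45), (4, 3, 'com.example.maps', NULL, 900),
        (5, 4, 'com.example.chat', NULL, 60);
    """)
    return conn

if __name__ == "__main__":
    for row in usage_windows(build_sample_db()):
        print(row)
```

On a real extraction, pass a working copy of RMAdminStore-Local.sqlite to `open_readonly()` and feed the connection to `usage_windows()`.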
As a final note, the database saves information not only about the extracted device, but also information from devices added through Apple’s Family Sharing option. Seeing all of the above information for other devices, such as a child’s or spouse’s, can prove to be very useful in cases of domestic violence or when a suspect’s device is unavailable. The mere capability of Screen Time to effectively render some of the device’s core functions, like calling and texting, unusable can attract malicious users and be abused as a means of control over a device owner. This is another angle that examiners may want to pursue during an investigation.
In the UFED Physical Analyzer 7.29 release, we focus on presenting the data of the extracted device only. Stay tuned for updates regarding data of connected devices, which will be embedded in upcoming releases!
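Apple introduced the Screen Time feature with the release of iOS 12.
Looking at the Screen Time database, it is stored as a database named RMAdminStore-Local.sqlite under <root/mnt2/mobile/Library/Application Support/com.apple.remotemanagementd>, and it appears when an FFS extraction is performed.
The ZCOREUSER table in this database shows the characteristics of the user per device. This table shows information not only about the user of the extracted device but also about all users who are in family sharing with that user.
The database also stores information about installed applications, including applications that were deleted from the device.
Based on this, deleted records can be recovered using the capabilities of UFED Physical Analyzer.
In certain cases, PA can also provide details of an app's installation and deletion dates (if the app was deleted).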
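*Translated version link: https://blog.naver.com/cellebrite/221875995397
[Introduction of Apple Screen Time]
- Using Screen Time, each user's screen time, device name, and passcode can be found
- Stores information about installed apps; deleted apps are also possible
- Using the given data, app usage can be checked in hour-level windows
- Stores information about devices added through Apple's Family Sharing option
*The linked translated version differs from the content of this article.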
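With Apple's new iOS 12, the Screen Time feature was introduced; Screen Time creates activity reports for the user, and limits can also be set through family sharing. The artifacts created by the Screen Time feature have forensic value, and information about the user and about users added through sharing can be extracted from the database stored by this feature (RMAdminStore-Local). This is also important because, depending on whether the user has remotely added users, it can be determined whether the suspect has additional phones. This database also stores information about installed and deleted applications, so deleted items can be recovered with UFED Physical Analyzer, which can help an investigation.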