January 29, 2020 | By: Felix Fainshtein - Researcher in R&D, Cellebrite
Apple introduced the Screen Time feature with the release of iOS 12, towards the end of 2018. The feature empowers users with insight into how they are spending time with apps and websites, creating detailed daily and weekly “Activity Reports” that show the total time spent in each app, usage across categories of apps, number of notifications received, and how often one picks up their iPhone or iPad.
Like Google’s “Family Link,” Screen Time allows users to enforce various types of usage limitations on their device or on those devices linked through family sharing. As a parent, you can remotely limit the time your children spend on social media apps per day, define what apps they can purchase in the App Store, blacklist unsuitable websites, and much more. As intriguing as these possibilities are, the real forensic value lies within the data that is collected and stored by the Screen Time feature to enable its functionality. Let’s take a more in-depth look.
As mentioned, the device must have iOS 12 or above. To turn the feature on, press Settings > “Turn On Screen Time,” and select whether this is your device or your child’s. From this point on, Screen Time starts to monitor usage data. The main screen should look something like this (both top and bottom halves displayed side by side here), depending on how up-to-date your iOS is. Looking at the Settings from the top down, we first see a histogram showing the total time spent using the device per day.
Upon selecting “See All Activity,” you are presented with a daily or weekly report, which provides an insightful drill-down into the specific apps used and their total usage time, as seen in the two screenshots on the left-hand side.
Going back to the main screen, there are five configurations you can choose to manage and limit usage, such as the Downtime hours or Content and Privacy restrictions. And finally, at the bottom, you can set up a 4-digit passcode, which will be required to make changes to the configurations.
You can toggle “Share Across Devices,” which will share your Screen Time report with other connected devices. If enabled on a connected device, such as that of your child or your spouse, you will see their device usage reports. Now that we have a general overview of the feature, let’s take a deeper look into the database that stores this data and see what insights can be derived.
A Look Into The Screen Time Database
The database that stores the Screen Time data is called “RMAdminStore-Local.sqlite.” When performing a full file system extraction, it can be found under the path <root/mnt2/mobile/Library/Application Support/com.apple.remotemanagementd>.
By cross-referencing database tables, and through many trial-and-error attempts, we were able to combine the scattered pieces of information into single, focused models, starting with the user account model.
Being a per device/user feature, one would expect Screen Time to store some data on the user themselves. The ZCOREUSER table below holds that information.
This table not only holds information about the user registered in the extracted device, but it also shows all users who have been added as part of the family sharing. We can determine the user’s Apple ID and their name (as can be seen in the Settings). We can identify the age group – determined by the birth date entered in the settings – and we have an indication whether this user has remotely added additional users, which can be crucial to determining whether a suspect has additional phones. Combining data from the ZCOREORGANIZATIONSETTINGS and ZCOREDEVICE tables, we can also find the device’s name and the passcode for Screen Time – if selected – for each user.
Installed And Deleted Applications
The database also stores information about the apps that are installed, including those that have been deleted from the device. This can be seen in ZINSTALLEDAPP.
The above data displays only apps – native or 3rd party – that are installed on the device. However, by using UFED Physical Analyzer’s ability to recover deleted records, we can identify the names of apps that were deleted from the device.
This information can be vital in an investigation.
Another unique feature of UFED Physical Analyzer is that in certain instances it can also provide details of the apps’ installation and deletion dates (if they were deleted), which aren’t written in the table in any obvious way. This is true for apps that were installed/deleted after the activation of Screen Time; for other apps, research has shown that these dates will simply register as the moment of activation.
The applications listed above belong not only to the extracted device’s user, but also to the devices that were added to the family network. We can tell them apart with the ZUNIQUEIDENTIFIER column.
Application Usages
The Screen Time reports we discussed earlier, showing a user’s overall app usage statistics, wouldn’t be possible without a data source that monitors usage. That data source lies in the three tables shown below – ZUSAGEBLOCK, ZUSAGECATEGORY, and ZUSAGETIMEDITEM.
Contrary to the reports you can see on the device itself, which only show the total daily usage of a certain app, the stored data can paint a much more detailed picture of the application usages. Screen Time registers all application usages relative to a certain fixed timestamp, and at some point, that timestamp changes (advances) and all usages from that point on will register relative to it.
So, while exact timestamps of these usages are unavailable, we can use the given data to narrow down the usage of an app to a time window that is as narrow as one hour or as wide as five hours. This window depends on the usage pattern – when the phone is idle for a long time, the windows tend to be wider. For each time window, we can see how long in total an app was being used. The results of this can be seen in the UFED Physical Analyzer’s Application Usage model under Analyzed Data > Applications:
If you look again at the ZUSAGETIMEDITEM table (two figures above), you can see a column labeled “ZDOMAIN.” These are the actual domains (not full URLs) of websites the device has visited. Although the database is inconsistent about whether this information gets written, it can be quite valuable for an investigator and might complement data that wasn’t present in other web-history sources. You can find this data parsed into the Web History model under “Analyzed Data.”
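The time-window reasoning and the ZDOMAIN column described above can be reproduced with a short query. This is an added example, not code from Cellebrite or UFED Physical Analyzer: the table names and ZDOMAIN come from the article, while every other column name, the join keys and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data (the Z-prefixed tables) stores dates as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def to_utc(seconds):
    return None if seconds is None else CORE_DATA_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed data. Table names and ZDOMAIN come from the article;
    all other column names are assumptions made for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZUSAGEBLOCK (Z_PK INTEGER PRIMARY KEY, ZSTARTDATE REAL);
        CREATE TABLE ZUSAGECATEGORY (Z_PK INTEGER PRIMARY KEY, ZBLOCK INTEGER);
        CREATE TABLE ZUSAGETIMEDITEM (Z_PK INTEGER PRIMARY KEY, ZCATEGORY INTEGER,
            ZBUNDLEIDENTIFIER TEXT, ZDOMAIN TEXT, ZTOTALTIMEINSECONDS INTEGER);
        -- Reference timestamps: 09:00, 10:00 and 15:00 UTC on 2020-01-29.
        INSERT INTO ZUSAGEBLOCK VALUES (1, 601981200), (2, 601984800), (3, 602002800);
        INSERT INTO ZUSAGECATEGORY VALUES (10, 1), (20, 2), (30, 3);
        INSERT INTO ZUSAGETIMEDITEM VALUES
            (1, 10, 'com.example.chat', NULL, 540),
            (2, 10, 'com.example.browser', 'example.org', 120),
            (3, 20, 'com.example.chat', NULL, 900),
            (4, 30, 'com.example.browser', 'example.net', 60);
    """)
    return db

def usage_windows(db):
    """One row per item: (window start, window end, app, domain, seconds used).
    A window ends where the next reference timestamp begins; the newest
    window has no recorded end, so its end is None."""
    rows = db.execute("""
        SELECT b.ZSTARTDATE,
               (SELECT MIN(n.ZSTARTDATE) FROM ZUSAGEBLOCK n
                 WHERE n.ZSTARTDATE > b.ZSTARTDATE),
               i.ZBUNDLEIDENTIFIER, i.ZDOMAIN, i.ZTOTALTIMEINSECONDS
          FROM ZUSAGETIMEDITEM i
          JOIN ZUSAGECATEGORY c ON c.Z_PK = i.ZCATEGORY
          JOIN ZUSAGEBLOCK b ON b.Z_PK = c.ZBLOCK
         ORDER BY b.ZSTARTDATE, i.Z_PK""").fetchall()
    return [(to_utc(s), to_utc(e), app, dom, secs) for s, e, app, dom, secs in rows]

if __name__ == "__main__":
    for start, end, app, dom, secs in usage_windows(build_sample_db()):
        print(start, end or "(open)", app, dom or "-", f"{secs}s")
```

On a real extraction, confirm the actual column names against the database schema before relying on the joins, and scope the query per device, since the database also holds rows for family-shared devices.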
As a final note, the database saves information not only about the extracted device, but also information from devices added through Apple’s Family Sharing option. Seeing all of the above information for other devices, such as a child’s or spouse’s, can prove to be very useful in cases of domestic violence or when a suspect’s device is unavailable. The mere capability of Screen Time to effectively render some of the device’s core functions, like calling and texting, unusable can attract malicious users and be abused as a means of control over a device owner. This is another angle that examiners may want to pursue during an investigation.
In the UFED Physical Analyzer 7.29 release, we focus on presenting the data of the extracted device only. Stay tuned for updates regarding data of connected devices, which will be embedded in upcoming releases!