Disclaimer: tested in iOS 16 and 17.
Before we begin... I want to wish you a wonderful year 2024! I also want to express my gratitude for the numerous positive feedback received after my latest article on phone calls. You can find it here in case you missed it.
I recently wrote an article about investigating iOS Unified Logs specific to WhatsApp (which you can find here), and following that, the question about the use of the dictaphone came up multiple times. And this question is very relevant!
Indeed, by only examining the messages within WhatsApp, it's impossible to determine whether the dictaphone was used or not. Depending on the digital investigation you're dealing with, it could be crucial to have a way to confirm or deny the use of this option.
I have great news for you! Once again, thanks to the investigation of unified logs, it's entirely possible to demonstrate it!
iOS Unified Logs - Dictating a message
Once in the WhatsApp application (for example) and especially in the chosen conversation, the user has the option to click on the microphone icon at the bottom left of the keyboard. Before doing so, they are required to open the keyboard (which is not the case, for instance, when recording a voice message). The act of making the keyboard visible (or not) generates the following log:
mediaserverd: Updated keyboard state: Visible
mediaserverd: Updated keyboard state: Hidden
The two logs probably don't need to be explained in great detail as they seem quite clear. It's also important to note that they are generated every time the keyboard appears/disappears from the user's screen, not only when they are in the WhatsApp application. Keeping an eye on these logs during your investigations can be interesting and, more importantly, crucial depending on the version of events communicated to you.
WhatsApp: UIDictationConnection startDictationWithLanguageCode fr-CH monolingual YES
assistantd: Prepare Audio Provider with Context : recordType[CSAudioRecordTypeDictation] deviceId[(null)] turnIdentifier[C2DE06FE-B27B-400E-9EF2-28024CE6453C] alwaysUseBuiltInMic isRequestDuringActiveCall triggerEventInfo[(null)] spokenNotification  isTriggerless  speechEvent 
WhatsApp: <_UIKBFeedbackGenerator: 0x2819d5a00>: Dictation did begin.
WhatsApp: <_UIKBFeedbackGenerator: 0x2819d5a00>: Dictation did end.
Thanks to this first log, we can determine that the user pressed the microphone to dictate a message. The continuation of the message allows us to know the language of the keyboard at the time of using the microphone (French - Switzerland in this case). Finally, the precision "Monolingual YES" may not be necessarily relevant as I have never managed to obtain the "NO" mention during my research (despite numerous tests) and therefore do not know its exact utility.
The second log, also important and recorded by the "assistantd" process, confirms this by mentioning "AudioRecordTypeDictation" before the two logs from the WhatsApp process are recorded. It also specifies the "SpeechEvent 4," which is interesting. The use of Siri, for example, corresponds to SpeechEvent 1. Therefore, it is noteworthy that several unified logs can be investigated to highlight the start of voice dictation.
The excellent news is that the above logs are also recorded when the microphone is used in other applications. Of course, the process recording the use of this option will be different from the WhatsApp case since it is specific to the application used (which is really great), so here are some examples:
Telegram: UIDictationConnection startDictationWithLanguageCode fr-CH monolingual YES
Telegram: <_UIKBFeedbackGenerator: 0x2839bc400>: Dictation did begin.
Telegram: <_UIKBFeedbackGenerator: 0x2839bc400>: Dictation did end.
Preferences: UIDictationConnection startDictationWithLanguageCode fr-CH monolingual YES
Preferences: <_UIKBFeedbackGenerator: 0x2839d7d00>: Dictation did begin.
Preferences: <_UIKBFeedbackGenerator: 0x2839d7d00>: Dictation did end.
These few iOS unified logs will allow investigators to easily and quickly identify whether a message was sent using the microphone option or not. The unified log recorded by the assistantd process has intentionally been omitted in the examples above to avoid overloading these tables.
In general, it is extremely important to keep in mind that the process specific to each application seems to record the use of the microphone! This could prove to be crucial in your investigations.
Finally, I would like to conclude this brief article by sharing a few examples of keyboard logs. These will be recorded when the user presses the microphone key on the keyboard.
Unified Logs - Keyboard Language
UIDictationConnection startDictationWithLanguageCode el-GR monolingual YES
UIDictationConnection startDictationWithLanguageCode fr-BE monolingual YES
French - Belgium
UIDictationConnection startDictationWithLanguageCode en-ZA monolingual YES
English - South Africa
UIDictationConnection startDictationWithLanguageCode hr-HR monolingual YES
Analyzing the content of a message sent in a messaging application may not be sufficient in certain investigations. Sometimes, it may be necessary to know how the message was generated. In other words, being able to determine whether a user sent a message by typing it on their phone's keyboard or dictating it using voice commands can be crucial in some investigations.
This article once again highlights the usefulness of analyzing unified logs from iOS phones, as these actions are distinctly different. Unified logs mentioning the actions "Dictation did begin" and "Dictation did end" will obviously not be recorded when the user types a message using the phone's keyboard.
Enjoy your Digital Investigations !