Data Acquisition from iOS Devices
An iOS device recovered from a crime scene can be a rich source of evidence. Think about how personal a smartphone is to a user; nothing else digital comes close. We rarely leave our homes or even walk around outside them without our smartphones within arm's reach. A smartphone is literally a glimpse into the most personal aspects of a person's life, almost like a diary of our everyday activity. According to several news references, Oscar Pistorius' iPads were examined by a mobile expert and presented during the murder trial to show internet activity hours before the murder of his girlfriend. When an iOS device can provide access to a so-called smoking gun, the examiner must ensure that they know how to properly handle, acquire, and analyze the device.
There are different ways to acquire forensic data from an iOS device. Though each method will have its positives and negatives, the fundamental principle of any acquisition method is to obtain a bit-by-bit or physical copy of the original data, where possible. With newer iOS devices, this is almost impossible.
In this chapter, we will cover the different methods of acquisition for iOS devices, including the following:
- iOS device operating modes
- Password protection and potential bypasses
- Logical acquisition
- Filesystem acquisition
- Physical acquisition
While the ultimate goal in a forensic examination is to obtain the physical image, this is not possible for all iOS devices, so we need to understand the next best option when our primary goal is not possible or supported by our tools.