Data Acquisition from iOS Devices
An iOS device that's been recovered from a crime scene can be a rich source of evidence. Think about how personal a smartphone is to a user; nothing else that's digital comes close. We rarely leave our homes or even walk around outside them without our smartphones within arm's reach. A smartphone is literally a glimpse into the most personal aspects of a person's life, almost like a diary of our everyday activity. According to several news reports, Oscar Pistorius' iPads were examined by a mobile expert and presented during his trial to show his internet activity hours before the death of his girlfriend. When an iOS device can provide access to a so-called smoking gun, you, as the examiner, must ensure that you know how to properly handle, acquire, and analyze the device.
There are different ways to acquire forensic data from an iOS device. Though each method will have its pluses and minuses, the fundamental principle of any acquisition method is to obtain as much data as possible.
In this chapter, we will cover the following topics:
- iOS device operating modes
- Password protection and potential bypasses
- Logical acquisition
- Filesystem acquisition