Summary
The first step in an iPhone forensic examination is to acquire the data from the device. There are different ways to acquire data from an iPhone. This chapter covered physical acquisition techniques and techniques to bypass passcodes and data encryption using open source methods. Physical acquisition is preferred because it recovers more data from the device; however, it is not possible to perform physical acquisition on all iOS devices. The following table summarizes the physical acquisition possibilities on iOS devices:
Model | Physical acquisition
----- | --------------------
iPhone 3G, 3GS, 4; iPad 1; iPod touch 2G, 3G, 4G | Yes (if no/easy passcode)
iPhone 4S, 5; iPad 2, 3, 4 and iPad mini; iPod touch 5G | Only if jailbroken, and until iOS 6.1.2 (if no/easy passcode)
iPhone 5S and 5C | No
While physical acquisition is the best method for forensically obtaining the majority of the data from iOS devices, logical or backup files may exist, or may be the only means of extracting data from the device. The next chapter discusses iOS device backup files in detail, including user, forensic, encrypted, and iCloud backup files, and the methods for conducting your forensic examination.