When you process an iOS device there are multiple locations that will provide you the data you are looking for. It is important to understand where you can see the differences in those data sources. Depending on your process checklist you might choose a different data source as a primary to compare with the other available iOS data sources. In this walk through we will compare the differences between an iOS backup and an iCloud backup.
iOS backups can be made through either a backup from either your tool or iTunes or the use of an encrypted backup from your tool or iTunes. If the iTunes method is used it would then be imported through your tool.
Once the data is imported into your forensic tool you will want to go to the device information. In this information, the data for the Last Backup Date should be displayed. This is the last backup date that was done with the device and the primary machine.
If you are using the E3 Forensic Platform you can use the Mobile Evidence Comparer to see data that has changed between backups of a device. This method is quick and easy and shows exact changes that have occurred.
When you are dealing with an iCloud backup you will need to import that data into your tool first and then review the data. When you look at the iCloud backup pay attention to the name of the folder with the backup data. It contains the date and time the backup was made.
You can then easily bring the iCloud data in for a case compare to show what changed from one date to another. It is important to note that you cannot get all of the keychain data, and tokens with an iCloud backup image. You still must do an encrypted backup with a known password to get that data.
Differences in iCloud Backups
It is important to understand the difference between a full iCloud backup versus a standard iCloud backup.
Example 1.
A standard iCloud account only comes with 5 GB of storage. This will only allow end-users to backup specific items to their iCloud account (up to 5GB of data), based upon the size of the device. Their backup will only include these items.
Example 2.
If the ender user chooses to purchase additional storage in iCloud, this will allow the end-user to do a full backup directly to iCloud of all data (depending on storage purchased). In the example below additional storage was purchased and the end-user archived a full backup from iTunes. This is what would compare the most directly with the iOS backup done by your forensic tools.
Why compare your cases?
This is a valuable step if your case is taking a while to be completed and changes in your tools have happened. You can reprocess and review the data against your original to see what new capabilities might have happened with your forensic tool. This compare function can also be used to compare a case that has been processed by another party and comes back to you as the primary examiner. It can show details of what might have been changed through the other parties’ processing. An example below can be seen where an address entry change occurred between one party and the other parties’ examinations.
These results can have separate reports generated that focus on these changes. The case compare functionality can be valuable in your validation of your forensic tool and the work of the other side of the case. For more details on this sign up for our eBook on writing a validation plan here.
Forensic-Impact Articles
Making an Investigations Sock Puppet
Transcript Hello and welcome to the next edition of, the Forensic Impact blog. I'm Amber Schroader. I have been off the video blog for a hot minute because I have broken my ankle, as you can see by my scooter. This is the best background I can get going right now. So,...
Empowering Small Businesses: The Significance of Data Governance
Guest Blog Post In today's digitally driven world, data is the lifeblood of businesses, regardless of their size. Small businesses, in particular, stand to gain significantly from harnessing the power of data. This article from Paraben Corporation delves into the...
Strengthening Your Career In Digital Investigations
Transcript Hi there, and welcome to another installment of forensic impact. I'm Amber Schroader, and this week I am sharing with you information about strengthening your career in digital investigations. This was a topic conversation that I had with one of the blog...
