When you process an iOS device, there are multiple locations that can provide the data you are looking for. It is important to understand how those data sources differ. Depending on your process checklist, you might choose one data source as the primary and compare it with the other available iOS data sources. In this walkthrough we will compare the differences between an iOS backup and an iCloud backup.
iOS backups can be made as either a standard backup or an encrypted backup, using either your tool or iTunes. If the iTunes method is used, the backup is then imported into your tool.
Once the data is imported into your forensic tool, go to the device information. The Last Backup Date should be displayed there. This is the date of the last backup made between the device and the primary machine.
If you are using the E3 Forensic Platform you can use the Mobile Evidence Comparer to see data that has changed between backups of a device. This method is quick and easy and shows exact changes that have occurred.
When you are dealing with an iCloud backup you will need to import that data into your tool first and then review the data. When you look at the iCloud backup pay attention to the name of the folder with the backup data. It contains the date and time the backup was made.
You can then easily bring the iCloud data in for a case compare to show what changed from one date to another. It is important to note that you cannot get all of the keychain data and tokens from an iCloud backup image. You still must do an encrypted backup with a known password to get that data.
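As an added example (not part of the original post and not E3 Forensic Platform code), the Python below reads the Last Backup Date and the encryption flag from an iTunes-style backup folder and lists the files that differ between two backups. It assumes the folder holds Info.plist and Manifest.plist at its top level; the function names and the sample folders are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path


def backup_summary(backup_dir):
    """Return the device-information fields an examiner checks first."""
    root = Path(backup_dir)
    info = plistlib.loads((root / "Info.plist").read_bytes())
    manifest = plistlib.loads((root / "Manifest.plist").read_bytes())
    return {"device": info.get("Device Name"),
            "last_backup": info.get("Last Backup Date"),
            # Keychain data and tokens are only expected when this is True.
            "encrypted": bool(manifest.get("IsEncrypted", False))}


def inventory(backup_dir):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_backups(old_dir, new_dir):
    """List files added, removed or changed between two backup folders."""
    old, new = inventory(old_dir), inventory(new_dir)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k])}


def make_sample_backup(root, when, encrypted, files):
    """Build a constructed, minimal backup folder for the demonstration."""
    root = Path(root)
    info = {"Device Name": "Sample iPhone", "Last Backup Date": when}
    (root / "Info.plist").write_bytes(plistlib.dumps(info))
    (root / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": encrypted}))
    for name, data in files.items():
        (root / name).write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_sample_backup(a, datetime(2021, 1, 5, 9, 30), False, {"contacts.bin": b"v1"})
        make_sample_backup(b, datetime(2021, 2, 1, 18, 0), True,
                           {"contacts.bin": b"v2", "notes.bin": b"new"})
        print(backup_summary(a), backup_summary(b))
        print(compare_backups(a, b))
```

The comparison works on the files as stored in the backup folder, so in an encrypted backup a "changed" entry reflects a change in the stored ciphertext, and Info.plist will always differ between two backups taken at different times.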
Differences in iCloud Backups
It is important to understand the difference between a full iCloud backup and a standard iCloud backup.
A standard iCloud account only comes with 5 GB of storage. This will only allow end-users to back up specific items to their iCloud account (up to 5 GB of data), based upon the size of the device. Their backup will only include these items.
If the end-user chooses to purchase additional storage in iCloud, this will allow the end-user to do a full backup directly to iCloud of all data (depending on storage purchased). In the example below additional storage was purchased and the end-user archived a full backup from iTunes. This is what would compare the most directly with the iOS backup done by your forensic tools.
Why compare your cases?
This is a valuable step if your case is taking a while to be completed and your tools have changed in the meantime. You can reprocess and review the data against your original to see what new capabilities your forensic tool might have gained. This compare function can also be used to compare a case that has been processed by another party and comes back to you as the primary examiner. It can show details of what might have been changed through the other party's processing. An example below can be seen where an address entry change occurred between one party's examination and the other party's.
These results can have separate reports generated that focus on these changes. The case compare functionality can be valuable in your validation of your forensic tool and the work of the other side of the case. For more details on this sign up for our eBook on writing a validation plan here.