The first step in an iPhone forensic examination is to acquire the data from the device. There are different ways to acquire data from an iPhone. This chapter covered physical acquisition techniques and techniques to bypass passcodes and data encryption using open source methods. Physical acquisition is preferred as it recovers more data from the device; however, it is not possible to perform physical acquisition on all iOS devices. The following table summarizes the physical acquisition possibilities on iOS devices:
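Model | Physical acquisition |
---|---|
iPhone 3G, 3GS, 4 | Yes (if no/easy passcode) |
iPad 1 | Yes (if no/easy passcode) |
iPod touch 2G, 3G, 4G | Yes (if no/easy passcode) |
iPhone 4S, 5 | Only if jailbroken, and until iOS 6.1.2 (if no/easy passcode) |
iPad 2, 3, 4 and iPad mini | Only if jailbroken, and until iOS 6.1.2 (if no/easy passcode) |
iPod touch 5G | Only if jailbroken, and until iOS 6.1.2 (if no/easy passcode) |
iPhone 5S and 5C | No |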
While physical acquisition is the best method for forensically obtaining the majority of the data from iOS devices, logical or backup files may also exist, and in some cases they are the only way to extract data from the device. The next chapter...