iOS Forensics: how to perform a logical acquisition with libimobiledevice

On iOS devices, due to the well-known OS restrictions, logical acquisition is the most common type of data extraction during digital forensic investigations. There are many commercial forensic tools able to perform this step, but this type of acquisition can also be performed with an open source tool.

There is a cross-platform protocol library called libimobiledevice [1] that allows you to communicate with an iOS device and extract data from it via the backup procedure.

First, you need to install libimobiledevice tools:

sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller

Then connect the device to a USB port on your forensic workstation and accept the pairing request on the device.
Finally, start the pairing process:

$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX

Now, you can start the backup process:

idevicebackup2 backup ~/iOSBackups/

After the backup operation is completed you get a directory named after the device UDID (e.g. c878879d96a910457a3007098693feee2d5XXXXXX).

In order to perform a correct examination of the backup, you need to extract it:

idevicebackup2 unback ~/iOSBackups/

The command creates another directory, named _unback_, with a directory structure that can be browsed with a file manager or with your favorite forensic tool.
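As an added example (not code from the original post or from the libimobiledevice project), here is a bash wrapper around the four steps above that also hashes the raw UDID-named backup before unpacking it, so the acquisition can be verified afterwards. The function names, the case directory layout and the manifest file name are my own choices; the device-facing commands need a connected, trusted device, while the helper functions work offline.

```bash
#!/usr/bin/env bash
# Wrapper around the libimobiledevice steps above: pair, back up, hash,
# unpack. Device-facing commands (idevice_id, idevicepair, idevicebackup2)
# need a connected, trusted device; the helper functions work offline.
set -eu

# Extract the UDID from the "SUCCESS: Paired with device ..." line that
# idevicepair prints; prints nothing on any other output.
parse_udid() {
    sed -n 's/^SUCCESS: Paired with device \([0-9A-Za-z-]*\).*/\1/p'
}

# Write a sha256 manifest of every file below $1 into $2 (paths relative
# to $1) and print the number of files hashed.
hash_tree() {
    local root="$1" out="$2"
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$out"
    wc -l < "$out" | tr -d ' '
}

# Re-check a manifest written by hash_tree; non-zero if any file differs.
verify_tree() {
    local root="$1" manifest="$2"
    ( cd "$root" && sha256sum --quiet -c "$manifest" )
}

# The full procedure: pair, back up into the case directory, hash the raw
# UDID-named backup, unpack it, then confirm the raw backup is unchanged.
acquire() {
    local case_dir="$1" udid
    mkdir -p "$case_dir"
    # Stop early if usbmuxd sees no device at all.
    idevice_id -l | grep -q . || { echo "no device connected" >&2; return 1; }
    udid="$(idevicepair pair | parse_udid)"
    [ -n "$udid" ] || { echo "pairing failed (trust dialog accepted?)" >&2; return 1; }
    idevicebackup2 backup "$case_dir"
    hash_tree "$case_dir/$udid" "$case_dir/$udid.sha256"
    idevicebackup2 unback "$case_dir"
    verify_tree "$case_dir/$udid" "$case_dir/$udid.sha256"
    echo "unpacked tree: $case_dir/_unback_"
}

# Only run the procedure when explicitly asked; otherwise just define the
# functions so the helpers can be used on an existing backup.
if [ "${1:-}" = "acquire" ]; then acquire "${2:-$HOME/iOSBackups}"; fi
```

Invoked as `bash acquire.sh acquire ~/iOSBackups` (file name assumed) it runs the whole procedure; without arguments it only defines the functions, so `hash_tree` and `verify_tree` can be sourced and used on an existing backup.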

References

  1. https://github.com/libimobiledevice
