iOS Forensics: how to perform a logical acquisition with libimobiledevice

On iOS devices, due the well-known os restrictions, logical acquisition is the most common type of data extraction during digital forensic investigations. There are a lot of commercial forensic tools able to perform this step, but this type of acquisition can be also perfomed using an open source tool.

There is a cross-platform protocol library called libimobiledevice [1] that allows to communicate with an iOS device and extract data from it via the backup procedure.

First, you need to install libimobiledevice tools:

sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller

Then connect the device to usb port on your forensic workstation and accept the pair request on device.
Finally, start pairing process:

$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX

Now, you can start the backup process:

idevicebackup2 backup ~/iOSBackups/

After the backup operation is completed you get a directory named like the device UDID (es. c878879d96a910457a3007098693feee2d5XXXXXX).

In order to perform a correct examination of the backup, you need to extract it:

idevicebackup2 unback ~/iOSBackups/

The command creates another directory, named _unback_, with a directory structure browsable with file manager or with your favorite forensic tool.


References

  1. https://github.com/libimobiledevice

Related posts

  1. How to check Pegasus Spyware on your iPhone
  2. dfir_ntfs: a forensic parser for NTFS filesystems
  3. iLEAPP: an iOS logs, events, and plists parser
  4. How smartphones reacts to IMSI catching attacks?
  5. How to sort and organize files recovered by PhotoRec