A logical acquisition captures a part of what is accessible to the user; in other words, what is included in an iTunes backup. It means that we won't get any deleted files, but, thanks to SQLite databases' free lists and unallocated space, we can recover deleted records, including SMS and other chats, browsing history, and so on. We will discuss recovering SQLite data and deleted artifacts in Chapter 5, iOS Data Analysis and Recovery.

Logical acquisition is the simplest way to ascertain whether the device is unlocked as it simply uses the built-in backup mechanism. Most tools and methods that support the logical acquisition of iOS devices will fail if the device is locked. Some think that if a physical image is captured, there is little to no need for a logical acquisition. However, not all data is parsed in a physical image, which is why having access to a logical image, which results in readable data, will assist you in digging deep into the physical image for artifacts to support your forensic investigation.

Logical acquisition is the fastest, easiest, and cheapest way to gain access to data stored on an iOS device. There are a variety of tools, ranging from commercial to free, that are capable of capturing logical images. Most of these tools require that the device be unlocked, or access to the plist file from the host machine be readily available.