In the previous chapter, we covered techniques to acquire data from an iOS device, which included logical and filesystem acquisition. This chapter covers techniques to acquire a backup of files from the device onto a computer or iCloud, using Apple's synchronization protocol. 

The physical acquisition of an iOS device provides the most data in an investigation, but you can also find a wealth of information in iOS backups. iOS device users have several options to back up the data present on their devices. Users can choose to back up the data to their computer, using the Apple iTunes software, or to the Apple cloud storage service known as iCloud. Every time an iPhone is synced with a computer or to iCloud, it creates a backup by copying the selected files from the device. The user can determine what is contained in the backup, so some backups may be more inclusive than others. Also, the user can back up to both a computer and iCloud and the data derived from each location may differ. This often occurs due to the limitations of iCloud's free storage. The user may simply back up photos and contacts to iCloud but may take a complete backup of all the data on their computer. As previously mentioned, physical acquisition provides the best access to all data on the iOS device; however, backups may be the only available source of digital evidence, especially if we are dealing with the most recent iOS devices.

In this chapter, we will cover the following topics:

• Working with iTunes backups
• Creating and analyzing backups with iTunes
• Extracting unencrypted backups
• Handling encrypted backup files
• Working with iCloud backups