Working with iTunes backups

A wealth of information is stored on any computer that has been previously synced with an iOS device. These computers, commonly referred to as host computers, can have historical data and passcode bypass certificates. In a criminal investigation, a search warrant can be obtained to seize a computer that belongs to a suspect, in order to access the backup and lockdown certificates. For all other cases, consent or permissible access is required. iOS backup file forensics mainly involves analyzing an offline backup produced by an iPhone or an iPad. Apple Watch data will be contained within the iPhone backup to which it is synced.

The iTunes backup method is also useful in cases where other acquisition types are not feasible. In this situation, you essentially create an iTunes backup of the device and analyze it using forensic software. Thus, it is important for you to completely understand the backup process and the tools involved, to ensure tools are capable of creating a forensic backup without contaminating the devices with other existing data in iTunes.

iPhone backup files can be created using the iTunes software, which is available for the macOS and Windows platforms. iTunes is a free utility provided by Apple for data synchronization and management between iOS devices and the computer. iTunes uses Apple's proprietary synchronization protocol to copy data from the iOS device to a computer. For example, an iPhone can be synced with a computer using a cable or Wi-Fi. iTunes provides an option for an encrypted backup, but, by default, it creates an unencrypted backup whenever an iPhone is synced. Encrypted backups, when cracked, provide additional access to data stored on the iOS device. This will be discussed later in this chapter.

Users often create backup files to protect their data in the event that their device is damaged or lost. In a forensic examination, either a forensic backup is created to act as the best evidence, or data is simply extracted from existing iOS backup files to search for legacy information. For example, if you are under investigation and you delete files or wipe your iPhone, your backup files in iCloud and on your Mac still exist. Depending on whether iTunes or iCloud was used, multiple backups for the same device may exist. You will have to analyze each backup forensically to uncover artifacts relating to the investigation.

iTunes is configured to automatically initiate the synchronization process once the iOS device is connected to the computer. To avoid unintended data exchange between the iOS device and the computer, disable the automatic synchronization process before connecting your evidence to the forensic workstation. The screenshot in Step 2 of the following process illustrates the option that disables automatic syncing in iTunes version 12.9.4.102.

To disable auto-syncing in iTunes, perform the following steps:

  1. Navigate to Edit | Preferences | Devices.
  2. Check Prevent iPods, iPhones, and iPads from syncing automatically and click on the OK button, as illustrated in the following screenshot:
Disabling automatic syncing in iTunes
  3. As seen in the preceding screenshot, iOS backup files exist on the system. If this were a forensic workstation, these backup files wouldn't exist or would be permanently removed to prevent cross-contamination.
  4. Once you verify the synchronization settings, connect the iOS device to the computer using a Universal Serial Bus (USB) cable. If the connected device is not protected with a passcode or it was already connected to the computer recently, iTunes immediately recognizes the device; otherwise, you'll have to enter the passcode. This can be verified by the iPhone icon displayed on the left-hand side of the iTunes interface, as illustrated in the following screenshot:
An iPhone recognized by iTunes
  5. Before iTunes can access the iPhone, you must enable Trust between the computer and the phone. You will be prompted to press Continue on the computer (as highlighted in the following screenshot) and select Trust on the iPhone. With iOS 11, you must also enter the device's passcode:
iTunes prompts for access permissions
  6. Once iTunes recognizes the device, a single click on the iPhone icon displays the iPhone summary, including the iPhone's name, capacity, firmware version, serial number, free space, and phone number. The iPhone Summary page also displays the options to create backups. The process of creating a backup will be discussed in the following section.
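The check for existing backups described in step 3 can be scripted before any evidence is connected. The following Python sketch is an added example, not code from the book: it lists every backup folder under a MobileSync backup root by reading each folder's Info.plist and Manifest.plist, and reports whether the workstation is clean. The default folder locations, the helper names, and the sample values are assumptions made for illustration.

```python
import plistlib, tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

DEFAULT_ROOTS = [  # usual per-user iTunes backup locations (assumed, not from the page)
    Path.home() / "Library/Application Support/MobileSync/Backup",     # macOS
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",  # Windows installer
    Path.home() / "Apple/MobileSync/Backup",                           # Windows Store build
]

def _load(path):
    """Read an XML or binary plist; return {} if it is missing or unparsable."""
    try:
        data = plistlib.loads(Path(path).read_bytes())
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}

def list_backups(root):
    """Return one summary dict per backup folder found directly under root."""
    root, found = Path(root), []
    if not root.is_dir():
        return found
    for folder in sorted(p for p in root.iterdir() if p.is_dir()):
        info, manifest = _load(folder / "Info.plist"), _load(folder / "Manifest.plist")
        if not info and not manifest:
            continue  # no backup metadata: not an iTunes backup folder
        found.append({
            "folder": folder.name, "device_name": info.get("Device Name"),
            "ios_version": info.get("Product Version"),
            "last_backup": info.get("Last Backup Date"),
            "encrypted": manifest.get("IsEncrypted"),
        })
    return found

def workstation_is_clean(roots=DEFAULT_ROOTS):
    """True when none of the roots holds an existing backup."""
    return not any(list_backups(r) for r in roots)

def make_sample(root, name, encrypted):
    """Write a CONSTRUCTED backup folder (metadata only) for demonstration."""
    folder = Path(root) / name
    folder.mkdir(parents=True)
    (folder / "Info.plist").write_bytes(plistlib.dumps(
        {"Device Name": "Sample iPhone", "Product Version": "13.1"}))
    (folder / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": encrypted}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "CONSTRUCTED-UDID-0001", encrypted=True)
        print(list_backups(tmp), workstation_is_clean([tmp]))
```

Pointing `list_backups` at the backup folder of a mounted image of a host computer gives the same per-backup summary when several backups of one device need to be triaged.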

Now, we are ready to start backing up the device. The next section will walk you through this process.
