A wealth of information is stored on any computer that has previously been synced with an iOS device. These computers, commonly referred to as host computers, can hold historical data and passcode-bypass certificates. In a criminal investigation, a search warrant can be obtained to seize a suspect's computer and access the backups and lockdown certificates stored on it. For all other cases, consent or permissible access is required. iOS backup file forensics mainly involves analyzing an offline backup produced by an iPhone, iPad, iPod touch, and/or Apple Watch. Apple Watch data is contained within the backup of the iPhone to which the watch is synced.
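As an added illustration (not code from the original text), the following Python sketch inventories the device backups found in a working copy of a host computer's backup folder. It assumes the standard iTunes backup layout of one folder per device containing `Info.plist` and `Manifest.plist`; those file names and plist keys come from the backup format rather than this page, the function names are hypothetical, and the sample data is constructed.

```python
import datetime
import plistlib
import tempfile
from pathlib import Path

INFO_KEYS = ("Device Name", "Product Type", "Product Version",
             "Serial Number", "Unique Identifier", "Last Backup Date")

def read_plist(path, errors):
    """Parse an XML or binary plist; log a failure instead of raising."""
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)
        return data if isinstance(data, dict) else {}
    except Exception as exc:  # missing, damaged or truncated file
        errors.append(f"{path.name}: {type(exc).__name__}")
        return {}

def inventory_backups(backup_root):
    """Summarise every backup folder (one per device) under backup_root."""
    rows = []
    for info_path in sorted(Path(backup_root).glob("*/Info.plist")):
        folder, errors = info_path.parent, []
        info = read_plist(info_path, errors)
        row = {"folder": folder.name, "errors": errors}
        row.update({key: info.get(key) for key in INFO_KEYS})
        # Manifest.plist records whether the backup content is encrypted.
        manifest = read_plist(folder / "Manifest.plist", errors)
        row["IsEncrypted"] = manifest.get("IsEncrypted")
        rows.append(row)
    return rows

def make_constructed_sample(root):
    """Write constructed test data: one intact backup, one damaged one."""
    good = Path(root) / "00000000-CONSTRUCTED0001"
    good.mkdir()
    (good / "Info.plist").write_bytes(plistlib.dumps({
        "Device Name": "Example iPhone", "Product Type": "iPhone12,1",
        "Product Version": "15.4", "Serial Number": "CONSTRUCTED01",
        "Unique Identifier": good.name,
        "Last Backup Date": datetime.datetime(2022, 4, 1, 9, 30)}))
    (good / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": True}))
    bad = Path(root) / "zz-damaged"
    bad.mkdir()
    (bad / "Info.plist").write_bytes(b"<?xml version='1.0'?><plist><dict>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        print(*inventory_backups(tmp), sep="\n")
```

The script only reads files, and damaged or missing plists are listed under `errors` so a partially corrupted backup still appears in the inventory.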
The iTunes backup method is also useful in cases when physical, filesystem, and logical acquisition of an iOS device is not feasible. In this situation, examiners essentially create an iTunes backup of the device and analyze...