iOS Forensics: how to perform a logical acquisition with libimobiledevice
On iOS devices, due to the well-known OS restrictions, logical acquisition is the most common type of data extraction during digital forensic investigations. There are many commercial forensic tools able to perform this step, but this type of acquisition can also be performed with an open source tool.
There is a cross-platform protocol library called libimobiledevice [1] that allows you to communicate with an iOS device and extract data from it via the backup procedure.
First, you need to install libimobiledevice tools:
sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller
Then connect the device to a USB port on your forensic workstation and accept the pairing request on the device.
Finally, start the pairing process:
$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX
Now, you can start the backup process:
idevicebackup2 backup ~/iOSBackups/
After the backup operation is completed you get a directory named after the device UDID (e.g. c878879d96a910457a3007098693feee2d5XXXXXX).
In order to perform a correct examination of the backup, you need to extract it:
idevicebackup2 unback ~/iOSBackups/
The command creates another directory, named _unback_, with a directory structure that can be browsed with a file manager or with your favorite forensic tool.
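The whole procedure above, wrapped in a script that also records SHA-256 hashes of the acquired backup so the copy can be verified later. This is an added example, not part of the original post or of libimobiledevice; it assumes idevicepair, idevicebackup2 and GNU coreutils (sha256sum, find) are installed, and the UDID in the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pair, back up, hash, unback.
# Assumes libimobiledevice tools and GNU coreutils are available.

# Pull the UDID out of idevicepair output such as
# "SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5aaaaaa"
# (sample value is constructed). Newer hyphenated UDIDs are matched too.
udid_from_pair_output() {
    printf '%s\n' "$1" | sed -n 's/^SUCCESS: Paired with device \([0-9A-Fa-f-]*\).*/\1/p'
}

# Hash every file under the backup directory into a manifest (sorted so the
# manifest is reproducible); paths are relative to the backup directory.
hash_backup_dir() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# Check a backup directory against a manifest written by hash_backup_dir.
# Returns 0 when every file still matches, non-zero on any change.
verify_backup_dir() {
    dir="$1"
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$dir" && sha256sum --quiet -c "$manifest" >/dev/null 2>&1 )
}

# Full acquisition: pair, back up into $1, hash the UDID directory, unback.
acquire() {
    dest="$1"
    pair_out=$(idevicepair pair) || return 1
    udid=$(udid_from_pair_output "$pair_out")
    [ -n "$udid" ] || return 1
    mkdir -p "$dest"
    idevicebackup2 backup "$dest" || return 1
    hash_backup_dir "$dest/$udid" "$dest/$udid.sha256"
    idevicebackup2 unback "$dest" || return 1
}
```

Run `acquire ~/iOSBackups/` with the device connected; keep the generated `<UDID>.sha256` with the case notes and re-run `verify_backup_dir` before each examination.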