On iOS devices, due to the well-known OS restrictions, logical acquisition is the most common type of data extraction during digital forensic investigations. Many commercial forensic tools can perform this step, but this type of acquisition can also be performed using an open source tool.



There is a cross-platform protocol library called libimobiledevice [1] that lets you communicate with an iOS device and extract data from it via the backup procedure.

First, you need to install libimobiledevice tools:

sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller

Then connect the device to a USB port on your forensic workstation and accept the pair request on the device.
Finally, start the pairing process:

$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX

Now, you can start the backup process:

idevicebackup2 backup ~/iOSBackups/

After the backup operation is completed, you get a directory named after the device UDID (e.g. c878879d96a910457a3007098693feee2d5XXXXXX).

In order to perform a correct examination of the backup, you need to extract it:

idevicebackup2 unback ~/iOSBackups/

The command creates another directory, named _unback_, with a directory structure browsable with a file manager or with your favorite forensic tool.
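
Before examining the data, it is worth recording exactly what was acquired. The following is an added example, not part of the original post or of libimobiledevice: it reads the device identity and encryption flag from the Info.plist and Manifest.plist files in the UDID-named backup directory and builds a SHA-256 manifest that can be recomputed later to show the evidence is unchanged. The plist key names are assumptions about the usual iTunes-style backup layout, and the sample backup and its UDID are constructed.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

def describe_backup(backup_dir):
    """Device identity and encryption state (key names are assumed, see lead-in).
    The directory is named after the UDID, so a mismatch needs explaining."""
    root = Path(backup_dir)
    info = plistlib.loads((root / "Info.plist").read_bytes())
    manifest = plistlib.loads((root / "Manifest.plist").read_bytes())
    udid = info.get("Unique Identifier") or info.get("Target Identifier")
    return {
        "udid": udid,
        "device_name": info.get("Device Name"),
        "ios_version": info.get("Product Version"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "udid_matches_dir": udid is not None and udid.lower() == root.name.lower(),
    }

def hash_manifest(backup_dir):
    """SHA-256 of every file, keyed by path relative to the backup root."""
    root, digests = Path(backup_dir), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def changed_files(baseline, current):
    """Paths added, removed or modified since the baseline manifest."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))

def build_sample_backup(parent, udid="0123456789abcdef0123456789abcdef01234567"):
    """Constructed stand-in for a real backup directory (not device data)."""
    root = Path(parent) / udid
    (root / "ab").mkdir(parents=True)
    info = {"Unique Identifier": udid.upper(), "Device Name": "Lab iPhone", "Product Version": "12.4"}
    (root / "Info.plist").write_bytes(plistlib.dumps(info))
    (root / "Manifest.plist").write_bytes(plistlib.dumps({"IsEncrypted": False}))
    (root / "ab" / "ab12cd").write_bytes(b"constructed file content")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = build_sample_backup(tmp)
        print(describe_backup(backup), hash_manifest(backup))
```

On a real case, point describe_backup and hash_manifest at the UDID-named directory under ~/iOSBackups/ right after the backup completes, store the manifest with the case notes, and run changed_files against a fresh manifest at the end of the examination.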


References

  1. https://github.com/libimobiledevice