In the previous chapter, we covered techniques to acquire data from an iOS device. This chapter covers techniques to acquire a backup of files from the device onto a computer or iCloud using Apple's synchronization protocol. 

The physical acquisition of an iOS device provides the most data in an investigation, but you can also find a wealth of information on iOS backups. iOS device users have several options to back up data present on their devices. Users can choose to back up data to their computer using the Apple iTunes software, or to the Apple cloud storage service known as iCloud. Every time an iPhone is synced with a computer or to iCloud, it creates a backup by copying the selected files from the device. The user can determine what is contained in the backup, so some may be more inclusive than others. Also, the user can back up to both a computer and iCloud, and the data derived from each location may differ. This often occurs due to the limitations of iCloud free storage. The user may simply back up photos and contacts to iCloud, but may take a complete backup of all data on their computer. As previously mentioned, physical acquisition provides the best access to all data on the iOS device; however, backups may be the only available source of digital evidence, especially if we are dealing with the most recent iOS devices.

In this chapter, we will cover the following topics:

• iTunes and iCloud backup files
• Creating and analyzing backup files
• How to handle encrypted backup files
• Backup file contents, file structure, and artifact recovery