Howdy folks,
Is there any forensic/chain of custody issue in simply using iTunes Backup to preserve iOS devices? That is, is any significant metadata affected on the device as a result of such a preservation method?
As it seems, most tools such as Oxygen Forensic use the iTunes Backup method to extract the data anyhow.
Once extracted, tools can be run on the backup data.
Anything I am missing?
Many thanks! idea mrgreen
I think all the forensic tools can guarantee the data flow is single direction (from mobile phone to computer). However, if you just use the normal itunes to backup the data from iPhone, you may have a chance due to miss config the itunes to add or remove data from the iPhone
Best practice is to create an encrypted iTunes mobile backup rather than a non-encrypted mobile backup as the encryption process will extract more data from the iPhone during the mobile backup creation process.
You can simply use 1234 as the iTunes encryption password.
Belkasoft Acquisition Tool and Magnet Acquire are free iOS acquisition tools that you may as well use instead of iTunes…
The forensic programs usually are user interfaces for iTunes and helper processes running in the background.
Always encrypt the iTunes backup you create, it's not only a matter of security, but also an extended feature settings to gain more data.
If you got time, do a comparison with the same device with encrypted and non-encrypted iTunes backup, so you can see what you would be missing with non-encrypted method.
…and write a feedback here with your results )