Don't beat me up too badly. New to the mobile forensics world. Have been doing disk forensics for a little while.
So my initial question is - is an itunes backup the same as a forensic image? Obviously the answer would be no since images are bit by bit and can potentially get a lot more information. However, that being said, since Apple locks down their phones pretty tightly and no one can actually obtain a true physical image of an iphone, how close is a logical image to an itunes backup….date wise?
What all would you be missing from an itunes backup vs a logical? just deleted?
A backup is just that, a backup. Not ideal but might be the only thing available to you in some situations. With iOS most people are limited to an iTunes backup unless the phone is jailbroken or you have access to a GrayKey or Cellebrite's services.
The limitations of a backup are that you're connecting through an API and the device is letting you pull specific data that it allows. You're limited by permissions and the API. Also, each app chooses if it gets backed up and what from that app gets backed up so if an app chooses not to be backed up, you're not getting anything (which they can also change their mind in newer versions).
You're not getting unallocated/deleted data even in a file system dump (though you could get deleted records inside databases, etc…). I'm not sure what you're referring to when you say logical, technically an iTunes backup and a full file system dump are both logical images that you create. The difference between the two is basically your permission level on the device.
So short version to your question, is it the same as a forensic image? No. Is it the only thing you're going to get and can you use it forensically (maintain integrity/chain of custody) after it's been acquired? Sure thing.
Sort of what I was alluding to in that it is not the same as a forensic image but with Iphones there aren't really forensic images. Unless, as you stated, you had the services of Graykey, cellebrite, etc.
Logical image is what cellebrite calls their images because it does not actually get a physical. (with their software)
So an intunes backup in the cloud, for example, is getting a good bit of everything on the phone outside of unallocated/deleted and what an app does not choose to backup.
iCloud backups are still limited to app data that the specified app chooses to backup so it's not much better than an iTunes backup. You may also get additional data from iCloud that's stored in the cloud but not part of the backup but that's separate from the backup itself.