Posts

Showing posts from 2025

Exploring Data Extraction from iOS Devices: What Data You Can Access and How

Following the previous post dedicated to Android devices, this article outlines the data available on iOS devices, depending on the different forensic acquisitions that can be made. The objective is not to propose dedicated guidelines, but to provide a comparison between the data present within different acquisitions that can be obtained from an iOS device, analyzing the specificities of Apple's operating system and related forensic implications.
iOS Data Protection: The Core of Apple Security
The two main elements that determine data extraction possibilities from an iOS smartphone are the device state (AFU or BFU) and the availability/knowledge of the access code/password. In the iOS ecosystem, the main reference is Apple's Platform Security document, available on Apple's official website. The concept of Data Protection is particularly relevant - Apple's proprietary technology used to protect data stored on devices with Apple SoC.
Data Protection Overview
Apple use...

Exploring Data Extraction from Android Devices: What Data You Can Access and How

When I first started working in Digital Forensics, one of the fundamental principles was to always create a bit‑by‑bit copy of the storage device. Back then, we typically dealt with hard drives (internal and external), memory cards, and optical media. The choices to be made—then as now—revolved around how to access the device, giving rise to the concept of order of volatility. Simply put, this means collecting the data that is most likely to disappear first. Traditionally, the main decision was whether to perform live forensics or to “pull the plug” and create a disk image. In practice, the challenge was always finding the most effective method—hardware, software, or a combination—to access stored data without modifying it. In the pre-smartphone era, mobile devices followed a similar logic, but the need for live acquisition—acquiring data while the device was powered on—was already evident. Today, both the world and digital forensics have changed significantly. Several factors...