secau Security Research Centre, Edith Cowan University, Perth, Western Australia
iPhone logical backup files can provide forensic examiners with almost the entire contents of its host phone up until the point that the backup took place. This paper serves to provide an overview of the information attainable via the analysis of an iPhone backup, making references to the applicability of such analysis in the digital forensics field. The paper introduces the backup directories for various common operating systems, and exposes the contents. Information about the property lists (plist files) containing information about the backed-up device and its contents are detailed, along with the mbdb/mbdx database files, and finally the extension-less backup files, is provided. Tools such as the iphonebackupbrowser, iPhone/iPod Backup Extractor and Oxygen Forensic Suite are discussed for their suitability with extracting iPhone backup data. Finally, a taxonomy of potential information of forensic interest is included, highlighting common filenames; the contained information; and their purpose in an investigation.