Geus J, Gruber J, Wozar J, Freiling F (2025)
Publication Language: English
Publication Type: Journal article
Publication year: 2025
Book Volume: 54
Pages Range: 1-10
Article Number: 301978
URI: https://www.sciencedirect.com/science/article/pii/S2666281725001179
DOI: 10.1016/j.fsidi.2025.301978
Open Access Link: https://doi.org/10.1016/j.fsidi.2025.301978
Mobile phone data is crucial for gathering investigative leads and solving cases in most criminal investigations. An increasingly common method for collecting mobile data as evidence is acquiring phone backups stored in manufacturer cloud services. However, the reliability of this evidence source compared to the original device has yet to be thoroughly assessed. In this work, we investigate the accuracy and completeness of iOS backups stored in iCloud. We propose a novel evaluation methodology based on dynamic binary instrumentation, enabling precise tracking of backup contents during the restore process. Using this approach, we compare a full file system extraction and a local backup of an iOS device to a backup downloaded from iCloud and restored on a test device. Our analysis reveals significant discrepancies in timestamp information and minor differences in user data—both critical considerations when analyzing iOS backups in criminal investigations.
APA:
Geus, J., Gruber, J., Wozar, J., & Freiling, F. (2025). From sync to seizure: A binary instrumentation-based evaluation of the iCloud backup process. Forensic Science International: Digital Investigation, 54, 1-10. https://doi.org/10.1016/j.fsidi.2025.301978
MLA:
Geus, Julian, et al. "From sync to seizure: A binary instrumentation-based evaluation of the iCloud backup process." Forensic Science International: Digital Investigation 54 (2025): 1-10.