Authors: Julian Geus, Jan Gruber, Jonas Wozar, Felix Freiling
DFRWS APAC 2025
Abstract
Mobile phone data is crucial for gathering investigative leads and solving cases in most criminal investigations. An increasingly common method for collecting mobile data as evidence is acquiring phone backups stored in manufacturer cloud services. However, the reliability of this evidence source compared to the original device has yet to be thoroughly assessed. In this work, we investigate the accuracy and completeness of iOS backups stored in iCloud. We propose a novel evaluation methodology based on dynamic binary instrumentation, enabling precise tracking of backup contents during the restore process. Using this approach, we compare a full file system extraction and a local backup of an iOS device to a backup downloaded from iCloud and restored on a test device. Our analysis reveals significant discrepancies in timestamp information and minor differences in user data—both critical considerations when analyzing iOS backups in criminal investigations.