Authors: Heather Mahalik
DFRWS USA 2020
Understanding how an iOS device was setup is the first step in determine who is responsible for artifacts and activities. Think about how frequently we work cases where the person claims “it wasn’t me. The device arrived this way.” Is is our duty to determine how the data came to be. Was the device activated fresh out of the box and the user started fresh? Was the device restored from iCloud? Was the device restored via an iTunes backup? Why does this matter? Can you tell if the device was wiped prior to setup? All of the simple questions can be answered with some testing and validation.