Whether a backup is stored in iCloud or on the local machine may determine how much access you have. For example, if you are allowed to examine data at rest, you should be able to examine the iTunes or Finder backups. However, if you don’t have access to the user’s cloud information, whether due to a lack of password and account information or for legal reasons, you will be restricted in what you can examine. The backup files themselves should not matter, depending on the tools that you have. Most tools should support ingesting and parsing both iTunes and iCloud backups. Open-source tools seem to struggle with encryption, and this may be something you stumble upon. If you want to see this in action, attempt to load Lab 1.2 into iBackupBot in the VM. You will get an error about the backup being encrypted. The issue is not cracking the iTunes passcode, but leveraging it to decrypt the backup. These methods will be covered in the upcoming slides.
The most important thing to realize is that all backups likely contain unique data. I back up to my Mac and PC. This is not a frequent occurrence, and to be honest, I am not sure of the frequency. However, I back up to iCloud every single night. See the difference?
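A quick way to check both points above before loading anything into a tool, as an added example that is not part of the original course material: each iTunes/Finder backup folder carries a `Manifest.plist` whose `IsEncrypted`, `Date` and `Lockdown` keys show whether the backup is encrypted and when it was made. The function names, folder names and the two sample backups are constructed for illustration.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path


def triage_backup(backup_dir):
    """Summarise one iTunes/Finder backup directory from its Manifest.plist."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        return None  # not a backup directory, or an incomplete one
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # handles both XML and binary plists
    lockdown = manifest.get("Lockdown", {})
    return {
        "path": str(backup_dir),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "date": manifest.get("Date"),
        "device": lockdown.get("DeviceName"),
        "ios": lockdown.get("ProductVersion"),
    }


def triage_all(root):
    """Triage every backup found directly under root, newest first."""
    found = [b for b in map(triage_backup, sorted(Path(root).iterdir())) if b]
    return sorted(found, key=lambda b: b["date"] or datetime.min, reverse=True)


def build_sample(root):
    """Constructed sample: two backups of one device, not real evidence."""
    samples = {
        "backup-mac": (False, datetime(2023, 1, 5, 9, 30)),
        "backup-pc": (True, datetime(2023, 3, 2, 22, 15)),
    }
    for name, (encrypted, when) in samples.items():
        d = Path(root) / name
        d.mkdir()
        manifest = {"IsEncrypted": encrypted, "Date": when,
                    "Lockdown": {"DeviceName": "Sample iPhone", "ProductVersion": "16.3"}}
        with (d / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for b in triage_all(root):
            print(b["date"], b["device"], "iOS", b["ios"],
                  "ENCRYPTED" if b["encrypted"] else "unencrypted", b["path"])
```

Point `triage_all` at a working copy of the backup folder rather than the original evidence; an `ENCRYPTED` result means the tool you choose must accept the backup password to decrypt.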
The options for iCloud are presented to the user when they log into iCloud or via the iOS device interface. Features like “Find My” are also available and should be considered later in this section in the spyware portion of this course. Most are aware that iCloud enables the user to place the iOS device into Lost Mode or erase the iOS device.