A key aspect in iOS device forensics is to examine and analyze the data acquired to interpret the evidence. Data on most iOS devices is encrypted, and it requires that the data partition is decrypted prior to an examination. In the previous chapters, you learned various techniques to acquire data from an iOS device. The raw disk image obtained during physical acquisition, the file system dump, or the logical or backup file contains hundreds of data files that are often decrypted by the forensic tools described in earlier chapters. Even when the data is parsed and decrypted by the forensic tool, manual analysis may be required to uncover additional artifacts or to simply validate your findings. This chapter ...