once we have the access to the iCloud, we can subtract the data from the device (if multiple devices are found).
The backup can then be downloaded to our own environment to be able to investigate the data using our forensic software.
In the example below we use Lantern to make the iCloud backup visible, but we can also do this using the Ufed Physical Analyser.
After reading the data into our software, we can generate a report of the found results.
The data can be data like Whatsapp-messages, SMS-messges, iMessages, Calendar information, internethistory, voicememos, pictures, video’s chatsessions and so on. In some cases the iCloud backup is relatively old and can provide information that cannot be found on the mobile phone anymore.