Apple Ecosystem: Overlooked Devices

June 18th, 2025 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

When it comes to digital evidence, most investigators naturally focus on smartphones – and occasionally tablets. But the rest of the Apple ecosystem often goes unnoticed: Apple Watch, Apple TV, HomePod, even older iPod Touch models. These supplementary devices might seem irrelevant, but they can contain valuable digital artifacts: activity logs, Wi‑Fi credentials, leftover bits and pieces of information, system logs, and even synced photos.

The challenge isn’t just whether these devices hold data – it’s whether you can extract anything effectively and whether you should make the effort. In some cases, checkm8-based extraction is possible (checkm8 is a bootrom exploit affecting devices with A5 through A11 chips), which opens the door to low-level access. In others, only logical access is possible – or no access at all, especially on newer A12+ devices. This article provides a practical view of what data you can realistically extract from supplementary Apple devices, how hard it is, and when it’s worth the effort.

Apple Ecosystem: overlooked devices

Beyond iPhones and iPads, Apple’s ecosystem includes other devices that can hold digital evidence – such as iPod Touch, Apple Watch, Apple TV, and HomePod. Each device type stores different data, applies various security mechanisms, and requires distinct extraction methods and approaches – many of which are supported in iOS Forensic Toolkit.

Some still support techniques from older iPhone forensics (thanks to checkm8 compatibility). Others require pre-configured log collection or offer only a handful of timestamped artifacts. Before dedicating effort, it’s critical to know what the device can store, how difficult the extraction will be, and whether that effort will benefit the investigation.

Apple iPod Touch

Though formally a music player, the iPod Touch is functionally similar to an iPhone (sans SIM). The final model – the 7th generation released back in 2019 (A10 SoC, just like in iPhone 7) – was declared obsolete in 2022. It supports up to iOS 15 and can store a full suite of synced user data: messages, keychain items, Safari history, notes, and more.

All models are vulnerable to a bootloader exploit, enabling low-level extraction comparable to older iPhones. These devices are rare in casework, but analyzing one – when found – is almost always worthwhile.

Data you can extract:

  • Messages (iMessage/SMS)
  • Contacts, calendars, notes
  • Safari browsing history
  • Keychain (including stored passwords)
  • Photos and videos
  • Call history (FaceTime and CallKit calls)
  • iCloud backups (with Apple ID access)

Access difficulty:

  • iPhone-level protection: passcode, Touch ID
  • Supports a bootloader exploit
  • Supports local and limited iCloud sync
  • Device must be unlocked; passcode required

Apple Watch

Apple Watch models vary in capability and protection. Series 3 and earlier can support checkm8-based access, with full access to keychain data possible. Watches also contain synced data from paired iPhones (e.g., thumbnail images, call history) and maintain their own activity logs – which can be enabled with a Sysdiagnose profile for watchOS.

However, the biggest hurdle is access. A locked watch requires its 4-digit PIN – which cannot be brute-forced – or an unlocked paired iPhone (though that alone doesn’t grant full access). If both watch and iPhone are available and unlocked, the watch rarely adds anything new. But when seized separately or if you can bypass the lock, extraction may be worthwhile.

How is data extracted, exactly? It depends on the generation of the Apple Watch.

For the earliest model – Series 0 – full physical acquisition is possible. This includes a full image of the device data partition, and even passcode unlock.

For Series 1 to Series 3, data extraction is done using a bootloader exploit, allowing access to both the file system and the keychain. The amount and type of data recovered is comparable to what’s available from Series 0; however, passcode unlock is not available.

Starting with Series 4 and newer, only logical acquisition is possible. This typically includes media files (including metadata) and system logs – but no access to the file system or keychain.

Data you can extract:

  • Full keychain (via checkm8, on supported models)
  • Activity, movement, heart rate logs
  • Thumbnail images (occasionally)
  • Connection profiles and network settings
  • Sysdiagnose logs (if the Sysdiagnose profile was pre-installed)

Access difficulty:

  • 4-digit PIN (no brute-force support)
  • No biometrics; unlocking via a paired iPhone is possible (but extraction is only possible with the PIN)
  • Sysdiagnose profile needed to generate the logs
  • Series 3 and earlier support checkm8; newer models only support logical extraction

Apple TV

An Apple TV can still be a useful source of evidence: Wi‑Fi passwords, system logs, playback history, and occasionally synced photos. It lacks passcode protection. Older models (pre-A12) are vulnerable to checkm8, enabling deeper access. Logs are the most useful artifacts, helping establish usage timelines.

Apple TVs are common, and in cases where timestamps and usage data could matter, they’re worth analyzing. The forensic value of an Apple TV depends heavily on the model. All units up to and including the first-generation Apple TV 4K are vulnerable to a bootloader exploit, allowing full file system extraction and access to additional artifacts.

Early models (1st through 3rd generation) use a microUSB port for connection, while the Apple TV HD (formerly known as the 4th generation) features USB‑C. The first-generation Apple TV 4K lacks a built-in diagnostic port and requires a special adapter for access.

Starting with the second-generation Apple TV 4K, only limited logical analysis is available. These devices don’t generate backups, and accessible data is mostly limited to metadata and usage logs. The third-generation Apple TV 4K currently offers no viable connection method: one version lacks Ethernet altogether, while the other includes it – but there is no hidden Lightning port underneath.

The original Apple TV (1st gen, 2007) is not supported and is not considered a forensically relevant device.

Data you can extract:

  • Wi‑Fi passwords
  • Activity logs (power on/off, service use)
  • Playback history
  • Synced photos (if iCloud was enabled)
  • App-specific files (via low-level extraction)

Access difficulty:

  • No passcode or biometric protection
  • Older models vulnerable to checkm8
  • Newer models allow only limited logical extraction
  • Recent units need a proprietary adapter; earlier ones had USB‑C ports

Apple HomePod

The original HomePod (A8 chip) is vulnerable to checkm8, offering low-level access if you build a custom adapter (often 3D-printed). Still, the data stored is minimal – even less than Apple TV.

You might retrieve logs detailing music playback, Siri invocation timestamps, Wi‑Fi profiles, or some random (usually old) call metadata. If the goal is to establish presence in a location, these sparse logs may help – but it’s generally a low-yield effort unless specifically called for.

It’s worth noting that if the speaker is used as a hub for Apple Home, it can store surprisingly useful data – including records of when someone arrived or left, lights being turned on or off, and other smart home events tied to user activity.

Data you can extract:

  • Activity logs
  • Music playback history
  • Siri invocation timestamps (not query content)
  • Wi‑Fi network settings and passwords (from iCloud)
  • Account metadata

Access difficulty:

  • No passcode or biometric protection
  • Only first-gen HomePod supports checkm8; later models do not
  • Logical access is extremely limited
  • Custom adapter needed (none commercially available)
  • Stored data is sparse

Bottom Line: is it worth the effort?

Apple’s extended ecosystem includes many wearable and stationary devices – some holding full sets of user data, others only timestamp markers or duplicating info found on a smartphone.

The real question is not whether the data exists, but whether it’s worth extracting.

The key takeaway: don’t ignore these devices, but don’t chase them blindly either. If a device seems low-priority, it’s okay to delay analysis – just don’t discard it. But if it could help establish an alibi, construct a timeline, or fill in behavioral gaps, spending a few hours extracting its data is often time well spent.


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.