iOS (pronounced i-O.S.) is the name of the operating system for Apple's mobile devices (iPhone/iPad/iPod Touch).
iOS runs a reduced variant of OSX and HFSX as a file system.
A majority of the useful information is stored in /private/var2/mobile/ However there is other useful information stored in the keychains and db folders.
iOS uses sqlite and plist files to store information.
This contains three folders: Applications, Library and Media
Applications contains a series of folders, which contain the data for all of the apps stored on the phone. The name of each app is stored in its iTunesMetadata.plist.
Library contains the most useful information: - Address Book - Calendar - Safari - favorites, open tabs, web history - Mail - mail is encrypted and therefore requires the keychain to be decrypted before it can be accessed - SMS - sms.db, which may include deleted SMS messages - Notes - notes.sqlite, which may include deleted notes - Voicemail - Spotlight - Spotlight database may contain text messages that have since been deleted.
Media contains all Photos loaded onto the device, Books, Purchases, Podcasts, Recordings and Pictures/Videos taken
There are several tools available to extract information out of iOS operating systems (listed alphabetically):
- Aceso by Radio Tactics 1
- Lantern by Katana Forensics 3
- Nuix Desktop and Proof Finder by Nuix.
- Oxygen Forensic Suite by Oxygen Software 4
- UFED and Physical Analyzer by Cellebrite 5
- XRY by Micro Systemation