A physical acquisition of an iOS device provides access to the full file system of the device. By default, Apple sets the System partition read-only, preventing the user from modifying it. The Data partition stores user-created files, applications, and more.

The Library, Applications, and Media directories are where the majority of user data is stored, and most of their contents are included in the backup file created when the user backs up the device using iTunes.

Jailbreaking an iOS device gives the user read/write access to the System partition. Access to the System partition gives users more control and the ability to install unauthorized third-party applications, but it voids the Apple warranty. Older methods of physical acquisition forced forensic examiners to jailbreak a device in order to gain access.

The /private/var/mobile directory holds most of the user data on the iOS device. The Applications folder holds all downloaded apps and their associated data; each folder under Applications is named according to the application identifier. The remaining data is stored in the Library and Media folders.

Examples of the physical partitions are shown below. Notice that both the System and Data partitions use the HFS+ file system. The System partition is displayed on the left and the Data partition on the right. Again, the method of acquisition may affect the data that is shown in Physical Analyzer. The System partition has the volume name "Telluride9A405.N92OS". This volume name can be broken down as follows [1]:

Codename = Telluride

Build = 9A405

Reference:

[1] https://for585.com/iwiki (The iPhone Wiki Page)

[Image: System Partition]

[Image: Data Partition]

When examining an iOS file system dump (for devices not using the A5 chip) in Physical Analyzer, two partitions are listed under File Systems. The first partition is named after the iOS device itself; for example, "Heather's iPhone" would represent an iPhone that the user named Heather. The second partition is the TarArchive, which contains all the backup files, similar to what is created when the device is backed up with iTunes.

For iOS devices using the A5 chip or later, the file system may simply be one zip file containing the AFC Service, Backup Service, and Lockdown Service data.

An advanced logical/file system dump may not expose deleted data during parsing. However, deleted data may still reside in the database files and can be recovered using methods taught in this course.

Keep in mind that a "physical" keyword search does not work on advanced logical/file system dumps. Because the data is a .tar archive of a backup, there is no raw container or image file to search, so logical searching provides the most results. Oxygen is a better tool for searching content in iOS advanced logical or file system dumps.
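To illustrate the two points above (the backup-style dump is a tar of individual files, and the application folders are keyed by app identifier), here is an added Python example that is not part of the course material or any vendor tool. It builds a small constructed tar archive standing in for a file system dump, groups the archived files under Applications by their app identifier folder, and runs a logical search that reads each archived file rather than a raw image; the paths, identifier and file contents are constructed placeholders.

```python
import io
import tarfile

# Constructed stand-in for a backup-style .tar dump (not real device data).
# The app identifier folder name is a placeholder, not a real iOS identifier.
SAMPLE_FILES = {
    "private/var/mobile/Library/SMS/sms.db": b"SQLite format 3\x00meet at 9pm",
    "private/var/mobile/Applications/0000-APPID-EXAMPLE/Library/Preferences/com.example.plist":
        b"<plist version=\"1.0\"></plist>",
    "private/var/mobile/Applications/0000-APPID-EXAMPLE/Documents/notes.txt": b"meet at 9pm",
    "private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG": b"\xff\xd8\xff\xe0JFIF",
}


def build_sample_tar() -> bytes:
    """Write the constructed files into an in-memory, uncompressed tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def group_by_app(tar_bytes: bytes) -> dict:
    """Map each application identifier folder under Applications to its files."""
    apps = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.isfile() and "Applications" in parts:
                idx = parts.index("Applications")
                if idx + 1 < len(parts):
                    # parts[idx + 1] is the app identifier folder; keep the path below it.
                    apps.setdefault(parts[idx + 1], []).append("/".join(parts[idx + 2:]))
    return apps


def logical_keyword_search(tar_bytes: bytes, keyword: bytes) -> list:
    """Logical search: open each archived file in turn and test its content.
    There is no raw image to carve, so the search is per archived file."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            handle = tar.extractfile(member)
            if handle is not None and keyword in handle.read():
                hits.append(member.name)
    return hits
```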