All applications are stored in the data partition of the iOS device. The acquisition method used to obtain the forensic image may affect the access provided to the application data for examination. The applications and associated user data may be stored in more than one location on the device. Although the most common area to recover application data is the /private/var/mobile/Containers/Data/Application directory, traces may exist in other locations [1, 2]. Another common location is /private/var/mobile/Containers/Shared/AppGroup. This directory may store additional files and databases of interest. The best method for recovering all data relating to a specific application is to conduct a physical keyword search in a tool such as Physical Analyzer or a content search in Oxygen Forensics. If you simply have a logical dump to examine, the applications will be listed under /applications.
iOS applications are stored in the /private/var/mobile/Containers/Data/Application and /private/var/mobile/Containers/Shared/AppGroup directories on the data partition. The Application folder is named according to the application identifier. For example, Facebook may be listed as FEE2B8A6-C70C-4BAA-AE79-D3A4996FF496. That folder contains the Facebook.app, Documents, Library, and tmp folders. It is best to examine each directory if databases and files of interest cannot be located.
References:
[1] Andrew Hoog and Katie Strzempka, iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices (Waltham, MA: Elsevier, 2011).
[2] Heather Mahalik, Rohit Tamma, and Satish Bommisetty, Practical Mobile Forensics, Second Edition (Birmingham, UK: Packt, 2016).
The Application folder contains four separate folders, each of which is explained here [1]:
• Documents folder: Contains the following files, which are required by the application to function; these are generally generic files (such as icons) that are present in the application itself:
a. plists
b. text docs
c. images
• Library folder: Shows traces of user activity
a. cached data
b. cookies
c. preferences (user login data may be found here)
d. WebKit data (if applicable)
• Application code
• TMP folder: Commonly empty, but may be used by the application to store temporary files
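The advice above to examine every directory when databases and files of interest cannot be located can be scripted. The following is an added example, not taken from the cited references: it assumes the data partition has been extracted to a local directory, and the function names and the sample tree are constructed for illustration. It walks the two container locations named above and classifies files by signature rather than by extension.

```python
import re, tempfile
from pathlib import Path
# Container roots named above, relative to the root of an extracted data partition.
ROOTS = ("private/var/mobile/Containers/Data/Application",
         "private/var/mobile/Containers/Shared/AppGroup")
UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
# Classify by file signature, not extension: apps name their databases freely.
MAGIC = ((b"SQLite format 3\x00", "sqlite"), (b"bplist00", "binary plist"),
         (b"<?xml", "xml (possible plist)"))

def classify(path):
    """Return the artifact type from the file's first bytes, or None."""
    try:
        with open(path, "rb") as fh:   # read-only access to the extracted copy
            head = fh.read(16)
    except OSError:
        return None
    return next((kind for sig, kind in MAGIC if head.startswith(sig)), None)

def inventory(image_root):
    """Map container path -> {top-level folder: [(relative path, type), ...]}."""
    report = {}
    for root in ROOTS:
        base = Path(image_root, root)
        for cdir in sorted(base.iterdir()) if base.is_dir() else []:
            if not (UUID_RE.match(cdir.name) and cdir.is_dir()):
                continue   # only identifier-named container folders
            hits = report.setdefault(f"{root}/{cdir.name}", {})
            # symlinked files are skipped
            for f in sorted(p for p in cdir.rglob("*") if p.is_file() and not p.is_symlink()):
                if kind := classify(f):
                    rel = f.relative_to(cdir)
                    top = rel.parts[0] if len(rel.parts) > 1 else "."
                    hits.setdefault(top, []).append((rel.as_posix(), kind))
    return report

def build_sample(image_root):
    """Write a small constructed tree (not real evidence) for the demo."""
    app = Path(image_root, ROOTS[0], "FEE2B8A6-C70C-4BAA-AE79-D3A4996FF496")
    samples = {"Documents/store.bin": b"SQLite format 3\x00" + b"\x00" * 84,
               "Library/Preferences/app.plist": b"bplist00\xd0\x08",
               "Library/Caches/blob.dat": b"\x00\x01\x02", "tmp/scratch.txt": b"note"}
    for rel, data in samples.items():
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory(tmp))
```

On a real extraction, pass the directory that holds the `private` folder to `inventory()` and work on a copy of the evidence, not the original image.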