The iOS backup file should provide full access to the file system (backup) of the Data Partition. The volume of the file system reflects the name of the device. For example, if the iPad was assigned the name “Heather's iPad”, the file system would be listed as "Heather's iPad" with the files and folders listed as directories within the volume.

The file system contains the database files that hold a vast amount of information relating to the data stored within the backup file. Database files for maps, location information, third-party applications, and standard communications are often not fully parsed by forensic tools, such as AXIOM, Inspector, Physical Analyzer, and Oxygen. Remember, the database files can be viewed in an SQLite Browser tool but must be examined in the Hex view to carve deleted data.

The other component of the backup includes plist files that are created with a backup. The Info.plist contains device information (equipment identifiers, applications installed, backup information, and so on). The Manifest.plist lists if the backup is encrypted. This comes into use and is required should the backup file need to be accessed forensically if it is locked. The Manifest.mbdb contains a listing of data stored in the backup. Even if the backup is encrypted, this data can be parsed for more information. Scripts for parsing the Manifest.mbdb can be found at https://github.com/halpomeranz/mbdbls. With iOS 10+, the manifest.mbdb was replaced with the manifest.db. You may find that this file can be encrypted!

For more information on how SQLite databases are formatted, refer to https://for585.com/sqlite.