Understanding the way that each platform stores data leads to better, more thorough examinations.

The bulk of the user data for iOS devices is contained in one or two different files (with the exception of any supporting audio/video/image/proprietary files). The iOS platform utilizes both the .plist and SQLite database files to store user-related content for each application. A bonus to third-party application analysis is that most of the data is uncovered from a mere file system dump of the device. App-related content is a dataset that is backed up on most platforms because the users require this data when they make improvements or changes to their mobile device firmware.

Several options for triaging an iOS device include:
Reviewing the Installed Applications: This is not always all-inclusive of the applications loaded on the device.
Expanding the file system: The iOS file system layout stores each of the native iOS applications under the Library folder (depicted at right in notes).

Here you will notice a folder for items such as Address Book, Call Logs, Calendar, SMS, and more. The location of third-party application files may vary based on the method of acquisition and the tool that is used to analyze the file system (as depicted in the slide above in the differences in displaying the filesystem between Axiom and Cellebrite).

Common locations for third-party application data:
private/var/mobile/Containers/Data/Application and private/var/mobile/Containers/Shared/AppGroup followed by the ”third-party application name folder” or GUID (which is unique in each location).