iOS uses a highly structured and sandboxed filesystem designed for security and isolation. Unlike Android, iOS restricts nearly all direct file access, making forensic acquisition more challenging. Understanding how data is stored across the system, app sandboxes, and device partitions is essential for effective mobile forensics.

This chapter explains the iOS file layout, key evidence locations, important system directories, app data storage, and how iOS security affects forensic extraction.

iOS File System Overview

iOS is built on a Unix-like architecture (Darwin) and uses a sandbox model that isolates each app. Forensic evidence lives across:

System partitions
User data partition
App containers
Keychain
Logs
Databases
Media directories

Newer iOS versions introduce strong encryption and strict access control, requiring specialized forensic tools.

Core iOS Partitions

1. System Partition (Root Filesystem)

Read-only on normal devices.

Contains:

iOS operating system
Default apps
Frameworks
Device libraries
System binaries

Rarely changes except during system updates.

2. Data Partition (User Data)

Most important forensic partition.

Contains:

App data
Messages
Photos
Databases
Keychain
User accounts
System logs
Preferences

Mounted at:

/private/var/

Most evidence is stored under /private/var/mobile.

Important Directories in iOS Forensics

1. /private/var/mobile/

The primary evidence location for investigators.

Contains:

App data
Messages (SMS/iMessage)
Contacts
Call history
Keychain data (in encrypted form)
Media files

This is the “home directory” of the user.

2. /private/var/mobile/Containers/

App sandboxes are stored here.

Paths:

/private/var/mobile/Containers/Data/Application/
/private/var/mobile/Containers/Bundle/Application/

Each app has two main folders:

Data/Application/

Contains:

SQLite databases
Documents
Cache
Preferences
Temp files

Bundle/Application/

Contains:

App binaries
Resources

These container folders contain the majority of app-related forensic evidence.

3. /private/var/mobile/Library/

Another critical evidence directory.

Contains:

SMS database
Call history
Notes
Safari data
Keyboard dictionary
Maps data
Preferences

Important subfolders:

SMS:

Library/SMS/sms.db

Call History:

Library/CallHistoryDB/CallHistory.storedata

Address Book (Contacts):

Library/AddressBook/

Notes:

Library/Notes/

Safari:

Library/Safari/

Keyboard Dictionary:

Library/Keyboard/

These contain high-value user evidence.

4. /private/var/mobile/Media/

Stores all user-created media.

Contains:

Photos
Videos
Camera Roll
Screenshots
Recordings

Paths:

/private/var/mobile/Media/DCIM/
/private/var/mobile/Media/PhotoData/

PhotoData metadata includes:

EXIF
Timestamps
Geolocation
Edit history

5. /private/var/root/

Contains system-level data (less relevant for user forensics unless device is jailbroken).

6. /private/var/logs/

Contains logs such as:

Crash logs
Wi-Fi logs
System diagnostics

Important for understanding device behavior.

7. /System/

Holds the OS framework.
Rarely contains user-level evidence.

Important Evidence Files & Databases

1. Messages (SMS/iMessage)

Stored in:

/private/var/mobile/Library/SMS/sms.db

Contains:

Text messages
iMessages
Attachments (links to media folders)
Sender/receiver metadata

2. Call History

Stored in:

/private/var/mobile/Library/CallHistoryDB/

3. Contacts

Stored in:

/private/var/mobile/Library/AddressBook/

4. Photos & Videos

Located in:

/private/var/mobile/Media/DCIM/
/private/var/mobile/Media/PhotoData/

EXIF metadata includes:

GPS location
Camera model
Timestamp
Edit history

5. App Data

Each app stores data in:

/private/var/mobile/Containers/Data/Application/<UUID>/

Inside:

Documents (user files)
Library (databases, preferences)
tmp (temporary data)

This is essential for social media, messaging, and browsing apps.

6. Keychain

Stores:

Passwords
Tokens
Certificates
Wi-Fi keys

Heavily encrypted using hardware keys.

7. Safari Data

Stored in:

/private/var/mobile/Library/Safari/

Contains:

History.db
Bookmarks
Cache
Cookies

File System Types Used in iOS

iOS uses:

APFS (Apple File System) for all modern devices
Strong encryption via:
- AES hardware encryption
- Secure Enclave
- File-Based Encryption (FBE)

APFS snapshots may store historical system states.

Encryption Impact on Forensics

Apple incorporates multiple encryption layers:

1. Device Encryption

Data unavailable without passcode.

2. Per-file Encryption

Each file has its own key.

3. Secure Enclave

Hardware-based key protection.

4. Data Protection Classes

Files available only under certain device states:

After first unlock
Always
When locked

Investigators need correct extraction level (logical, backup, full file system).

Extraction Challenges

Full file system extraction requires jailbreak or specialized tools
Encrypted containers require device unlock
iCloud sync introduces remote evidence
Lockdown records needed for trusted pairing

Intel Dump

iOS stores most user data in /private/var/mobile/ and app containers in /private/var/mobile/Containers/.
High-value evidence includes SMS (sms.db), contacts, call logs, Safari history, photos, and app databases.
App data is isolated in Data/Application/<UUID>/ directories containing SQLite DBs, caches, documents, and preferences.
Photos and videos are located in /Media/DCIM/ and /Media/PhotoData/, with rich EXIF metadata.
APFS, Secure Enclave, and data protection classes make forensic extraction harder and require authorized unlocking or specialized tools.
Full-file-system access usually requires jailbreak, device unlock, or advanced commercial forensic tools.