Other important files

Apart from SQLite and plist files, several other locations may contain valuable information to an investigation.

The other sources include the following:

  • Cookies
  • Keyboard cache
  • Photos
  • Wallpaper
  • Snapshots
  • Recordings
  • Third-party applications

Cookies

Cookies can be recovered from /private/var/mobile/Library/Cookies/Cookies.binarycookies. This file is a standard binary file containing cookies that are saved when web pages are accessed on the device. This information can be a good indication of what websites the user has been actively visiting. Keep in mind that third-party applications may also contain this file.

To convert the binary cookie to human readable format, run the BinaryCookieReader.py Python script on the cookie file, as in the following command (the Python script source code is available in the code bundle of the book):

$python BinaryCookieReader.py Cookies.binarycookies
Cookie : __utma=167051323.813879307.1359034257.1367989551.1386632713.9; domain=.testflightapp.com; path=/; expires=Wed, 09 Dec 2015;
Cookie : __utmb=167051323.24.8.1386633092975; domain=.testflightapp.com; path=/; expires=Tue, 10 Dec 2013;
Cookie : __utmz=167051323.1386632713.9.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); domain=.testflightapp.com; path=/; expires=Tue, 10 Jun 2014;
Cookie : tfapp=1d29da4a798a90186f1d4bfce3ce2f23; domain=.testflightapp.com; path=/; expires=Thu, 09 Feb 2017;
Cookie : user_segment=Prospect; domain=.testflightapp.com; path=/; expires=Wed, 08 Jan 2014; [...]
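To show what a reader like BinaryCookieReader.py actually does with the file, here is an added Python parser for the binarycookies layout (this is not the book's script from the code bundle). It walks the 'cook' header, the big-endian page table and the little-endian cookie records, and it builds a constructed sample file to run against; the domain and cookie names mirror the output above, but the values and dates are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # cookie timestamps count from here

def _cstr(buf, off):  # NUL-terminated string starting at buf[off]
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")

def parse_binarycookies(data):
    """'cook' magic, BE page count and page sizes, then pages of LE cookie records."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' magic: not a binarycookies file")
    npages = struct.unpack(">I", data[4:8])[0]
    sizes = struct.unpack(">%dI" % npages, data[8:8 + 4 * npages])
    pos, cookies = 8 + 4 * npages, []
    for size in sizes:
        page, pos = data[pos:pos + size], pos + size
        ncookies = struct.unpack("<I", page[4:8])[0]  # 4-byte page header, then count
        offsets = struct.unpack("<%dI" % ncookies, page[8:8 + 4 * ncookies])
        for off in offsets:  # page-relative offsets of each record
            c = page[off:]   # string offsets below are relative to the record start
            _, _, flags, _, url_o, name_o, path_o, val_o = struct.unpack("<8I", c[:32])
            expiry, _created = struct.unpack("<dd", c[40:56])  # bytes 32..40 are zero
            cookies.append({"domain": _cstr(c, url_o), "name": _cstr(c, name_o),
                            "path": _cstr(c, path_o), "value": _cstr(c, val_o),
                            "secure": bool(flags & 1), "httponly": bool(flags & 4),
                            "expires": MAC_EPOCH + timedelta(seconds=expiry)})
    return cookies

def _record(domain, name, path, value, flags, expires):
    """Serialise one cookie record in the on-disk layout (used only for test data)."""
    strings = [s.encode() + b"\x00" for s in (domain, name, path, value)]
    offs, end = [], 56  # 32-byte header + 8 zero bytes + two 8-byte doubles
    for s in strings:
        offs.append(end); end += len(s)
    return (struct.pack("<8I", end, 0, flags, 0, *offs) + b"\x00" * 8
            + struct.pack("<dd", (expires - MAC_EPOCH).total_seconds(), 0.0)
            + b"".join(strings))

def sample_file():
    """Constructed single-page file with two cookies; not a real device artifact."""
    recs = [_record(".testflightapp.com", "tfapp", "/", "abc123", 1,
                    datetime(2017, 2, 9, tzinfo=timezone.utc)),
            _record(".testflightapp.com", "user_segment", "/", "Prospect", 0,
                    datetime(2014, 1, 8, tzinfo=timezone.utc))]
    offs, cur = [], 12 + 4 * len(recs)  # page header + count + offsets + footer
    for r in recs:
        offs.append(cur); cur += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(recs))
            + struct.pack("<%dI" % len(recs), *offs) + b"\x00" * 4 + b"".join(recs))
    return b"cook" + struct.pack(">II", 1, len(page)) + page
```

Pointing parse_binarycookies at the bytes of a real Cookies.binarycookies file yields the same domain/name/path/value/expiry fields the script prints above, plus the secure and HttpOnly flags.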

Keyboard cache

The keyboard cache is captured and saved in the dynamic-text.dat file. The file is located at /private/var/mobile/Library/Keyboard/dynamic-text.dat and contains the keyboard cache, which consists of text entered by the user. This text is cached as part of the device's autocorrect feature, which was designed to autocomplete common predictive words as well as to cache words typed by the user on the device. The file keeps a list of approximately 600 words per language used on the iOS device. Commonly, this file is the only source of the artifact when the data itself is inaccessible, encrypted, or permanently deleted from the iOS device.

The dynamic-text.dat file is a binary file, and it can be viewed using a hex editor. This file may contain passwords that were cached by the iOS device, which can then be used in brute force attacks on the device or on an encrypted backup of the device. This is sometimes one of the best artifacts recovered from an iOS device.

Photos

Photos are stored in a directory located at /private/var/mobile/Media/DCIM/, which contains the photos taken with the device's built-in camera, screenshots, selfies, photostream, recently deleted photos, and accompanying thumbnails. Some third-party applications will also store photos taken in this directory. Every photo stored in the DCIM folder contains EXIF (Exchangeable Image File Format) data. The EXIF data stored in the photo can be extracted using exiftool, which can be downloaded from http://www.sno.phy.queensu.ca/~phil/exiftool/. EXIF data may also contain geographical information: a photo is tagged with the user's geolocation if the user has enabled location permissions on the iOS device.

Wallpaper

The current background wallpaper set for the iOS device can be recovered from the LockBackgroundThumbnail.jpg file, which is found at /private/var/mobile/Library/SpringBoard/LockBackgroundThumbnail.jpg. This is complemented by a thumbnail in the same directory. The wallpaper picture may contain identifying information about the user, which could help in a missing persons case or in the investigation of a stolen iOS device.

Snapshots

The snapshots directory contains screenshots of the most recent states of built-in applications at the time they were suspended. This directory is located at /private/var/mobile/Library/Caches/Snapshots/. These files may not be accessible if a physical acquisition is not obtained; in this case, carving for photos is the best recovery attempt. Every time an application is suspended to the background by pressing the Home button, a snapshot is taken to produce the shrinking animation. Third-party applications also store their snapshot cache inside the application's own folder.

Recordings

The iPhone allows a user to record voice memos very easily. The recorded voice memos are stored in the /private/var/mobile/Media/Recordings/ directory. Recordings here could be used to identify a person, based on their voice, and they may also contain information, such as voice reminders, which won't be stored in the calendar database. Recordings provide a lot of information to the examiner as they are user-created and often not deleted.

Downloaded applications

Third-party applications, which are downloaded and installed from the App Store, include applications such as Facebook, WhatsApp, Viber, Threema, Tango, Skype, Gmail, and more, and they contain a wealth of information that is useful for an investigation. Some third-party applications use Base64 encoding, which needs to be decoded for viewing, and some use encryption. Applications that encrypt the database file may prevent the examiner from accessing the data residing in the tables. Encryption varies amongst these applications based on the application and iOS versions.

A subdirectory with a unique GUID is created for each application that is installed on the device in the /private/var/mobile/Applications/ directory. Most of the files stored in the application's directory are in the SQLite and plist formats. Each file must be examined for relevance. We recommend using Oxygen Forensics and IEF Mobile when possible to extract these artifacts quickly before going back and manually running queries and parsing the data.
