Third-party applications, which are downloaded and installed from the App Store, including applications such as Facebook, WhatsApp, Viber, Threema, Tango, Skype, Gmail, and more, contain a wealth of information that is useful for an investigation. Some third-party applications use Base64 encoding, which needs to be converted for viewing purposes as well as encryption. Applications that encrypt the database file may prevent the examiner from accessing the data residing in the tables. Encryption varies among these applications based on the application and iOS versions.

A unique subdirectory GUI is created for each application that is installed on the device in the /private/var/mobile/App/ directory. Most of the files stored in the application's directory are in the SQLite and plist format. Each file must be examined for relevance. We recommend using Oxygen Forensics and Magnet AXIOM when possible to extract these artifacts quickly before going back and manually running queries and parsing the data.