Third-party applications that are downloaded and installed from the App Store—including applications such as Facebook, WhatsApp, Viber, Threema, Tango, Skype, and Gmail—contain a wealth of information that is useful for an investigation. Some third-party applications use Base64 encoding, which needs to be converted for viewing purposes as well as encryption. Applications that encrypt the database file may prevent you from accessing the data residing in the tables. Encryption varies among these applications, based on the application and iOS versions.

A subdirectory with a universally unique identifier (UUID) is created for each application that is installed on the device in the /private/var/mobile/Containers/Data/Application directory. Most of the files stored in the application's directory are in the SQLite and plist format. Each file must be examined for relevance. We recommend using Belkasoft Evidence Center, Cellebrite UFED Physical Analyzer, Elcomsoft Phone Viewer, and Magnet AXIOM when possible to extract these artifacts quickly, before going back and manually running queries and parsing the data.

Also, information about installed applications can be gathered from the applicationState.db database, located at /HomeDomain/Library/FrontBoard. This is another SQLite database and can be analyzed with an appropriate viewer of the examiner's choice.