Summary

This chapter covered various data analysis techniques and specified the locations for common artifacts within the iOS device's filesystem. When writing this chapter, we aimed to cover the most popular artifacts that tie into most investigations. Clearly, it is impossible to cover them all. We hope that once you learn how to extract data from SQLite and plist files, intuition and persistence will assist you in parsing the artifacts that were not covered.

Keep in mind that most open-source and commercial tools are able to pull active and deleted data from common database files, such as contacts, calls, SMS messages, and more, but they often overlook the third-party application database files. Our best advice is to know how to recover the data manually, just in case you need to validate your findings or testify as to how your tool functions.

We covered techniques to recover deleted SQLite records that prove useful in most iOS device investigations. Again, the acquisition method, encoding, and encryption schemes can affect the amount of data that you can recover during your examination.

In the next chapter, iOS Forensic Tools, we will introduce you to the most popular mobile forensic tools—Cellebrite UFED Physical Analyzer, Magnet AXIOM, Elcomsoft Phone Viewer, and Belkasoft Evidence Center.
