This table illustrates the additional data that can be extracted from a jailbroken iOS device compared to an encrypted iTunes backup.
| Category / Artefact | Encrypted iTunes Backup | Jailbroken Device Extraction (Full File System) | Forensic Significance |
|---|---|---|---|
| System Logs (/var/log, crash logs) | ❌ | ✅ | Reveals app crashes, reboot events, timestamps, sometimes GPS fragments. |
| App Sandboxes (complete) | 🔸 Partial (user data only) | ✅ | Access to caches, tmp files, internal config and deleted artefacts from third-party apps. |
| Keychain (incl. system, Wi-Fi, VPN creds) | ✅ (limited export subset) | ✅ (complete keychain database) | Root keychain includes tokens, certificates, and secure app credentials not included in backups. |
| Health & Fitness Data | ✅ | ✅ | Same data, but on device includes raw samples, deleted entries, and metadata from com.apple.health.db. |
| Safari Data | ✅ (History, bookmarks, autofill) | ✅ (Full caches, downloads, session states, favicons, cookies) | Deleted browsing data recoverable. |
| Messages (SMS/iMessage) | ✅ | ✅ | Same core DB, but device holds attachments, sync logs, and deleted threads not exported. |
| Third-party App Databases | ✅ (user-accessible areas) | ✅ (entire /var/mobile/Containers/Data/Application/) | Provides tokens, hidden logs, deleted messages (e.g., WhatsApp, Telegram, Signal). |
| Push Notification Logs | ❌ | ✅ | /private/var/mobile/Library/PushStore/ contains notification content and timestamps. |
| Location & GPS History | ✅ (limited, e.g. Maps history) | ✅ (consolidated.db, cache.db, visit_history.db) | Provides raw location events, Wi-Fi geolocation, and background tracking. |
| KnowledgeC Database (user behaviour analytics) | ❌ | ✅ | Tracks app usage, screen on/off, keyboard activity — crucial for timelines. |
| Screen Time / Usage Stats (KnowledgeC subset) | ✅ (limited) | ✅ | Detailed session timestamps, including background app use. |
| Wi-Fi & Bluetooth Pairings | ✅ (limited) | ✅ (full /Library/Preferences & /SystemConfiguration) | Includes timestamps, device addresses, and deleted networks. |
| System & Daemon Configuration Files | ❌ | ✅ | Shows installed profiles, VPN, APNs, system logs — evidence of tampering or MDM control. |
| Caches, tmp, plist remnants | ❌ | ✅ | Valuable for reconstruction of deleted artefacts. |
| App binary & bundle inspection | ❌ | ✅ | Allows reverse engineering of app version behaviour (e.g. verifying an installed version against a CVE). |
| Notification Centre contents | ❌ | ✅ | /private/var/mobile/Library/UserNotifications/ retains notification texts. |
| Photos metadata (EXIF + sidecar caches) | ✅ | ✅ | Device view includes deleted thumbnails, edits, Live Photo motion fragments. |
| Spotlight Index & Search History | ❌ | ✅ | /private/var/db/Spotlight-V100/ and /CoreSpotlight/ show file names, searches, and deleted references. |
| Mail Database (actual mail content) | ❌ | ✅ | /var/mobile/Library/Mail/ includes full email messages, attachments, and deleted cache fragments. |
| Wallet & Apple Pay Tokens | ✅ (partial) | ✅ (raw secure element metadata if accessible via entitlements) | Rarely accessible without a SEP exploit. |
| System daemons & diagnostic data (/private/var/db) | ❌ | ✅ | Reveals power logs, thermal events, process launch histories. |
| Deleted Data Recovery Potential | ❌ | ✅ | Full FS gives access to unallocated space, journal files, WALs — potential recovery of deleted content. |