Jailbreak versus Encrypted iTunes backup
This table lists the additional data that a full file system extraction from a jailbroken iOS device yields compared with an encrypted iTunes backup. Legend: ✅ available, 🔸 partial, ❌ not available. Paths are given as seen on the device; an encrypted backup is required at all for some rows (Health, Keychain), since unencrypted backups omit them entirely.
| Category / Artefact | Encrypted iTunes Backup | Jailbroken Device Extraction (Full File System) | Forensic Significance |
|---|---|---|---|
| System logs (/var/log, crash logs under Library/Logs/CrashReporter) | ❌ | ✅ | Reveals app crashes, reboots and daemon activity with timestamps; diagnostic logs occasionally carry location fragments. |
| App sandboxes (complete) | 🔸 Partial (Documents and Library of apps that allow backup) | ✅ | Library/Caches and tmp are never backed up, and apps can mark further files as excluded; the device copy holds those caches, tmp files, internal config and deleted artefacts. |
| Keychain (incl. system, Wi-Fi, VPN creds) | ✅ (items in ThisDeviceOnly protection classes are excluded) | ✅ (complete /private/var/Keychains/keychain-2.db, decryptable on the device with its keybag) | Device-only items such as tokens, certificates and secure app credentials never reach a backup. |
| Health & Fitness data | ✅ (encrypted backups only) | ✅ | Same data, but healthdb_secure.sqlite on the device also holds raw samples, metadata and deleted entries recoverable from its WAL and freelist pages. |
| Safari data | ✅ (History, bookmarks, autofill) | ✅ (full caches, downloads, session states, favicons, cookies) | Deleted browsing records may be recoverable from History.db WAL and freelist pages. |
| Messages (SMS/iMessage) | ✅ (sms.db and Library/SMS/Attachments) | ✅ | Same core DB, but the device copy also includes the WAL/journal files and freelist pages from which deleted threads can be recovered. |
| Third-party app databases | ✅ (the app's Documents/Library, minus excluded files) | ✅ (entire /private/var/mobile/Containers/Data/Application/ plus group containers under /private/var/mobile/Containers/Shared/AppGroup/) | Provides tokens, hidden logs and deleted messages (e.g. WhatsApp, Telegram); Signal's database is SQLCipher-encrypted and needs its key from the keychain. |
| Push notification logs (legacy) | ❌ | ✅ | /private/var/mobile/Library/SpringBoard/PushStore/ on older iOS versions holds notification content and timestamps. |
| Location & GPS history | ✅ (limited, e.g. Maps history, photo EXIF) | ✅ (locationd caches such as cache_encryptedA.db, formerly consolidated.db; Significant Locations in com.apple.routined's Local.sqlite and Cache.sqlite) | Provides raw location events, Wi-Fi/cell geolocation and background visit tracking. |
| KnowledgeC database (user behaviour analytics) | ❌ | ✅ (/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db) | Tracks app focus, screen on/off, keyboard activity and more; crucial for timelines. Timestamps are Core Data time (seconds since 2001-01-01 UTC), not Unix time. |
| Screen Time / usage stats | ✅ (limited) | ✅ | Detailed session timestamps, including background app use. |
| Wi-Fi & Bluetooth pairings | ✅ (limited) | ✅ (com.apple.wifi.plist under /private/var/preferences/SystemConfiguration/, Bluetooth pairing databases under the SystemGroup shared containers) | Includes join timestamps, device addresses and networks the user removed. |
| System & daemon configuration files | ❌ | ✅ | Installed configuration profiles (/private/var/mobile/Library/ConfigurationProfiles/), VPN and cellular APN settings, MDM enrolment state; evidence of tampering or remote management. |
| Caches, tmp, plist remnants | ❌ | ✅ | Valuable for reconstructing deleted artefacts and app state. |
| App binary & bundle inspection | ❌ | ✅ (bundles under /private/var/containers/Bundle/Application/; App Store binaries are FairPlay-encrypted on disk and must be dumped from memory) | Lets an examiner confirm the installed version (Info.plist CFBundleShortVersionString) against CVE advisories and reverse engineer app behaviour. |
| Notification Centre contents | ❌ | ✅ | /private/var/mobile/Library/UserNotifications/<bundle id>/DeliveredNotifications.plist (iOS 11 and later) retains notification text. |
| Photos metadata (EXIF + sidecar caches) | ✅ | ✅ | Device view adds thumbnails, edit resources and Live Photo .mov fragments, including Photos.sqlite entries for deleted assets. |
| Spotlight index & search history | ❌ | ✅ | /private/var/mobile/Library/Spotlight/CoreSpotlight/ indexes file names and content, including references to deleted items. |
| Mail database (actual mail content) | ❌ | ✅ | /private/var/mobile/Library/Mail/ includes full messages, attachments and cache fragments of deleted mail. |
| Wallet & Apple Pay tokens | ✅ (passes, partial) | 🔸 (pass files and Wallet metadata only) | Card payment tokens live in the Secure Element, which a file system extraction cannot read; they would require Secure Element/SEP access that a jailbreak does not provide. |
| System daemons & diagnostic data | ❌ | ✅ (e.g. CurrentPowerlog.PLSQL under /private/var/containers/Shared/SystemGroup/<UUID>/Library/BatteryLife/) | Reveals power and charging logs, thermal events and process launch history. |
| Deleted data recovery potential | ❌ | ✅ | Full FS delivers WAL files, journals and freelist pages of every database, so deleted records can often be recovered. A tar- or SSH-based file copy does not include unallocated space; that needs a physical image, which jailbreak extractions rarely provide. |
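Several rows above (Messages, third-party databases, deleted data recovery) rest on the same point: the WAL and journal files that sit next to a SQLite database on the device still hold rows that the live database no longer returns. The script below is an added example, not part of the original table, that shows this with a constructed sms.db-style table (the schema is a simplification, not the real Messages schema): it inserts two messages in WAL mode, deletes one, then carves the raw `-wal` file for the deleted text and counts the WAL frames from the file header.

```python
"""Added example: why a full file system copy (database + WAL) recovers deleted
SQLite rows that the main .db file alone does not yet contain.
Sample messages and the simplified `message` table are constructed for the demo."""
import os
import sqlite3
import struct
import tempfile

DELETED_TEXT = "meet at the old warehouse at 2am"  # constructed sample message
KEPT_TEXT = "running late, see you at 9"           # constructed sample message

WAL_MAGIC = (0x377F0682, 0x377F0683)  # SQLite WAL header magic (little/big endian checksums)
WAL_HEADER_SIZE = 32
WAL_FRAME_HEADER_SIZE = 24


def make_db_with_deleted_row(db_path):
    """Create a WAL-mode database, insert two messages and delete one.
    Returns the open connection: closing it would checkpoint and remove the -wal file,
    which is exactly what a device extraction must capture before that happens."""
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit each statement
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER)")
    conn.execute("INSERT INTO message(text, date) VALUES (?, ?)", (DELETED_TEXT, 1_700_000_000))
    conn.execute("INSERT INTO message(text, date) VALUES (?, ?)", (KEPT_TEXT, 1_700_000_060))
    conn.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    return conn


def carve(path, needle):
    """Return byte offsets at which `needle` occurs in the raw file `path`."""
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        data = f.read()
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def count_wal_frames(wal_path):
    """Parse the WAL header (magic, format version, page size) and derive the frame count:
    each frame is a 24-byte header followed by one page."""
    with open(wal_path, "rb") as f:
        header = f.read(WAL_HEADER_SIZE)
        size = os.fstat(f.fileno()).st_size
    magic, _version, page_size = struct.unpack(">III", header[:12])
    if magic not in WAL_MAGIC:
        raise ValueError("not a SQLite WAL file")
    return (size - WAL_HEADER_SIZE) // (WAL_FRAME_HEADER_SIZE + page_size)


def analyse():
    """Build the demo database and report what the live DB, the main file and the WAL contain."""
    db_path = os.path.join(tempfile.mkdtemp(), "sms.db")
    conn = make_db_with_deleted_row(db_path)
    try:
        wal_path = db_path + "-wal"
        return {
            "live_texts": [row[0] for row in conn.execute("SELECT text FROM message")],
            "deleted_text_in_main_db": bool(carve(db_path, DELETED_TEXT.encode())),
            "deleted_text_in_wal": bool(carve(wal_path, DELETED_TEXT.encode())),
            "wal_frames": count_wal_frames(wal_path),
        }
    finally:
        conn.close()  # checkpoint + WAL removal, as happens when the app exits cleanly


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The live query returns only the surviving message, the main sms.db file does not contain the deleted text at all (no checkpoint has run yet), and the WAL still holds the insert frame with the full text. After a checkpoint the text may survive in a freeblock of the main file, but that depends on whether the SQLite build has secure_delete enabled, which is why the WAL and journal files are worth collecting alongside every database.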