- Practical Mobile Forensics
- Rohit Tamma Oleg Skulkin Heather Mahalik Satish Bommisetty
- 2021-06-24 16:39:04
Disk layout
By default, the filesystem is configured as two logical disk partitions: the system (root or firmware) partition and the user data partition.
The system partition contains the OS and all of the preloaded applications used with the iPhone. The system partition is mounted as read-only unless an OS upgrade is in progress or the device is jailbroken. The partition is updated only when a firmware upgrade is performed on the device. During this process, the entire partition is formatted by iTunes without affecting any of the user data. The system partition takes only a small portion of storage space, normally between 0.8 GB and 4 GB, depending on the size of the NAND drive. As the system partition was designed to remain in a factory state for the entire lifetime of the iPhone, there is typically little useful evidentiary information that can be obtained from it. If the iOS device is jailbroken, the files containing information regarding the jailbreak and user data may be resident on the system partition. Jailbreaking an iOS device allows the user root access to the device, but voids the manufacturer warranty. Jailbreaking will be discussed later in this chapter.
The user data partition contains all the user-created data, ranging from music and contacts to third-party application data. The user data partition occupies most of the NAND memory and is mounted at the /private/var directory on the device. Most of the evidentiary information can be found in this partition. During a filesystem acquisition, the contents of the user data partition should be captured and saved as a .tar file. The acquired data can then be easily extracted and parsed by most commercial mobile forensic tools.
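As an added example (not from the book), the following Python sketch inventories an acquired .tar without extracting it: it hashes the image, tallies members under the /private/var mount point against everything else, and flags member names that would escape the output directory on extraction. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import tarfile
from collections import Counter
from pathlib import PurePosixPath

USER_DATA_MOUNT = ("private", "var")  # user data partition mount point, per the text

def classify(name: str) -> str:
    """Label one archive member: 'unsafe', 'user_data' or 'system'."""
    parts = PurePosixPath(name).parts
    if ".." in parts:
        return "unsafe"  # would escape the output directory if extracted
    if parts and parts[0] == "/":
        parts = parts[1:]  # some tools store absolute paths
    return "user_data" if parts[:2] == USER_DATA_MOUNT else "system"

def inventory(tar_bytes: bytes) -> dict:
    """Hash the image and tally members per partition without extracting."""
    counts, user_bytes, unsafe = Counter(), 0, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            label = classify(member.name)
            counts[label] += 1
            if label == "unsafe":
                unsafe.append(member.name)
            elif label == "user_data" and member.isfile():
                user_bytes += member.size
    return {"sha256": hashlib.sha256(tar_bytes).hexdigest(),
            "counts": dict(counts), "user_data_bytes": user_bytes, "unsafe": unsafe}

def build_sample() -> bytes:
    """Constructed stand-in for an acquired image (not real evidence)."""
    files = {
        "private/var/mobile/Library/SMS/sms.db": b"x" * 4096,
        "/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG": b"y" * 1000,
        "System/Library/CoreServices/SystemVersion.plist": b"<plist/>",
        "../outside.txt": b"z",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    print(inventory(build_sample()))
```

Recording the SHA-256 before any parsing gives a fixed reference for later integrity checks of the acquired image.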