Disk layout

By default, the filesystem is configured as two logical disk partitions: system (root or firmware) partition and user data partition.

The system partition contains the OS and all of the preloaded applications used with the iPhone. The system partition is mounted as read-only unless an OS upgrade is in progress or the device is jailbroken. The partition is updated only when a firmware upgrade is performed on the device. During this process, the entire partition is formatted by iTunes without affecting any of the user data. The system partition takes only a small portion of storage space, normally between 0.9 GB and 2.7 GB, depending on the size of the NAND drive. As the system partition was designed to remain in factory state for the entire life of the iPhone, there is typically little useful evidentiary information that can be obtained from it. If the iOS device is jailbroken, files containing information regarding the jailbreak and user data may be resident on the system partition. Jailbreaking an iOS device allows the user root access to the device, but voids the manufacturer warranty. Jailbreaking will be discussed later in this chapter.

The user data partition contains all user-created data, ranging from music and contacts to third-party application data. The user data partition occupies most of the NAND memory and is mounted at /private/var on the device. Most of the evidentiary information can be found in this partition. During a physical acquisition, both the user data and system partitions should be captured and saved as a .dmg or .img file. Most Windows tools and acquisition methods will create an .img file, while macOS X tools and acquisition methods will create a .dmg file. Both of the output image files are supported by most commercial forensic analysis tools.

These raw image files can be mounted as read-only for forensic analysis, which is covered in detail in Chapter 3, Data Acquisition from iOS Devices and Chapter 5, iOS Data Analysis and Recovery.