App Group Container Metadata
Location
private/var/mobile/Containers/Shared/AppGroup/<UUID>/ and related metadata plists within application container manifests
Common Names
Description
Shared app group containers and metadata that allow related applications and extensions from the same developer to exchange files, databases, and state outside an individual app sandbox.
Forensic Value
App group metadata helps investigators map which applications or extensions shared data, which is critical when a target app offloads content into a shared container that would be missed by looking only at the primary bundle sandbox. This is especially valuable for messaging extensions, VPN or mail plug-ins, widget data stores, and apps that maintain shared caches across the main app and supporting extensions. The container mapping also makes it easier to attribute otherwise ambiguous files to the correct app family during analysis.
Tools Required
Collection Commands
Cellebrite UFED
Perform a full filesystem extraction and inspect shared AppGroup containers and metadata manifests.
iLEAPP
python3 ileapp.py -t tar -i /path/to/ios_extraction -o /forensics/output/
libimobiledevice
idevicebackup2 backup --full /forensics/ios_backup/
Collection Constraints
- Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
- Shared containers are visible only when the app family actually uses an App Groups entitlement. Full attribution often requires a full filesystem extraction rather than a standard iTunes/Finder backup.
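An added example (not from the original page or from any of the tools listed) of the container mapping described under Forensic Value: it walks an unpacked full filesystem extraction and pairs each AppGroup container UUID with its group identifier. It assumes the per-container metadata file is named `.com.apple.mobile_container_manager.metadata.plist` and stores the identifier under the `MCMMetadataIdentifier` key; the sample UUIDs and group name are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed artifact names (not stated on this page): the per-container
# metadata plist written by the iOS container manager and its identifier key.
METADATA_NAME = ".com.apple.mobile_container_manager.metadata.plist"
ID_KEY = "MCMMetadataIdentifier"
APPGROUP_REL = Path("private/var/mobile/Containers/Shared/AppGroup")


def map_app_groups(extraction_root):
    """Return {container UUID: group identifier or None} for an unpacked extraction."""
    mapping = {}
    base = Path(extraction_root) / APPGROUP_REL
    if not base.is_dir():
        return mapping  # e.g. a standard backup that does not carry this tree
    for container in sorted(p for p in base.iterdir() if p.is_dir()):
        meta = container / METADATA_NAME
        try:
            with meta.open("rb") as fh:
                mapping[container.name] = plistlib.load(fh).get(ID_KEY)
        except (OSError, ValueError, AttributeError, ExpatError):
            # Missing or damaged metadata: keep the container, leave it unattributed.
            mapping[container.name] = None
    return mapping


def build_sample(root):
    """Create a constructed two-container tree (UUIDs and group id are made up)."""
    base = Path(root) / APPGROUP_REL
    good = base / "11111111-2222-3333-4444-555555555555"
    bare = base / "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
    good.mkdir(parents=True)
    bare.mkdir(parents=True)
    with (good / METADATA_NAME).open("wb") as fh:
        plistlib.dump({ID_KEY: "group.com.example.messenger"}, fh,
                      fmt=plistlib.FMT_BINARY)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for uuid, group in map_app_groups(build_sample(tmp)).items():
            print(uuid, "->", group or "UNATTRIBUTED (no readable metadata plist)")
```

Containers that come back unattributed should be checked against the extraction type before being read as evidence that an app family did not use a shared container.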