Mail Message Store & Metadata
Location
HomeDomain/Library/Mail/ and protected Mail stores exposed in full filesystem extractions
Common Names
Description
Mail app metadata, cached messages, mailbox indexes, and attachment state held in the iOS Mail domain. Depending on the extraction type and account configuration, this can include message headers, mailbox hierarchies, attachment references, and local cache state for synchronized accounts.
Forensic Value
Mail stores are high-value in phishing, BEC, insider threat, and extortion cases because they can confirm that a message was present on the device even when server-side access is limited or disputed. Local metadata helps identify configured accounts, which mailbox a suspicious message landed in, whether it was viewed, and which attachments were cached on-device. In some cases, the mobile cache preserves partial message content or attachment metadata after server-side changes have already occurred.
Tools Required
Collection Commands
Cellebrite UFED
Perform a full filesystem or advanced logical extraction and review the Mail domain output.
iLEAPP
python3 ileapp.py -t tar -i /path/to/ios_extraction -o /forensics/output/
libimobiledevice
idevicebackup2 backup --full /forensics/ios_backup/
Collection Constraints
- Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.
- Mail content availability varies by account type, sync policy, backup class, and whether the extraction included protected app data. A standard backup may not contain the same depth as a full filesystem extraction.
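One way to check what a backup actually holds for the Mail domain before interpreting gaps, as an added example that is not part of the original page or of any tool named on it. It assumes an unencrypted backup whose Manifest.db uses the iOS 10+ `Files` table; the function names and the sample rows are constructed for illustration.

```python
import hashlib
import sqlite3

MAIL_DOMAIN = "HomeDomain"     # domain named on the page
MAIL_PREFIX = "Library/Mail/"  # relative path named on the page
FLAG_FILE = 1                  # Manifest.db flags: 1 file, 2 directory, 4 symlink


def backup_file_id(domain, relative_path):
    """fileID used by iOS 10+ backups: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def list_mail_entries(conn):
    """Return (relativePath, blob path) for regular files in the Mail domain."""
    rows = conn.execute(
        "SELECT fileID, relativePath FROM Files "
        "WHERE domain = ? AND relativePath LIKE ? AND flags = ? "
        "ORDER BY relativePath",
        (MAIL_DOMAIN, MAIL_PREFIX + "%", FLAG_FILE),
    ).fetchall()
    # Blobs are stored under <backup>/<first two hex chars of fileID>/<fileID>
    return [(rel, f"{fid[:2]}/{fid}") for fid, rel in rows]


def build_sample_manifest():
    """Constructed in-memory stand-in for an unencrypted backup's Manifest.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    sample = [  # constructed rows, not taken from a real device
        ("HomeDomain", "Library/Mail", 2),
        ("HomeDomain", "Library/Mail/sample_index.db", 1),
        ("HomeDomain", "Library/Mail/sample_account/INBOX.mbox/meta.plist", 1),
        ("HomeDomain", "Library/SMS/sms.db", 1),
    ]
    conn.executemany(
        "INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
        [(backup_file_id(d, p), d, p, f) for d, p, f in sample],
    )
    return conn


if __name__ == "__main__":
    entries = list_mail_entries(build_sample_manifest())
    for rel, blob in entries:
        print(f"{blob}  {rel}")
    if not entries:
        print("No Mail domain files in this backup; check the extraction type.")
```

Against a real backup, pass `sqlite3.connect` the path to a working copy of Manifest.db instead of the constructed sample; an empty result reflects what the backup class captured, not necessarily what was on the device.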