Installed App State (applicationState.db)

iOS, System Configuration, Device Extraction

Location

HomeDomain/Library/FrontBoard/applicationState.db

Description

SQLite database maintained by SpringBoard recording the state of all installed applications on the device. Contains application bundle identifiers, display names, installation status, badge counts, snapshot timestamps, and compatibility information. The application_identifier_tab table maps numeric keys to bundle IDs used across other system databases.

Forensic Value

The applicationState database provides a definitive list of all applications installed on the device at the time of extraction, including the bundle identifiers needed to correlate activity across other forensic artifacts. Identifying installed applications reveals the user's communication channels (Signal, Telegram, WhatsApp), cloud storage services (Dropbox, Google Drive), VPN applications, and any potentially malicious or surveillance applications. Applications with active badge counts indicate pending notifications or unread content. This database is essential for scoping which application-specific databases should be examined in the forensic analysis.
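The scoping step described above, as an added example that is not part of the original page or of any listed tool: it opens a working copy of the database read-only, resolves the numeric keys in application_identifier_tab to bundle IDs, and records which state keys exist per application. Only application_identifier_tab is named on the page; the key_tab and kvs tables, all column names, the watchlist and the sample rows are assumptions or constructed data to check against the real schema.

```python
import os
import pathlib
import sqlite3
import tempfile
from contextlib import closing

# Assumed schema: key_tab, kvs and every column name are assumptions (verify with .schema).
QUERY = """
SELECT ait.id, ait.application_identifier, kt.key
FROM application_identifier_tab AS ait
LEFT JOIN kvs ON kvs.application_identifier = ait.id
LEFT JOIN key_tab AS kt ON kt.id = kvs.key
"""

# Illustrative watchlist for scoping, not exhaustive.
WATCHLIST = {
    "org.whispersystems.signal": "messaging",
    "net.whatsapp.WhatsApp": "messaging",
    "com.getdropbox.Dropbox": "cloud storage",
}

def list_apps(db_path):
    """Map bundle ID -> {'id', 'keys', 'category'} from a read-only connection."""
    # mode=ro refuses writes to the database; still run this on a working copy.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    apps = {}
    with closing(sqlite3.connect(uri, uri=True)) as con:
        for num_id, bundle, key in con.execute(QUERY):
            app = apps.setdefault(bundle, {"id": num_id, "keys": set(),
                                           "category": WATCHLIST.get(bundle)})
            if key is not None:  # LEFT JOIN keeps apps that have no stored state
                app["keys"].add(key)
    return apps

def build_sample_db(path):
    """Write a constructed sample database (not taken from a real device)."""
    with closing(sqlite3.connect(path)) as con:
        con.executescript("""
            CREATE TABLE application_identifier_tab (id INTEGER PRIMARY KEY, application_identifier TEXT);
            CREATE TABLE key_tab (id INTEGER PRIMARY KEY, key TEXT);
            CREATE TABLE kvs (id INTEGER PRIMARY KEY, application_identifier INTEGER, key INTEGER, value BLOB);
            INSERT INTO application_identifier_tab VALUES
                (1,'com.apple.mobilesafari'),(2,'org.whispersystems.signal'),(3,'com.example.orphan');
            INSERT INTO key_tab VALUES (1,'compatibilityInfo'),(2,'XBApplicationSnapshotManifest');
            INSERT INTO kvs VALUES (1,1,1,x'00'),(2,1,2,x'00'),(3,2,1,x'00');
        """)

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "applicationState.db")
    build_sample_db(sample)
    for bundle, info in sorted(list_apps(sample).items()):
        print(info["id"], bundle, sorted(info["keys"]), info["category"] or "-")
```

Keep any -wal and -shm files beside the working copy so recent rows are visible to the query.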

Tools Required

  • iLEAPP
  • Cellebrite UFED
  • Magnet AXIOM
  • DB Browser for SQLite

Collection Commands

idevicebackup2

idevicebackup2 backup --full /forensics/ios_backup/

iLEAPP

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

ideviceinstaller

ideviceinstaller -u <UDID> -l -o list > installed_apps.txt

Collection Constraints

  • Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
  • Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

T1404, T1398, T1426, T1645