Installed App State (applicationState.db)

iosSystem ConfigurationDevice Extraction

Location

HomeDomain/Library/FrontBoard/applicationState.db

Description

SQLite database maintained by SpringBoard recording the state of all installed applications on the device. Contains application bundle identifiers, display names, installation status, badge counts, snapshot timestamps, and compatibility information. The application_identifier_tab table maps numeric keys to bundle IDs used across other system databases.

Forensic Value

The applicationState database provides a definitive list of all applications installed on the device at the time of extraction, including their bundle identifiers needed to correlate activity across other forensic artifacts. Identifying installed applications reveals the user communication channels (Signal, Telegram, WhatsApp), cloud storage services (Dropbox, Google Drive), VPN applications, and any potentially malicious or surveillance applications. Applications with active badge counts indicate pending notifications or unread content. This database is essential for scoping which application-specific databases should be examined in the forensic analysis.

Tools Required

iLEAPPCellebrite UFEDMagnet AXIOMDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud