I've been working on a new set of applications, but before I begin those, I wanted to take a detour around an application that we've all probably come across from time to time, but which has often confused me about where and how it stores its data. This application is the "Files" app that Apple added in iOS 11. iOS 13 (and iPadOS 13) brought several additional features, including the downloads directory. Files has also added abilities to generate iCloud share links and collaborate on files in apps such as Pages, Numbers, or Keynote. In addition, third-party applications can also tie into the Files app for quick access, sharing, and storage of files on your iOS device. For more information about Apple's Files app, see this link here.
In order to find the data for this app I decided to use some of my favorite tricks on an iPad I recently set up and jailbroke as per my recent research device post. The easiest place to find where the Files application SHOULD be storing data is to use one of two tricks:
- In a forensic image, consult the applicationstate.db file to find the bundleID com.apple.DocumentsApp
- On a live, running (jailbroken) device, use the CDA command-line tool to search for the path. For more information on CDA, get it on GitHub here.
However, you may notice that some of the above files are... missing. So where are they? Well, I'll get to that in a minute. First, let's talk about that sneaky fp_folder_item table. What is that I spy in the BLOB data? It's a binary plist, because, OF COURSE IT IS. Upon opening this, it's actually an NSKeyedArchiver-style (ew) one that can give us quite a bit of information about the file.
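To make such a BLOB readable, the UID references inside the NSKeyedArchiver plist have to be resolved against its $objects array. The following is an added example, not code from the original post: it takes the BLOB bytes as already extracted from the table, and the sample archive and its key names (filename, lastUsed) are constructed for illustration, not real Files app fields.

```python
import plistlib
from datetime import datetime, timedelta, timezone
from plistlib import UID

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # NSDate reference date

def unarchive(blob: bytes) -> dict:
    """Resolve the UID references of an NSKeyedArchiver plist into plain objects."""
    plist = plistlib.loads(blob)
    if not isinstance(plist, dict) or plist.get("$archiver") != "NSKeyedArchiver":
        raise ValueError("not an NSKeyedArchiver plist")
    objects = plist["$objects"]

    def resolve(node, seen=()):
        if isinstance(node, UID):
            if node.data in seen:  # archives may contain reference cycles
                return f"<cycle to UID {node.data}>"
            return resolve(objects[node.data], seen + (node.data,))
        if isinstance(node, str) and node == "$null":
            return None
        if isinstance(node, list):
            return [resolve(v, seen) for v in node]
        if isinstance(node, dict):
            cls = objects[node["$class"].data]["$classname"] if "$class" in node else ""
            if cls in ("NSDictionary", "NSMutableDictionary"):
                keys = [resolve(k, seen) for k in node["NS.keys"]]
                return dict(zip(keys, (resolve(v, seen) for v in node["NS.objects"])))
            if cls in ("NSArray", "NSMutableArray", "NSSet", "NSMutableSet"):
                return [resolve(v, seen) for v in node["NS.objects"]]
            if cls == "NSDate":  # seconds since 2001-01-01 UTC
                return COCOA_EPOCH + timedelta(seconds=node["NS.time"])
            return {k: resolve(v, seen) for k, v in node.items() if k != "$class"}
        return node

    return {name: resolve(ref) for name, ref in plist["$top"].items()}

def constructed_sample() -> bytes:
    """Constructed archive; the key names are hypothetical, not Files app fields."""
    objects = [
        "$null",
        {"NS.keys": [UID(2), UID(3)], "NS.objects": [UID(4), UID(5)], "$class": UID(6)},
        "filename", "lastUsed", "report.pdf",
        {"NS.time": 600000000.0, "$class": UID(7)},
        {"$classname": "NSDictionary", "$classes": ["NSDictionary", "NSObject"]},
        {"$classname": "NSDate", "$classes": ["NSDate", "NSObject"]},
    ]
    archive = {"$archiver": "NSKeyedArchiver", "$version": 100000,
               "$top": {"root": UID(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(unarchive(constructed_sample()))
```

Classes the resolver does not know are returned as plain dictionaries of their archived fields, so nothing in the BLOB is silently dropped.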