When analyzing an application, you need to look at all its activities and interactions with the system by analyzing all the traces and artifacts left on the system while it was running and after it has run and to/from the system. This means being able to understand how and with whom the application communicates by sending and receiving data. Therefore, you need to look at the three states where data can exist. The following are the three states where data can exist:
With data at rest, we refer to all the data recorded on storage media; in our case, on the mobile device's internal memory. These are the
plist files, the
sqlite databases, logs, and any other information we can retrieve directly from the media itself. ...