Information Technology Reference
In-Depth Information
Important database files
Raw disk images, file system dumps the backup that you extracted as per the instructions in
Backups
, will contain the following SQLite databases that may be important to your invest-
igation. The files shown in the following sections are extracted from an iOS 6 device. As
Apple adds new features to the built-in applications with every iOS release, the format of
the files may vary for different iOS versions. So, you may need to modify the queries listed
slightly to work on your iOS version. More information regarding important database files
Address book contacts
The address book contains a wealth of information about the owner's personal contacts.
With the exception of third-party applications, the address book contains contact entries for
all of the contacts stored on the device. The address book database is a
HomeDomain
file
and can be found at
private/var/mobile/Library/AddressBook/Ad-
dressBook.sqlitedb
.
AddressBook.sqlitedb
contains several tables, of which three are of particular in-
terest:
•
ABPerson
: This contains the name, organization, notes, and more for each con-
tact.
•
ABMultiValue
: This contains phone numbers, e-mail addresses, website URLs,
and more for the entries in the
ABPerson
table. The
ABMultiValue
table uses
a
record_id
file to associate the contact information with a
rowid
from the
ABPerson
table.
•
ABMultiValueLabel
: This table contains labels to identify the kind of inform-
ation stored in the
ABMultiValue
table.
Some of the data stored within the
AddressBook.sqlitedb
file could be from third-
party applications. The examiner should manually examine the application file folders to
ensure that all the contacts are accounted for and examined.
You can run the following commands to dump the address book into a CSV file named
AddressBook.csv
:
