Analysis of AddressBook and Call History Data - Infosecaddicts
https://infosecaddicts.com/analysis-addressbook-call-history-data/ 1/6
15/3/23, 11:29 Analysis of AddressBook and Call History data - Infosecaddicts
In the following paragraphs I will discuss the objects found on an iOS device and how to interpret them, whether they were generated by the user's interaction or by the device itself and its features. Most of the extracted artifacts come in one of two main formats: .plist files, used for configuration, and SQLite database files.
Let's start with where data is stored on an iOS device in the first place. Most of it resides under /private/var/mobile, and /User/ is a symlink pointing to that same directory. For example, /User/Application points to the actual path /private/var/mobile/Application.
Investigating the address book of an iOS device is a significant step for an examiner. Its importance is simple to state: once the address book has been acquired successfully, every personal contact of the user is exposed and ready for analysis.
The address book is an SQLite database file named AddressBook.sqlitedb, and it contains several tables. Two of them are of particular interest to the investigation.
The first is the ABPerson table. It holds fields such as first name, last name, organization, notes, birthday, job title, nickname, prefix and more. The index of this table is named ROWID.
The second is the ABMultiValue table. It holds the essential data about the stored contacts, such as their email addresses and phone numbers, in a column called "value". Each of these values links back to the person's name and details in the ABPerson table. The index of ABMultiValue is called record_id.
From this I have to point out the relationship between the ABPerson and ABMultiValue tables on one side and the remaining tables in the database on the other. It is a one-to-many relationship: several tables link to ABPerson and ABMultiValue through ROWID and record_id respectively.
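To show the ROWID / record_id link concretely, here is an added example (not code from the original post) that builds a constructed, in-memory miniature of the two tables described above, joins ABMultiValue back to ABPerson, and does the reverse lookup an examiner usually wants: which contact owns a given number or email. Only the columns named in the text are guaranteed; the other column names (First, Last, Organization, UID and so on) follow the real schema as far as I know it and should be treated as an assumption to verify against your own copy of AddressBook.sqlitedb.

```python
import sqlite3

# Constructed miniature of AddressBook.sqlitedb. Only the two tables the text
# describes are modelled; column names beyond ROWID, record_id and value follow
# the real schema as far as I know it and are an assumption to verify.
SCHEMA = """
CREATE TABLE ABPerson (
    ROWID        INTEGER PRIMARY KEY,
    First        TEXT,
    Last         TEXT,
    Organization TEXT,
    Note         TEXT,
    Birthday     TEXT,
    JobTitle     TEXT,
    Nickname     TEXT,
    Prefix       TEXT
);
CREATE TABLE ABMultiValue (
    UID       INTEGER PRIMARY KEY,
    record_id INTEGER NOT NULL REFERENCES ABPerson(ROWID),
    value     TEXT
);
"""

# Constructed sample rows (not real device data).
SAMPLE_PERSONS = [
    (1, "Alice", "Example", "ACME Corp", None, "1985-04-02", "Engineer", None, None),
    (2, "Bob", "Sample", None, "met at conference", None, None, "Bobby", "Dr."),
]
SAMPLE_VALUES = [
    (1, 1, "+15551234567"),        # Alice: phone number
    (2, 1, "alice@example.com"),   # Alice: email (one person, many values)
    (3, 2, "+15559876543"),        # Bob: a single phone number
]


def build_sample_db():
    """Create an in-memory database shaped like the two address-book tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ABPerson VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_PERSONS)
    conn.executemany("INSERT INTO ABMultiValue VALUES (?,?,?)", SAMPLE_VALUES)
    conn.commit()
    return conn


def open_address_book(path):
    """Open a working copy of AddressBook.sqlitedb read-only so the evidence file is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_contacts(conn):
    """Resolve the one-to-many link ABPerson.ROWID -> ABMultiValue.record_id.

    Returns {ROWID: {"name": ..., "organization": ..., "values": [...]}}.
    A LEFT JOIN keeps persons that have no stored phone number or email.
    """
    rows = conn.execute(
        """
        SELECT p.ROWID, p.First, p.Last, p.Organization, mv.value
        FROM ABPerson AS p
        LEFT JOIN ABMultiValue AS mv ON mv.record_id = p.ROWID
        ORDER BY p.ROWID, mv.UID
        """
    ).fetchall()
    book = {}
    for rowid, first, last, org, value in rows:
        entry = book.setdefault(rowid, {
            "name": " ".join(part for part in (first, last) if part),
            "organization": org,
            "values": [],
        })
        if value is not None:
            entry["values"].append(value)
    return book


def find_contact_by_value(conn, value):
    """Reverse lookup: which contact owns a given phone number or email address?"""
    row = conn.execute(
        """
        SELECT p.First, p.Last
        FROM ABMultiValue AS mv
        JOIN ABPerson AS p ON p.ROWID = mv.record_id
        WHERE mv.value = ?
        """,
        (value,),
    ).fetchone()
    if row is None:
        return None
    return " ".join(part for part in row if part)


if __name__ == "__main__":
    for rowid, entry in list_contacts(build_sample_db()).items():
        print(rowid, entry["name"], entry["values"])
```

Replace `build_sample_db()` with `open_address_book("/path/to/AddressBook.sqlitedb")` to run the same queries against an acquired copy; the read-only URI keeps the evidence file untouched.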
A database file named call_history.db is also of great importance to an examiner performing a forensic investigation of an iOS device. It stores the cellular calls the device has made and received, so it lets the examiner reconstruct them.
It holds four main tables, all of interest to an examiner. One of them is the "call" table, which contains data such as the phone number, date, duration and reference ID of the contact.
The phone number field holds the phone number recorded in the call history. The date field is stored as an epoch timestamp, that is, the number of seconds since 00:00:00 UTC on 1 January 1970, so it must be converted into a readable time format. The duration field gives the length of the call with that phone number.
Another field is the id field, which holds the id the phone assigned to this number. By linking this id to the corresponding id in the address book, the number can be resolved to a contact name. However, a number is sometimes not listed in the address book; the device then assigns it no id, and the id field holds the value -1 to indicate that no id is stored for this phone number.
Finally, the call table has a flags field. It indicates whether the call with a specific phone number was outbound or incoming: a value of 4 marks a received call, and a value of 5 marks an outbound call.
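The decoding steps above (epoch conversion, the -1 sentinel in the id field, and the 4/5 flag values) as an added, runnable example that is not part of the original post. It builds a constructed miniature of the call table, converts each date to UTC, maps flags to a direction without guessing at values the text does not cover, and resolves the id field through a ROWID-to-name mapping of the kind you would extract from ABPerson. The column names other than date, duration, flags and id (address, ROWID) are an assumption; the epoch base is the one the text describes and should be confirmed for the iOS version under examination before timestamps are relied on.

```python
import sqlite3
from datetime import datetime, timezone

# Values the text gives for the call table.
FLAG_INCOMING = 4      # received call
FLAG_OUTGOING = 5      # outbound call
NO_CONTACT_ID = -1     # number not present in the address book

# Constructed miniature of the "call" table in call_history.db. Column names
# other than date, duration, flags and id are an assumption; check them against
# the acquired file with ".schema call" in the sqlite3 shell.
SCHEMA = """
CREATE TABLE call (
    ROWID    INTEGER PRIMARY KEY,
    address  TEXT,      -- the phone number
    date     INTEGER,   -- seconds since 1970-01-01 00:00:00 UTC
    duration INTEGER,   -- call length in seconds
    flags    INTEGER,   -- 4 = incoming, 5 = outgoing
    id       INTEGER    -- address-book id, or -1 when none
);
"""

# Constructed sample rows (not real device data).
SAMPLE_CALLS = [
    (1, "+15551234567", 1678876140, 95, FLAG_INCOMING, 1),
    (2, "+15559876543", 1678879800, 0, FLAG_OUTGOING, NO_CONTACT_ID),
    (3, "+15550001111", 1678880000, 12, 7, NO_CONTACT_ID),  # flag value the text does not cover
]


def build_sample_db():
    """Create an in-memory database shaped like the call table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO call VALUES (?,?,?,?,?,?)", SAMPLE_CALLS)
    conn.commit()
    return conn


def epoch_to_utc(seconds):
    """Render a seconds-since-1970 timestamp as a human-readable UTC string."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def decode_flags(flags):
    """Map the flags field to a direction; unknown values are surfaced, not guessed."""
    if flags == FLAG_INCOMING:
        return "incoming"
    if flags == FLAG_OUTGOING:
        return "outgoing"
    return f"unknown({flags})"


def load_calls(conn, contacts):
    """Read the call table and decode every row.

    contacts maps ABPerson.ROWID -> display name; the id field of a call row
    refers to that ROWID. Rows whose id is -1 get no contact, and an id that is
    missing from the mapping is flagged instead of being silently dropped.
    """
    rows = conn.execute(
        "SELECT ROWID, address, date, duration, flags, id FROM call ORDER BY date"
    ).fetchall()
    calls = []
    for rowid, address, date, duration, flags, contact_id in rows:
        if contact_id == NO_CONTACT_ID:
            contact = None
        else:
            contact = contacts.get(contact_id, f"<ROWID {contact_id} not in address book>")
        calls.append({
            "rowid": rowid,
            "number": address,
            "date_utc": epoch_to_utc(date),
            "duration_s": duration,
            "direction": decode_flags(flags),
            "contact": contact,
        })
    return calls


if __name__ == "__main__":
    # The ROWID -> name mapping would normally be built from AddressBook.sqlitedb.
    for call in load_calls(build_sample_db(), {1: "Alice Example"}):
        print(call)
```

Keeping unknown flag values visible as `unknown(n)` matters in practice: a row silently classified as incoming or outgoing on a value the examiner never checked is hard to defend later, whereas an explicit unknown prompts a look at the schema for that iOS version.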