15/3/23, 11:29 Analysis of AddressBook and Call History data - Infosecaddicts

Analysis of AddressBook and Call History data
hsamanoudy  October 1, 2017  0 Comment


Analysis of artifacts on iOS devices


In the following paragraphs I discuss the objects found on an iOS device and how to interpret them, whether they were generated by the user's own activity or by the device and its features. Most of the extracted artifacts come in one of two main formats: .plist files, which are used for configuration, and SQLite database files.

Let's first look at where data is stored on an iOS device. Most of the data resides under /private/var/mobile, or equivalently under /User/, which is a symlink pointing to that same directory. For example, /User/Applications points to the actual path /private/var/mobile/Applications.

/User/Applications/######-####-####-####-###########: the # characters stand for the UUID (assigned by the device) that names the container.
<Application_Home>/AppName.app: this directory holds the application bundle installed on the iOS device. Note that it is not backed up.
<Application_Home>/Documents/: this folder holds the data files that belong to the application.
<Application_Home>/Library/: files that are particular to the application live inside this folder.
<Application_Home>/Library/Preferences/: all preference files for the application are contained in this directory.
<Application_Home>/Library/Caches/: this folder holds support files required by the application. This directory is not backed up either.
<Application_Home>/tmp/: temporary files are kept in this folder.

AddressBook inside /private/var/mobile/Library/AddressBook

Examining the address book of an iOS device is a significant step for an examiner during an investigation. Its importance is easily summarized: once the address book has been acquired successfully, all of the user's personal contacts are laid out and ready for investigation.

The address book is an SQLite database file named AddressBook.sqlitedb, and it contains several tables. Two of them are of particular interest for the investigation.

The first is the table called ABPerson. It contains fields such as first name, last name, organization, notes, birthday, job title, nickname, prefix and more. The index of this table is named ROWID.

The second is the table called ABMultiValue, which also resides in the address book database. Essential data about the stored contacts, such as their e-mail addresses and phone numbers, is stored in a column of this table called "value". Each such value is linked to the person's data and names found in the ABPerson table. The index of the ABMultiValue table is called record_id.

It is worth noting the relationship between the ABPerson and ABMultiValue tables on one side and the other tables in the database on the other. That relationship is one-to-many: several tables are linked to the ABPerson table through ROWID and to the ABMultiValue table through record_id.

Call history inside /private/var/Library/CallHistory

A database file named call_history.db is of great importance, particularly for an examiner performing a forensic investigation on an iOS device. The cellular calls made and received on the device are stored in this database, so it lets the examiner reconstruct them.

The database has four main tables, all of which are of interest to an examiner. One of them is the "call" table. It holds valuable data such as the phone number, date, duration and the reference ID of the contact.

The phone number field, as expected, holds the phone numbers recorded in the call history. The date field, on the other hand, is stored in epoch format: the number of seconds since 00:00:00 UTC on 1 January 1970. It therefore needs to be converted into a human-readable time format. The duration field records how long the call with a given phone number lasted.

Another field is the id field. Its importance is that it holds the id the phone assigned to this number. By linking this id to the id found in the address book, the examiner can establish which contact name the number belongs to. Sometimes, however, the number is not listed in the address book, which means the device has not assigned an id to it. In that case the id field holds the value negative one (-1) to indicate that there is no id stored for this phone number.

Finally, the call table contains a field named flags. This field indicates whether the call with a given phone number was an outbound call or an incoming one. If the call was received, the value four (4) is used to identify it; the value five (5), on the other hand, indicates that the call was outbound.
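The following is an added example, not code from the original post, that ties the two artifacts described above together: it builds constructed, reduced in-memory copies of AddressBook.sqlitedb (the ABPerson / ABMultiValue one-to-many relationship) and of the call table in call_history.db, then converts the epoch dates, decodes the flags values (4 and 5), and resolves each call's id against ABPerson, treating -1 as "no contact". Column names beyond those the post mentions (First, Last, UID, address) and the fallback lookup of a -1 call by its number against ABMultiValue.value are this example's own assumptions and additions; real iOS databases carry many more columns than shown here.

```python
# Added example (not from the original post): reduced, constructed copies of
# AddressBook.sqlitedb and call_history.db, and the joins an examiner runs on them.
import sqlite3
from datetime import datetime, timezone

FLAG_INCOMING = 4   # per the post: received call
FLAG_OUTGOING = 5   # per the post: outbound call
NO_CONTACT_ID = -1  # per the post: number not in the address book


def build_addressbook():
    """Constructed AddressBook.sqlitedb: ABPerson keyed by ROWID, ABMultiValue
    rows pointing back through record_id (one person, many values).
    Column names other than ROWID/record_id/value are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ABPerson (
            ROWID INTEGER PRIMARY KEY,
            First TEXT, Last TEXT, Organization TEXT, Nickname TEXT);
        CREATE TABLE ABMultiValue (
            UID INTEGER PRIMARY KEY,
            record_id INTEGER NOT NULL REFERENCES ABPerson(ROWID),
            value TEXT);
    """)
    conn.executemany("INSERT INTO ABPerson VALUES (?,?,?,?,?)", [
        (1, "Alice", "Example", "Example Corp", None),
        (2, "Bob", "Sample", None, "Bobby"),
    ])
    conn.executemany("INSERT INTO ABMultiValue VALUES (?,?,?)", [
        (10, 1, "+15550100"),              # Alice: phone number
        (11, 1, "alice@example.invalid"),  # Alice: e-mail address
        (12, 2, "+15550199"),              # Bob: phone number
    ])
    return conn


def build_call_history():
    """Constructed call_history.db 'call' table with the fields the post names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE call (
            ROWID INTEGER PRIMARY KEY,
            address TEXT,      -- phone number (column name assumed)
            date INTEGER,      -- seconds since 00:00:00 UTC, 1 January 1970
            duration INTEGER,  -- seconds
            flags INTEGER,     -- 4 = incoming, 5 = outgoing
            id INTEGER);       -- ABPerson.ROWID, or -1 when unknown
    """)
    conn.executemany("INSERT INTO call VALUES (?,?,?,?,?,?)", [
        (1, "+15550100", 1506816000, 95, FLAG_INCOMING, 1),
        (2, "+15550199", 1506819600, 0, FLAG_OUTGOING, 2),
        (3, "+15550177", 1506823200, 42, FLAG_OUTGOING, NO_CONTACT_ID),
    ])
    return conn


def epoch_to_iso(seconds):
    """Render a raw epoch value as ISO 8601 in UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def direction(flags):
    """Decode the flags field; any other value is reported, not guessed."""
    return {FLAG_INCOMING: "incoming", FLAG_OUTGOING: "outgoing"}.get(flags, f"unknown({flags})")


def contacts_with_values(ab):
    """One-to-many join: every ABPerson row with all of its ABMultiValue values."""
    out = {}
    for rowid, first, last, value in ab.execute("""
            SELECT p.ROWID, p.First, p.Last, m.value
            FROM ABPerson p LEFT JOIN ABMultiValue m ON m.record_id = p.ROWID
            ORDER BY p.ROWID, m.UID"""):
        entry = out.setdefault(rowid, {"name": f"{first} {last}", "values": []})
        if value is not None:
            entry["values"].append(value)
    return out


def resolve_calls(ab, ch):
    """Convert date, decode flags and resolve id against ABPerson. For id == -1 the
    example additionally checks whether the number still appears as an
    ABMultiValue value (a cross-check added here, not described in the post)."""
    names = {rid: f"{first} {last}"
             for rid, first, last in ab.execute("SELECT ROWID, First, Last FROM ABPerson")}
    calls = []
    for rowid, address, date, duration, flags, cid in ch.execute(
            "SELECT ROWID, address, date, duration, flags, id FROM call ORDER BY date"):
        if cid == NO_CONTACT_ID:
            hit = ab.execute("SELECT record_id FROM ABMultiValue WHERE value = ?",
                             (address,)).fetchone()
            contact, matched_by = (names.get(hit[0]), "number") if hit else (None, None)
        else:
            contact, matched_by = names.get(cid, f"dangling id {cid}"), "id"
        calls.append({"rowid": rowid, "number": address, "when_utc": epoch_to_iso(date),
                      "duration_s": duration, "direction": direction(flags),
                      "contact": contact, "matched_by": matched_by})
    return calls


if __name__ == "__main__":
    ab, ch = build_addressbook(), build_call_history()
    for rowid, c in contacts_with_values(ab).items():
        print(rowid, c["name"], c["values"])
    for c in resolve_calls(ab, ch):
        print(c)
```

Against a real acquisition you would open the two database files with `sqlite3.connect(path)` instead of calling the two `build_*` helpers; everything else stays the same, provided the column names match your iOS version.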
