Contacts Database (AddressBook.sqlitedb)
Location
HomeDomain/Library/AddressBook/AddressBook.sqlitedb
Description
SQLite database containing all contacts stored on the device, including names, phone numbers, email addresses, physical addresses, organizations, and associated social media accounts. The database uses a multi-table structure with ABPerson for contact records and ABMultiValue for associated phone numbers, emails, and other multi-value properties.
Forensic Value
The address book establishes the social network of the device owner, identifying known associates and organizational relationships. Creation and modification dates on contact records reveal when new contacts were added, which can correlate with the start of suspicious communications. Contact nicknames, notes fields, and custom labels may contain investigatively relevant context about relationships. Comparing the address book against call history and message databases identifies communications with contacts not in the address book, which may indicate burner phone usage or unknown threat actors.
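The comparison described above, as an added example (not part of the original page or of any tool it names): it joins ABPerson to ABMultiValue and reports observed numbers that match no contact. The column names (First, Last, CreationDate, record_id, property, value), the phone property code 3, the 2001-01-01 timestamp base, and the last-10-digits matching are assumptions to verify against the extracted database's schema; the sample rows and observed numbers are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed timestamp base
PHONE_PROPERTY = 3  # assumed ABMultiValue.property code for phone numbers

def normalize(number):
    """Reduce a number to its last 10 digits so formatting differences match."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def load_contacts(conn):
    """Map normalized phone number -> (display name, creation time in UTC)."""
    rows = conn.execute(
        "SELECT p.First, p.Last, p.CreationDate, mv.value "
        "FROM ABPerson p JOIN ABMultiValue mv ON mv.record_id = p.ROWID "
        "WHERE mv.property = ? AND mv.value IS NOT NULL", (PHONE_PROPERTY,))
    contacts = {}
    for first, last, created, value in rows:
        name = " ".join(part for part in (first, last) if part)
        when = None if created is None else APPLE_EPOCH + timedelta(seconds=created)
        contacts[normalize(value)] = (name, when)
    return contacts

def unknown_numbers(conn, observed):
    """Return observed numbers that match no phone entry in the address book."""
    known = load_contacts(conn)
    return sorted({n for n in observed if normalize(n) not in known})

def build_sample_db():
    """Constructed stand-in for AddressBook.sqlitedb with only the columns used."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
                               CreationDate INTEGER, ModificationDate INTEGER);
        CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER,
                                   property INTEGER, value TEXT);
        INSERT INTO ABPerson VALUES (1, 'Alice', 'Nguyen', 700000000, 700000000);
        INSERT INTO ABMultiValue VALUES (1, 1, 3, '+1 (555) 010-0142');
        INSERT INTO ABMultiValue VALUES (2, 1, 4, 'alice@example.com');
    """)
    return conn

# Constructed numbers standing in for call-history or message-database entries.
OBSERVED = ["15550100142", "+15550100199"]

if __name__ == "__main__":
    db = build_sample_db()
    print(load_contacts(db))
    print(unknown_numbers(db, OBSERVED))
```

Run it against a working copy of the extracted database opened read-only, not the evidence original.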
Tools Required
Collection Commands
idevicebackup2
idevicebackup2 backup --full /forensics/ios_backup/
iLEAPP
python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/
MEAT
python3 meat.py -i -o /forensics/output/ -t backup
Collection Constraints
- Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.