Contacts Database (AddressBook.sqlitedb)
Location
HomeDomain/Library/AddressBook/AddressBook.sqlitedb
Description
SQLite database containing all contacts stored on the device, including names, phone numbers, email addresses, physical addresses, organizations, and associated social media accounts. The database uses a multi-table structure with ABPerson for contact records and ABMultiValue for associated phone numbers, emails, and other multi-value properties.
Forensic Value
The address book establishes the social network of the device owner, identifying known associates and organizational relationships. Creation and modification dates on contact records reveal when new contacts were added, which can correlate with the start of suspicious communications. Contact nicknames, notes fields, and custom labels may contain investigatively relevant context about relationships. Comparing the address book against call history and message databases identifies communications with contacts not in the address book, which may indicate burner phone usage or unknown threat actors.
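The comparison against call history described above can be sketched as follows. This is an added example, not part of the original entry: the column names (First, Last, Organization, CreationDate, record_id, property, value), the phone property code 3, and the Mac absolute time epoch are assumptions about the schema that should be checked against the database under examination, and the sample rows and call numbers are constructed.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # assumed origin of CreationDate
PHONE_PROPERTY = 3  # assumed ABMultiValue.property code for phone numbers

def normalize(number, digits=10):
    """Strip formatting and compare on trailing digits (a simplification; tune per region)."""
    return re.sub(r"\D", "", number or "")[-digits:]

def load_contacts(conn):
    """Map normalized phone number -> (display name, contact creation time in UTC)."""
    rows = conn.execute(
        """SELECT p.First, p.Last, p.Organization, p.CreationDate, mv.value
           FROM ABPerson p JOIN ABMultiValue mv ON mv.record_id = p.ROWID
           WHERE mv.property = ?""", (PHONE_PROPERTY,))
    contacts = {}
    for first, last, org, created, value in rows:
        name = " ".join(x for x in (first, last) if x) or org or "(unnamed)"
        when = APPLE_EPOCH + timedelta(seconds=created) if created is not None else None
        contacts[normalize(value)] = (name, when)
    return contacts

def unknown_numbers(contacts, call_numbers):
    """Numbers seen in call history with no matching contact, in first-seen order."""
    seen, out = set(), []
    for n in call_numbers:
        key = normalize(n)
        if key and key not in contacts and key not in seen:
            seen.add(key)
            out.append(n)
    return out

def build_sample():
    """Constructed sample rows; a real case opens a read-only working copy of the file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT,
                               Organization TEXT, CreationDate REAL);
        CREATE TABLE ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER, property INTEGER, value TEXT);
        INSERT INTO ABPerson VALUES (1,'Alex','Doe',NULL,700000000), (2,NULL,NULL,'Example Corp',710000000);
        INSERT INTO ABMultiValue VALUES (1,1,3,'+1 (555) 010-0001'),
                                        (2,1,4,'alex@example.com'), (3,2,3,'555-010-0002');
    """)
    return conn

if __name__ == "__main__":
    calls = ["15550100001", "555 010 0099", "+15550100002"]  # constructed call-history numbers
    print(unknown_numbers(load_contacts(build_sample()), calls))
```

The returned creation time for a matched contact can be set beside the first call or message involving that number to see whether the contact was added before or after communication began.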