Calendar Events Database (Calendar.sqlitedb)

Location

Description

SQLite database containing all calendar events, reminders, and associated metadata. Each event record includes the title, start and end times, location, attendees, recurrence rules, alert settings, and the calendar account source (local, iCloud, Exchange, Google). The CalendarItem table stores event details while related tables track attendees and alarms.

Forensic Value

Calendar events establish planned activities, meetings, and appointments that corroborate or contradict accounts of the user schedule and whereabouts. Meeting attendee lists identify associates and organizational relationships. Location fields on events may reveal planned destinations. Recurring events establish behavioral patterns. Calendar data synced from Exchange or Google Workspace accounts may contain corporate meeting details relevant to insider threat investigations. Deleted events may persist in the database and can be recovered to reveal appointments the user attempted to hide.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

python3 meat.py -i -o /forensics/output/ -t backup

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References