Call History Database (CallHistory.storedata)

iosCommunicationDevice ExtractionCloud Admin Portal

Location

HomeDomain/Library/CallHistoryDB/CallHistory.storedata

Description

SQLite database recording all incoming, outgoing, and missed phone calls, FaceTime audio calls, and FaceTime video calls. Each record in the ZCALLRECORD table includes the remote phone number or Apple ID, call duration, call type (incoming/outgoing/missed), timestamp, and the service provider (cellular, FaceTime Audio, FaceTime Video).

Forensic Value

Call history provides a chronological record of all voice and video communications, establishing contact patterns between the device owner and other parties. Duration fields distinguish between answered and unanswered calls, while the face_time_data field identifies video calls that may have been used to share visual information. Deleted call records may persist in SQLite free pages and can be recovered with forensic carving. Correlating call timestamps with location data places the device owner at specific locations during conversations.

Tools Required

Cellebrite UFEDiLEAPPMagnet AXIOMBelkasoftDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud