Call History Database (CallHistory.storedata)

Location

Description

SQLite database recording all incoming, outgoing, and missed phone calls, FaceTime audio calls, and FaceTime video calls. Each record in the ZCALLRECORD table includes the remote phone number or Apple ID, call duration, call type (incoming/outgoing/missed), timestamp, and the service provider (cellular, FaceTime Audio, FaceTime Video).

Forensic Value

Call history provides a chronological record of all voice and video communications, establishing contact patterns between the device owner and other parties. Duration fields distinguish between answered and unanswered calls, while the face_time_data field identifies video calls that may have been used to share visual information. Deleted call records may persist in SQLite free pages and can be recovered with forensic carving. Correlating call timestamps with location data places the device owner at specific locations during conversations.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

python3 meat.py -i -o /forensics/output/ -t backup

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References