Contact Interaction Tracking (interactionC.db)

Location

Description

CoreDuet SQLite database that tracks user interactions with contacts across multiple communication channels including Messages, Phone, FaceTime, Mail, and third-party apps. Records interaction type, contact identifier, bundle ID of the app used, timestamp, and interaction direction (incoming/outgoing).

Forensic Value

The interactionC database provides a unified view of all contact interactions across every communication app on the device, capturing patterns that individual app databases may not reveal in isolation. It records interactions with contacts through third-party messaging apps that may not maintain their own accessible message stores. The direction and frequency data enables communication pattern analysis to identify primary contacts and unusual interaction spikes. This artifact persists historical interaction data even after messages or call records are deleted from their respective applications.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

idevicecrashreport -e /forensics/crash_reports/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References