Mac OS X 10.8 AddressBook Forensic

AddressBook artifacts can be found at:

  • ~/Library/Application Support/AddressBook/Configuration.plist
  • ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb
  • ~/Library/Application Support/AddressBook/Metadata/
  • ~/Library/Application Support/AddressBook/Images/
  • ~/Library/Preferences/com.apple.AddressBook.plist

AddressBook database

Contact persons, phone numbers, and other contact details can be found in the AddressBook SQLite database, ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb. The tables of interest in the database are as follows:

  • ZABCDRECORD
    • Z_PK: Primary key for Person’s record
    • ZCREATIONDATE: creation timestamp (Mac CFAbsolute time)
    • ZMODIFICATIONDATE: modification timestamp (Mac CFAbsolute time)
    • ZSORTINGFIRSTNAME: name in order of first name
    • ZSORTINGLASTNAME: name in order of last name
    • ZUNIQUEID: Assigned UID
  • ZABCDPHONENUMBER
    • Z_PK: Primary key for phone number’s record
    • ZOWNER: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZFULLNUMBER: phone number
    • ZLABEL: description label for phone number
  • ZABCDEMAILADDRESS
    • Z_PK: Primary key for email address
    • ZOWNER: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZADDRESS: email address
    • ZLABEL: description label for email address
  • ZABCDURLADDRESS
    • Z_PK: Primary key for URL address
    • ZOWNER: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZLABEL: description label for URL address
    • ZURL: URL address
  • ZABCDMESSAGINGADDRESS
    • Z_PK: Primary key for messaging ID
    • ZOWNER: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZADDRESS: Messaging ID
    • ZLABEL: description label for messaging ID
  • ZABCDPOSTALADDRESS
    • Z_PK: Primary key for address
    • ZOWNER: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZLABEL: description label for address
    • ZCOUNTRY: country
    • ZSTATE: state
    • ZCITY: city
    • ZSTREET: street
    • ZZIPCODE: zip code
  • ZABCDNOTE
    • Z_PK: Primary key for note
    • ZCONTACT: Person’s ID (ref to ZABCDRECORD.Z_PK)
    • ZTEXT: text note
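
The following is an added example, not code from the original post: it joins ZABCDRECORD to its phone, email and note tables through the owner columns listed above and converts the Mac CFAbsolute timestamps (seconds since 2001-01-01 00:00:00 UTC) to UTC. The in-memory database, its column types and all sample rows are constructed for illustration; only the table and column names come from the list above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # CFAbsoluteTime zero point
# Child table -> (column referencing ZABCDRECORD.Z_PK, value column), per the list above.
CHILD_TABLES = {
    "ZABCDPHONENUMBER": ("ZOWNER", "ZFULLNUMBER"),
    "ZABCDEMAILADDRESS": ("ZOWNER", "ZADDRESS"),
    "ZABCDNOTE": ("ZCONTACT", "ZTEXT"),
}

def cf_to_utc(seconds):
    """Convert Mac CFAbsolute time (seconds since 2001-01-01 UTC) to ISO 8601."""
    return None if seconds is None else (CF_EPOCH + timedelta(seconds=seconds)).isoformat()

def extract_contacts(conn):
    """Return one dict per ZABCDRECORD row with its phones, emails and notes."""
    people = conn.execute(
        "SELECT Z_PK, ZUNIQUEID, ZSORTINGFIRSTNAME, ZCREATIONDATE, ZMODIFICATIONDATE "
        "FROM ZABCDRECORD ORDER BY Z_PK").fetchall()
    contacts = []
    for pk, uid, name, created, modified in people:
        entry = {"uid": uid, "name": name,
                 "created": cf_to_utc(created), "modified": cf_to_utc(modified)}
        for table, (owner, value) in CHILD_TABLES.items():
            rows = conn.execute(
                f"SELECT {value} FROM {table} WHERE {owner} = ? ORDER BY Z_PK", (pk,))
            entry[table] = [v for (v,) in rows]
        contacts.append(entry)
    return contacts

def build_sample_db():
    """Constructed in-memory stand-in for the database; every row is invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE ZABCDRECORD (Z_PK INTEGER PRIMARY KEY, ZCREATIONDATE REAL,
      ZMODIFICATIONDATE REAL, ZSORTINGFIRSTNAME TEXT, ZUNIQUEID TEXT);
    CREATE TABLE ZABCDPHONENUMBER (Z_PK INTEGER PRIMARY KEY, ZOWNER INTEGER, ZFULLNUMBER TEXT);
    CREATE TABLE ZABCDEMAILADDRESS (Z_PK INTEGER PRIMARY KEY, ZOWNER INTEGER, ZADDRESS TEXT);
    CREATE TABLE ZABCDNOTE (Z_PK INTEGER PRIMARY KEY, ZCONTACT INTEGER, ZTEXT TEXT);
    INSERT INTO ZABCDRECORD VALUES (1, 378691200.0, 378777600.0, 'alice example', 'SAMPLE-UID-0001'),
                                   (2, 0.0, NULL, 'bob example', 'SAMPLE-UID-0002');
    INSERT INTO ZABCDPHONENUMBER VALUES (1, 1, '+1 555 0100');
    INSERT INTO ZABCDEMAILADDRESS VALUES (1, 1, 'alice@example.com');
    INSERT INTO ZABCDNOTE VALUES (1, 1, 'constructed note');
    """)
    return conn

if __name__ == "__main__":
    print(*extract_contacts(build_sample_db()), sep="\n")
```

On a case, pass `extract_contacts` a connection to a working copy of AddressBook-v22.abcddb opened read-only (a `file:` URI with `?mode=ro` and `uri=True`) instead of the sample database.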

A simpler way to extract the address book is to copy ~/Library/Application Support/AddressBook/Metadata and ~/Library/Application Support/AddressBook/Images. Metadata contains the contact information and Images contains the corresponding images of the contacts. Each metadata file and image is identified by the assigned Unique ID; this Unique ID can also be derived from ZABCDRECORD.ZUNIQUEID in the AddressBook database.
