Mac OS X 10.6 Address Book Forensics Part 1

Address Book is the default address book application for Mac OS X. It integrates and synchronises with the operating system, applications and iOS devices. On Mac OS X, Address Book integrates with iChat, Mail, iCal, iTunes and MobileMe, and contacts are indexed in Spotlight. For a full list of features, refer to Wikipedia – Address Book.


I have conducted my testing on a Mac running OS X 10.6.7, Address Book version 5.0.3 (883). This is a simple sharing from me and serves as my personal reference. Please conduct your own tests to verify. Do let me know if your test results differ from mine so we can build a stronger and better community. You can refer to my ‘About Me’ page for the disclaimer and more about me.


~/Library/Preferences/AddressBookMe.plist : This file contains the registration information entered when the Mac was first booted and registered. It may not exist on the system if the user skipped the registration process.

~/Library/Preferences/ : preference file for the user’s settings

~/Library/Preferences/ : not sure what this file is supposed to do

~/Library/Preferences/ByHost/[pseudo-random number] : In my testing, this file contained the timestamp of when Address Book was used. I assume that the timestamp may be used to indicate when Address Book was last updated or used.

Address Book entries are stored in an SQLite database at ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb.

~/Library/Application Support/AddressBook/Metadata/ : Each contact is stored in a distinct file and assigned a unique ID. This unique ID can be cross-referenced to the AddressBook-v22.abcddb database file.
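
The cross-reference between the Metadata files and the database can be checked with a short script. This is an added example, not code from the original post: it assumes that each Metadata file name without its extension is the contact's unique ID, assumes nothing about the database schema, and runs against a constructed sample folder whose table, IDs and `.meta` file names are made up for the demonstration.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_readonly(db_path):
    """Open a working copy of the database read-only (never the original)."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def find_unique_id(conn, unique_id):
    """Return (table, column, rowid) for every cell equal to unique_id."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # Column names come from the file itself, so no schema is assumed.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            query = f'SELECT rowid FROM "{table}" WHERE "{col}" = ?'
            hits += [(table, col, r[0]) for r in conn.execute(query, (unique_id,))]
    return hits

def cross_reference(metadata_dir, db_path):
    """Map each Metadata file name to the database cells holding its ID."""
    conn = open_readonly(db_path)
    try:
        # Assumption: the file name without its extension is the unique ID.
        return {f.name: find_unique_id(conn, f.stem)
                for f in sorted(Path(metadata_dir).iterdir()) if f.is_file()}
    finally:
        conn.close()

def build_sample(root):
    """Constructed stand-in for the AddressBook folder (not real evidence)."""
    root = Path(root)
    (root / "Metadata").mkdir()
    db = root / "AddressBook-v22.abcddb"
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE CONTACT (PK INTEGER PRIMARY KEY, NAME TEXT, UID TEXT)")
    conn.execute("INSERT INTO CONTACT VALUES (1, 'Alice Example', 'SAMPLE-ID-0001')")
    conn.commit()
    conn.close()
    for stem in ("SAMPLE-ID-0001", "SAMPLE-ID-0002"):
        (root / "Metadata" / f"{stem}.meta").write_text("constructed")
    return root / "Metadata", db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hits in cross_reference(*build_sample(tmp)).items():
            print(name, hits or "no matching cell")
```

A Metadata file that maps to an empty list has no cell in the database equal to its ID and is worth examining by hand.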


The corresponding image is kept in ~/Library/Application Support/AddressBook/Images/. On my machine, I created 1 group and 2 contacts.
