DEV Community: Charles West The latest articles on DEV Community by Charles West (@charles_west_99af57fcbac3). https://dev.to/charles_west_99af57fcbac3 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3854493%2F7a2c762f-e319-48f5-899b-131a5c35ec60.jpg DEV Community: Charles West https://dev.to/charles_west_99af57fcbac3 en The Evidence Is in the Phone. Most of It Never Makes It Into the Case. Charles West Wed, 01 Apr 2026 03:08:48 +0000 https://dev.to/charles_west_99af57fcbac3/the-evidence-is-in-the-phone-most-of-it-never-makes-it-into-the-case-mle https://dev.to/charles_west_99af57fcbac3/the-evidence-is-in-the-phone-most-of-it-never-makes-it-into-the-case-mle <p>In every custody dispute, every contested divorce, every harassment claim — the phone is the richest source of evidence available. Both sides know it. Attorneys request text message exports. PIs take screenshots. Forensic examiners produce reports.</p> <p>And almost every time, what ends up in the case file is a fraction of what's actually there.</p> <p>I'm a technologist — 25 years in software, QA, systems design — and when I cracked open my own iPhone backup, what I found changed the way I think about phone evidence entirely. This article walks through what's actually inside an iTunes/Finder backup at the file and database level, because most people — including many professionals — have never looked.</p> <h2> The Backup Structure: What Apple Actually Stores </h2> <p>When you back up an iPhone to a computer via iTunes (Windows) or Finder (macOS), Apple creates a folder in a predictable location:</p> <ul> <li> <strong>macOS:</strong> <code>~/Library/Application Support/MobileSync/Backup/</code> </li> <li> <strong>Windows:</strong> <code>%APPDATA%\Apple Computer\MobileSync\Backup\</code> </li> </ul> <p>Inside, you'll find a folder named with the device's UDID. Open it and you'll see thousands of files with 40-character hexadecimal filenames — no extensions, no directory structure. It looks like chaos.</p> <p>It's not. Every one of those filenames is a <strong>SHA-1 hash</strong> of the file's original domain and path on the device.</p> <h2> How the Hashing Works </h2> <p>Apple uses a consistent hashing scheme. Each file on the device has a <em>domain</em> (like <code>HomeDomain</code> or <code>MediaDomain</code>) and a <em>relative path</em> (like <code>Library/SMS/sms.db</code>). The backup filename is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nc">SHA1</span><span class="p">(</span><span class="nx">domain</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">-</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">relativePath</span><span class="p">)</span> </code></pre> </div> <p>For example, the messages database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SHA1("HomeDomain-Library/SMS/sms.db") = 3d0d7e5fb2ce288813306e4d4636395e047a3d28 </code></pre> </div> <p>That hash <strong>is</strong> the filename in the backup folder. No extension, no directory hierarchy — just the hash. This means if you know the domain and path of a file on the device, you can calculate exactly which backup file contains it.</p> <h2> Manifest.db: The Rosetta Stone </h2> <p>The most important file in any backup is <code>Manifest.db</code> — a SQLite database that maps every hashed filename back to its original path, domain, and metadata. Its structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">Files</span> <span class="p">(</span> <span class="n">fileID</span> <span class="nb">TEXT</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="k">domain</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">relativePath</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">flags</span> <span class="nb">INTEGER</span><span class="p">,</span> <span class="n">file</span> <span class="nb">BLOB</span> <span class="p">);</span> </code></pre> </div> <ul> <li> <code>fileID</code> — the SHA-1 hash (the filename in the backup folder)</li> <li> <code>domain</code> — the app or system domain (<code>HomeDomain</code>, <code>AppDomain-com.app.name</code>, etc.)</li> <li> <code>relativePath</code> — the original file path on the device</li> <li> <code>flags</code> — file type (1 = file, 2 = directory, 4 = symlink)</li> <li> <code>file</code> — a binary plist blob containing file metadata (size, timestamps, permissions)</li> </ul> <p>Query it and you get a complete directory listing of the entire device:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">fileID</span><span class="p">,</span> <span class="k">domain</span><span class="p">,</span> <span class="n">relativePath</span> <span class="k">FROM</span> <span class="n">Files</span> <span class="k">WHERE</span> <span class="n">flags</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">domain</span><span class="p">,</span> <span class="n">relativePath</span><span class="p">;</span> </code></pre> </div> <p>This single query reveals every file backed up from the phone — thousands of entries spanning messages, photos, call logs, browser history, app data, and more.</p> <h2> The Key SQLite Databases </h2> <p>Here's where it gets interesting. Several of the backed-up files are SQLite databases themselves, each containing structured, queryable data. The most important ones:</p> <h3> Messages — <code>sms.db</code> </h3> <p><strong>Hash:</strong> <code>3d0d7e5fb2ce288813306e4d4636395e047a3d28</code><br> <strong>Path:</strong> <code>HomeDomain-Library/SMS/sms.db</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Key tables</span> <span class="n">message</span> <span class="c1">-- every SMS and iMessage</span> <span class="n">chat</span> <span class="c1">-- conversation threads</span> <span class="n">chat_message_join</span> <span class="c1">-- links messages to chats</span> <span class="n">handle</span> <span class="c1">-- phone numbers / email addresses</span> <span class="n">attachment</span> <span class="c1">-- photos, videos, files sent in messages</span> <span class="c1">-- Useful query: messages with contact info and timestamps</span> <span class="k">SELECT</span> <span class="n">m</span><span class="p">.</span><span class="n">ROWID</span><span class="p">,</span> <span class="n">m</span><span class="p">.</span><span class="nb">text</span><span class="p">,</span> <span class="n">m</span><span class="p">.</span><span class="nb">date</span><span class="p">,</span> <span class="c1">-- Apple epoch: seconds since 2001-01-01</span> <span class="n">m</span><span class="p">.</span><span class="n">is_from_me</span><span class="p">,</span> <span class="n">m</span><span class="p">.</span><span class="n">date_read</span><span class="p">,</span> <span class="n">m</span><span class="p">.</span><span class="n">date_delivered</span><span class="p">,</span> <span class="n">h</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">contact</span> <span class="k">FROM</span> <span class="n">message</span> <span class="n">m</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">handle</span> <span class="n">h</span> <span class="k">ON</span> <span class="n">m</span><span class="p">.</span><span class="n">handle_id</span> <span class="o">=</span> <span class="n">h</span><span class="p">.</span><span class="n">ROWID</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">m</span><span class="p">.</span><span class="nb">date</span><span class="p">;</span> </code></pre> </div> <p>Note: Apple timestamps use <strong>Core Data epoch</strong> — seconds (or nanoseconds, depending on iOS version) since <strong>January 1, 2001</strong>, not the Unix epoch. You'll need to convert:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="n">APPLE_EPOCH</span> <span class="o">=</span> <span class="nf">datetime</span><span class="p">(</span><span class="mi">2001</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">def</span> <span class="nf">apple_timestamp_to_datetime</span><span class="p">(</span><span class="n">ts</span><span class="p">):</span> <span class="k">if</span> <span class="n">ts</span> <span class="o">&gt;</span> <span class="mf">1e15</span><span class="p">:</span> <span class="c1"># nanoseconds (iOS 14+) </span> <span class="n">ts</span> <span class="o">=</span> <span class="n">ts</span> <span class="o">/</span> <span class="mf">1e9</span> <span class="k">return</span> <span class="n">APPLE_EPOCH</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">ts</span><span class="p">)</span> </code></pre> </div> <h3> Call History — <code>call_history.db</code> </h3> <p><strong>Hash:</strong> <code>2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca</code><br> <strong>Path:</strong> <code>HomeDomain-Library/CallHistoryDB/CallHistory.storedata</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Key table: ZCALLRECORD</span> <span class="k">SELECT</span> <span class="n">ZADDRESS</span><span class="p">,</span> <span class="c1">-- phone number</span> <span class="n">ZDATE</span><span class="p">,</span> <span class="c1">-- Apple epoch timestamp</span> <span class="n">ZDURATION</span><span class="p">,</span> <span class="c1">-- call duration in seconds</span> <span class="n">ZORIGINATED</span><span class="p">,</span> <span class="c1">-- 1 = outgoing, 0 = incoming</span> <span class="n">ZANSWERED</span><span class="p">,</span> <span class="c1">-- 1 = answered, 0 = missed/declined</span> <span class="n">ZCALLTYPE</span> <span class="c1">-- 1 = voice, 8 = FaceTime video, 16 = FaceTime audio</span> <span class="k">FROM</span> <span class="n">ZCALLRECORD</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">ZDATE</span><span class="p">;</span> </code></pre> </div> <h3> Photos Metadata — <code>Photos.sqlite</code> </h3> <p><strong>Path:</strong> <code>CameraRollDomain-Media/PhotoData/Photos.sqlite</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Key tables: ZASSET, ZADDITIONALASSETATTRIBUTES</span> <span class="k">SELECT</span> <span class="n">a</span><span class="p">.</span><span class="n">ZFILENAME</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">ZDATECREATED</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">ZLATITUDE</span><span class="p">,</span> <span class="n">a</span><span class="p">.</span><span class="n">ZLONGITUDE</span><span class="p">,</span> <span class="n">attr</span><span class="p">.</span><span class="n">ZORIGINALFILESIZE</span><span class="p">,</span> <span class="n">attr</span><span class="p">.</span><span class="n">ZCAMERAMAKE</span><span class="p">,</span> <span class="n">attr</span><span class="p">.</span><span class="n">ZCAMERAMODEL</span> <span class="k">FROM</span> <span class="n">ZASSET</span> <span class="n">a</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">ZADDITIONALASSETATTRIBUTES</span> <span class="n">attr</span> <span class="k">ON</span> <span class="n">a</span><span class="p">.</span><span class="n">Z_PK</span> <span class="o">=</span> <span class="n">attr</span><span class="p">.</span><span class="n">ZASSET</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">a</span><span class="p">.</span><span class="n">ZDATECREATED</span><span class="p">;</span> </code></pre> </div> <p>Every photo with GPS coordinates, camera model, exact timestamp — all queryable.</p> <h3> Safari Browser History — <code>History.db</code> </h3> <p><strong>Hash:</strong> <code>e74113c185fd8297e140571f7e3beb3cfceddb58</code><br> <strong>Path:</strong> <code>HomeDomain-Library/Safari/History.db</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">hi</span><span class="p">.</span><span class="n">url</span><span class="p">,</span> <span class="n">hi</span><span class="p">.</span><span class="n">visit_count</span><span class="p">,</span> <span class="n">hv</span><span class="p">.</span><span class="n">visit_time</span><span class="p">,</span> <span class="c1">-- Apple epoch</span> <span class="n">hv</span><span class="p">.</span><span class="n">title</span> <span class="k">FROM</span> <span class="n">history_items</span> <span class="n">hi</span> <span class="k">JOIN</span> <span class="n">history_visits</span> <span class="n">hv</span> <span class="k">ON</span> <span class="n">hi</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">hv</span><span class="p">.</span><span class="n">history_item</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">hv</span><span class="p">.</span><span class="n">visit_time</span><span class="p">;</span> </code></pre> </div> <h3> Other Key Databases </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Data</th> <th>File Path</th> <th>Hash</th> </tr> </thead> <tbody> <tr> <td><strong>Notes</strong></td> <td><code>HomeDomain-Library/Notes/notes.sqlite</code></td> <td>Varies by iOS version</td> </tr> <tr> <td><strong>Contacts</strong></td> <td><code>HomeDomain-Library/AddressBook/AddressBook.sqlitedb</code></td> <td><code>31bb7ba8914766d4ba40d6dfb6113c8b614be442</code></td> </tr> <tr> <td><strong>Voicemail</strong></td> <td><code>HomeDomain-Library/Voicemail/voicemail.db</code></td> <td>Varies</td> </tr> <tr> <td><strong>Wi-Fi locations</strong></td> <td><code>SystemPreferencesDomain-SystemConfiguration/com.apple.wifi.plist</code></td> <td>Varies</td> </tr> <tr> <td><strong>Calendar</strong></td> <td><code>HomeDomain-Library/Calendar/Calendar.sqlitedb</code></td> <td>Varies</td> </tr> </tbody> </table></div> <h2> What Most People Miss </h2> <p>Here's the problem: an attorney requests "text messages between the parties." Someone scrolls through the phone, takes screenshots, maybe exports a PDF through a consumer app.</p> <p>That workflow misses almost everything.</p> <p>It misses the call that happened two minutes before the text — the one that provides context for why the message was sent. It misses the browser search at 1 AM that shows state of mind. It misses the GPS coordinates on a photo that contradict a stated alibi. It misses the voicemail that was listened to but never saved.</p> <p>Most critically, it misses the <strong>pattern</strong> — the escalation visible only when you lay out messages, calls, and locations on a single timeline across weeks or months.</p> <p>Individual screenshots are moments frozen in isolation. The real story lives in the connections between data points across multiple channels.</p> <h2> The Tooling Gap </h2> <p>The professional forensic tools — Cellebrite, Magnet AXIOM, Oxygen — are powerful, but they're built for law enforcement and enterprise labs. They cost thousands per license and require training and certification.</p> <p>Consumer tools let you browse messages and export contacts, but they don't do cross-channel analysis. They don't reconstruct timelines. They don't let you see a call log, text thread, browser history, and location data side by side in chronological order.</p> <p>There's a gap in the middle — and it's exactly where most family law cases, PI investigations, and civil disputes live.</p> <h2> What I Built </h2> <p>I built <a href="https://openextract.app" rel="noopener noreferrer">OpenExtract</a> to fill that gap. It's a free, open-source desktop app that reads a local iPhone backup and extracts everything — messages, calls, photos, contacts, voicemails, notes, browser history, and more — into structured, searchable, exportable formats.</p> <p>It parses <code>Manifest.db</code>, resolves the SHA-1 hashes, opens each SQLite database, converts Apple-epoch timestamps, and produces unified, cross-referenced output. It runs locally — no cloud, no account, no subscription.</p> <p>If you work with phone evidence and you've never opened <code>Manifest.db</code> in a SQLite browser, I'd encourage you to try it. You might be surprised by how much data is sitting right there, already preserved, waiting to be queried.</p> <p><strong>Site:</strong> <a href="https://openextract.app" rel="noopener noreferrer">openextract.app</a><br> <strong>GitHub:</strong> <a href="https://github.com/openextract" rel="noopener noreferrer">github.com/openextract</a></p> <p><em>Charles is a retired technologist and the developer behind OpenExtract. This is the third in a series of articles about phone data, personal records, and the tools we use to make sense of them.</em></p> opensource iphone forensics