iMessage

Overview

Evidence: iMessage
Description: Collect iMessages
Category: System
Platform: macos
Short Name: imsg
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

iMessage chat database stores messages, attachments, and metadata per user. This data is essential for communications analysis and timeline reconstruction.

Data Collected

This collector gathers structured data about imessage.

iMessage Data

Field	Description	Example
`User`	User	Example value
`MessageID`	Message ID	123
`Conversation`	Conversation	123
`Text`	Text	Example value
`Contact`	Contact	Example value
`Direction`	Direction	Example value
`Account`	Account	Example value
`Date`	Date	2023-10-15 14:30:25+03:00
`DateRead`	Date Read	2023-10-15 14:30:25+03:00
`DateDelivered`	Date Delivered	2023-10-15 14:30:25+03:00
`IsFromMe`	Is From Me	123
`IsRead`	Is Read	123
`DestinationCallerID`	Destination Caller ID	Example value
`AttachmentPath`	Attachment Path	Example value
`AttachmentName`	Attachment Name	Example value
`AttachmentSize`	Attachment Size	123

Collection Method

This collector copies user chat.db files and queries messages, attachments, and related tables, recording into imessage.

Forensic Value

This evidence is crucial for forensic investigations as it reveals communications content, participants, and attachment artifacts.