Communication Artifacts - macOS Forensic Artifacts

Apple's built-in communication applications store messages, emails, call records, and contact information in SQLite databases and structured file formats. These artifacts provide critical evidence of user communications, social connections, and timeline data.

Third-party messaging applications including Signal Desktop, Telegram Desktop, WhatsApp Desktop, and Facebook Messenger Desktop also leave forensic artifacts on macOS. Signal stores an encrypted SQLite database with a recoverable key; Telegram uses a custom encrypted binary format (TDF$) with an unencrypted media cache; WhatsApp stores its complete chat database as plaintext SQLite in a Group Container accessible without Full Disk Access. Facebook Messenger Desktop was discontinued in December 2025 but residual data — including cached messages, payment records, and search activity in the Lightspeed/MSYS database — persists on machines where the app was installed between 2020 and 2025.