Contacts
Contacts (AddressBook)
Overview
The macOS Contacts application (formerly Address Book) stores contact records in one or more SQLite databases using the AddressBook-v22 schema. Each contact record can contain names, phone numbers, email addresses, postal addresses, social profiles, URLs, relationships, notes, and photos. The database also tracks change history (insertions, modifications, deletions) with timestamps and attribution to the application that made each change.
Contacts data is the foundation for identity resolution across all communication artifacts. Phone numbers and email addresses from the AddressBook can be correlated with Messages handles, FaceTime call addresses, and Mail sender/recipient fields to transform anonymous identifiers into named individuals.
File Locations
Primary Database
| Artifact | Path | Format |
|---|---|---|
| Main Database | ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb | SQLite (Core Data) |
| WAL File | ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb-wal | SQLite WAL |
| SHM File | ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb-shm | SQLite SHM |
Per-Source Databases
Each account source (iCloud, Exchange, CardDAV, local) has its own database:
~/Library/Application Support/AddressBook/Sources/
{UUID-1}/
AddressBook-v22.abcddb
AddressBook-v22.abcddb-wal
AddressBook-v22.abcddb-shm
.AddressBook-v22_SUPPORT/
_EXTERNAL_DATA/
{photo-uuid}.jpg
{UUID-2}/
...
Additional Artifacts
| Artifact | Path | Format |
|---|---|---|
| Contact Photos | Sources/{UUID}/.AddressBook-v22_SUPPORT/_EXTERNAL_DATA/ | JPEG |
| Siri Changelog | ~/Library/Application Support/AddressBook/ABAssistantChangelog.aclcddb | SQLite |
| App Preferences | ~/Library/Preferences/com.apple.AddressBook.plist | Plist |
| Sync Metadata | ~/Library/Application Support/AddressBook/Metadata/ | Various |
Database Schema / File Format
The AddressBook database uses Apple's Core Data framework, resulting in Z-prefixed table and column names. The schema version (v22) has been stable since macOS 10.7, with minor column additions in newer releases.
Key tables:
- ZABCDRECORD -- Contact records and groups (see AddressBook Database)
- ZABCDEMAILADDRESS -- Email addresses (multi-value)
- ZABCDPHONENUMBER -- Phone numbers (multi-value)
- ZABCDPOSTALADDRESS -- Physical addresses (multi-value)
- ZABCDSOCIALPROFILE -- Social media profiles
- ZABCDURLADDRESS -- Website URLs
- ZABCDRELATEDNAME -- Relationships (spouse, parent, child)
- ZABCDNOTE -- Contact notes
- ATRANSACTION / ACHANGE -- Change tracking (see Change Tracking)
- ZABCDDELETEDRECORDLOG -- Deleted contact log
Key Fields for Analysis
ZABCDRECORD.ZUNIQUEID-- Globally unique identifier for each contact, stable across syncs.ZABCDRECORD.ZCREATIONDATE-- When the contact was first created (Core Data timestamp).ZABCDRECORD.ZMODIFICATIONDATE-- When the contact was last modified.ZABCDRECORD.Z_ENT-- Entity type: 22 = contact, 19 = group, 25 = container.ZABCDPHONENUMBER.ZFULLNUMBER-- Full phone number as entered by the user.ZABCDEMAILADDRESS.ZADDRESS-- Email address.- Labels -- Multi-value fields use Apple's label format
_$!<Label>!$_(e.g.,_$!<Work>!$_). Strip the delimiters to get the readable label.
Timestamps
All timestamps use Core Data epoch (seconds since 2001-01-01 00:00:00 UTC):
SELECT datetime(ZCREATIONDATE + 978307200, 'unixepoch') AS created_utc
FROM ZABCDRECORD
WHERE Z_ENT = 22;
Key timestamp columns: ZCREATIONDATE, ZMODIFICATIONDATE, ZLASTSYNCDATE, ZBIRTHDAY.
Analysis Notes
- Multiple databases: The main database at the top level contains an aggregated/unified view. The per-source databases in
Sources/contain account-specific contacts (iCloud, Exchange, etc.). Both should be collected for completeness. - Identity resolution: Phone numbers and email addresses from contacts can be cross-referenced with Messages handles, FaceTime call addresses, and Mail sender/recipient data. Phone normalization (stripping formatting, handling country codes) is essential for accurate matching.
- Label format: Apple wraps label strings in
_$!<and>!$_delimiters. For example,_$!<Work>!$_means "Work". Custom labels are stored without this wrapper. - Change tracking: The
ATRANSACTIONandACHANGEtables provide a forensic audit trail of who modified contacts and when. This is particularly valuable for detecting evidence tampering. - Deleted contacts: The
ZABCDDELETEDRECORDLOGtable retains the unique ID and deletion date of removed contacts, providing evidence of deliberate contact deletion. - Contact photos: Photos are stored as JPEG files in the
_EXTERNAL_DATAdirectory, referenced byZIMAGEHASHinZABCDRECORD. The presence ofZIMAGEHASHwithout a corresponding file may indicate the photo has been synced but not yet downloaded.
Version Differences
| macOS Version | Schema Version | Notable Changes |
|---|---|---|
| 10.7+ | v22 | Baseline AddressBook-v22 schema |
| 12 Monterey | v22 | ZMEMOJIMETADATA column added |
| 13 Ventura | v22 | ZAVATARRECIPEDATA, ZSENSITIVECONTENTCONFIGURATION added |
| 14+ | v22 | Minor column additions |
The v22 schema has been remarkably stable. Version differences primarily affect which optional columns are present.
Tool Support
| Tool | Support Level |
|---|---|
| macfor | Full collection: contacts, multi-value fields, change tracking, deleted contacts, photos, per-source databases |
| AXIOM | Full Contacts support |
| Cellebrite | Full Contacts support |
| sqlite3 CLI | Manual querying with Core Data timestamp conversion |