# iMessage

## Overview

**Evidence:** iMessage\
**Description:** Collect iMessages\
**Category:** System\
**Platform:** macos\
**Short Name:** imsg\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The iMessage chat database (`chat.db`) stores messages, attachments, and metadata for each user. This data is essential for communications analysis and timeline reconstruction.

## Data Collected

This collector gathers structured data about iMessage messages and their attachments.

### iMessage Data

| Field                 | Description           | Example                   |
| --------------------- | --------------------- | ------------------------- |
| `User`                | User                  | Example value             |
| `MessageID`           | Message ID            | 123                       |
| `Conversation`        | Conversation          | 123                       |
| `Text`                | Text                  | Example value             |
| `Contact`             | Contact               | Example value             |
| `Direction`           | Direction             | Example value             |
| `Account`             | Account               | Example value             |
| `Date`                | Date                  | 2023-10-15 14:30:25+03:00 |
| `DateRead`            | Date Read             | 2023-10-15 14:30:25+03:00 |
| `DateDelivered`       | Date Delivered        | 2023-10-15 14:30:25+03:00 |
| `IsFromMe`            | Is From Me            | 123                       |
| `IsRead`              | Is Read               | 123                       |
| `DestinationCallerID` | Destination Caller ID | Example value             |
| `AttachmentPath`      | Attachment Path       | Example value             |
| `AttachmentName`      | Attachment Name       | Example value             |
| `AttachmentSize`      | Attachment Size       | 123                       |

## Collection Method

This collector copies each user's `chat.db` file and queries the message, attachment, and related tables, recording the results into `imessage`.
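
The kind of query this section describes, as an added example rather than the collector's own code: it joins the `message`, `handle`, `chat`, and `attachment` tables of a `chat.db` copy and converts Apple-epoch timestamps to UTC. The column-to-field mapping, the `Direction` labels, and the in-memory sample database are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_ts(value):
    """chat.db time (ns since 2001-01-01, seconds on older macOS) -> UTC, or None if unset."""
    if not value:
        return None
    return APPLE_EPOCH + timedelta(seconds=value / 10**9 if value > 10**11 else value)

# Assumed mapping of chat.db columns to the field names in the table above.
QUERY = """
SELECT m.ROWID AS MessageID, c.chat_identifier AS Conversation, m.text AS Text,
  h.id AS Contact, m.account AS Account, m.date AS Date, m.date_read AS DateRead,
  m.date_delivered AS DateDelivered, m.is_from_me AS IsFromMe, m.is_read AS IsRead,
  m.destination_caller_id AS DestinationCallerID, a.filename AS AttachmentPath,
  a.transfer_name AS AttachmentName, a.total_bytes AS AttachmentSize
FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
LEFT JOIN chat_message_join cmj ON cmj.message_id = m.ROWID LEFT JOIN chat c ON c.ROWID = cmj.chat_id
LEFT JOIN message_attachment_join maj ON maj.message_id = m.ROWID LEFT JOIN attachment a ON a.ROWID = maj.attachment_id
ORDER BY m.date, m.ROWID"""

def read_messages(conn, user):
    """Return one dict per message/attachment pair; messages without attachments get None."""
    conn.row_factory = sqlite3.Row
    rows = [dict(r, User=user) for r in conn.execute(QUERY)]
    for row in rows:
        row.update({k: apple_ts(row[k]) for k in ("Date", "DateRead", "DateDelivered")})
        row["Direction"] = "Outgoing" if row["IsFromMe"] else "Incoming"  # assumed labels
    return rows

def build_sample():
    """Constructed in-memory stand-in for a copied chat.db (reduced schema, fake data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id); CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier);
      CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text, handle_id, account, date,
        date_read, date_delivered, is_from_me, is_read, destination_caller_id);
      CREATE TABLE chat_message_join (chat_id, message_id); CREATE TABLE message_attachment_join (message_id, attachment_id);
      CREATE TABLE attachment (ROWID INTEGER PRIMARY KEY, filename, transfer_name, total_bytes);
      INSERT INTO handle VALUES (1, '+15555550100'); INSERT INTO chat VALUES (1, '+15555550100');
      INSERT INTO message VALUES
        (1, 'see attached', 1, 'E:alice@example.com', 719062225000000000, 719062285000000000, 0, 0, 1, NULL),
        (2, 'got it', 1, 'E:alice@example.com', 719062345000000000, 0, 719062346000000000, 1, 0, 'alice@example.com');
      INSERT INTO chat_message_join VALUES (1, 1), (1, 2); INSERT INTO message_attachment_join VALUES (1, 1);
      INSERT INTO attachment VALUES (1, '~/Library/Messages/Attachments/aa/10/invoice.pdf', 'invoice.pdf', 48213);
    """)
    return conn
```

When working from a real copy, open it read-only (`sqlite3.connect("file:chat.db?mode=ro", uri=True)`) and keep the `chat.db-wal` and `chat.db-shm` files next to it, since recent messages may exist only in the write-ahead log.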

## Forensic Value

This evidence is crucial for forensic investigations as it reveals communications content, participants, and attachment artifacts.
