What mobile device artifacts (app caches, thumbnails, SQLite DBs) indicate CSAM access or storage?
Executive summary
Mobile devices leave a constellation of forensic traces (image thumbnails and caches, app SQLite databases, file system metadata and deleted-file remnants, and cryptographic/hash records) that investigators use to infer CSAM access or storage; specialized forensic suites and vendor tools accelerate triage but also shape which artifacts are emphasized [1] [2] [3]. Platform-vendor policy features add another artifact class, at least in principle: Apple's proposed on-device CSAM-hash matching, which would have produced cryptographic “safety vouchers” that could be surfaced later under specific conditions [4] [5] [6].
1. Thumbnails, caches and carved images: visible proxies for originals
Thumbnails and app caches are among the most common, high-value artifacts because they can outlive the originals: a gallery or app writes a reduced copy when an image is rendered, and deleting the original does not necessarily remove that copy. Forensic tools therefore routinely parse gallery/thumbcache folders and app caches to quickly show visual evidence or leads [7] [1]. Magnet AXIOM and similar suites explicitly emphasize parsing deleted-file metadata and thumbnail stores to reveal recently deleted pictures that may contain explicit material [7], while research catalogues of mobile internal storage list thumbnail/cache entries as standard artifacts [8]. A thumbnail is a proxy, not the original: it shows that an image was present and rendered, but its cryptographic hash will never equal the original's, so comparison against a reference set has to be made on the carved thumbnail itself or through similarity hashing.
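As an added example (not code from the page or from any vendor named above), the following Python carves JPEG thumbnails out of a raw cache blob by scanning for the Start-Of-Image and End-Of-Image markers, which is the basic technique behind recovering thumbnails from stores such as Android's .thumbdata files or from unallocated space. The sample blob is constructed inline; nothing in it comes from a real device.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # JPEG Start-Of-Image marker followed by the first segment marker byte
EOI = b"\xff\xd9"      # JPEG End-Of-Image marker


def carve_jpegs(blob: bytes, min_size: int = 8) -> list:
    """Return [(offset, data), ...] for every SOI..EOI span in blob, in file order.

    Each candidate runs from an SOI to the first EOI after it. Thumbnail caches hold
    small baseline JPEGs with no embedded preview, so this is adequate for them; a
    full-size JPEG carrying its own EXIF thumbnail would be cut short at the inner
    EOI, which is why carved output is a lead to be verified, not a byte-exact original.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI))
        if end < 0:
            break  # trailing record has no EOI: truncated, nothing more to carve
        end += len(EOI)
        if end - start >= min_size:
            found.append((start, blob[start:end]))
        pos = end
    return found


def summarize(blob: bytes) -> list:
    """Offset, size and SHA-1 for each carved thumbnail: the hash feeds reference-set
    comparison and the offset lets the result be reproduced from the same image later."""
    return [
        {"offset": off, "size": len(data), "sha1": hashlib.sha1(data).hexdigest()}
        for off, data in carve_jpegs(blob)
    ]


# Constructed sample standing in for a thumbnail cache file (not data from any real
# device): two JPEG-like records separated by padding, then a truncated third record.
IMG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00A" + b"\x00" * 6 + EOI       # 20 bytes, lands at offset 16
IMG_B = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00B" + b"\x11" * 9 + EOI   # 24 bytes, lands at offset 68
TRUNCATED = b"\xff\xd8\xff\xdb" + b"\x7f" * 10                           # SOI with no EOI
SAMPLE_BLOB = b"\x00" * 16 + IMG_A + b"\x00" * 32 + IMG_B + b"\x00" * 8 + TRUNCATED

if __name__ == "__main__":
    for rec in summarize(SAMPLE_BLOB):
        print(rec)
```

Run against a real cache file, the offsets are what goes in the examiner's notes, and the truncated trailing record is deliberately left uncarved rather than guessed at; a carver that synthesises a missing EOI produces output that cannot be defended later.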
2. SQLite databases and application metadata: the structured trail
Many apps store media references, chat history, transfer logs and content metadata in SQLite databases that investigators parse to link files to timestamps, contacts and transfers; industry guidance and vendor blogs highlight application artifacts as essential for relating a photo to user activity [1] [2]. For example, AirDrop, messaging apps and cloud clients often leave DB rows recording file names, message IDs and timestamps that provide context even when the binary image is missing [7] [1]. Two practical points follow. Timestamp columns vary by platform and app version (Unix seconds, Unix milliseconds, or Apple's 2001-based epoch in seconds or nanoseconds), so each column must be normalised before rows from different databases are placed on one timeline. And rows the user deleted can survive in the database's unused freelist pages and in the write-ahead log (-wal) or rollback journal, so those companion files belong in the collection; a plain SQL query over the main file is not the whole picture.
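An added example (not the page's text, and not any vendor's tooling) of the structured-trail work: it opens a SQLite database, joins attachments to the messages that carried them, normalises mixed timestamp formats, and sorts the result into a timeline. The schema and rows are constructed for illustration in the style of a messaging app's database; the table and column names are hypothetical, not a dump of any real application.

```python
import sqlite3
from datetime import datetime, timezone

COCOA_EPOCH_OFFSET = 978_307_200  # seconds from 1970-01-01 to 2001-01-01 (Apple's Core Data epoch)


def cocoa_to_utc(value) -> datetime:
    """Apple timestamps count from 2001-01-01; older databases store seconds, newer
    ones nanoseconds. Anything above 1e11 cannot be seconds (that would be year 5000+),
    so it is treated as nanoseconds."""
    v = float(value)
    if v > 1e11:
        v /= 1e9
    return datetime.fromtimestamp(v + COCOA_EPOCH_OFFSET, tz=timezone.utc)


def android_ms_to_utc(value) -> datetime:
    """Android app databases commonly store Unix time in milliseconds."""
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


# Constructed, simplified schema in the style of a messaging app's database
# (hypothetical; not a dump of any real application).
SCHEMA = """
CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT,
                      date INTEGER, is_from_me INTEGER);
CREATE TABLE attachment (id INTEGER PRIMARY KEY, filename TEXT,
                         mime_type TEXT, total_bytes INTEGER);
CREATE TABLE message_attachment_join (message_id INTEGER, attachment_id INTEGER);
"""

# No ORDER BY on m.date: a column that mixes seconds and nanoseconds sorts wrongly
# on raw values, so ordering happens after normalisation in Python.
QUERY = """
SELECT m.id, m.handle, m.date, m.is_from_me, a.filename, a.mime_type, a.total_bytes
FROM attachment a
JOIN message_attachment_join j ON j.attachment_id = a.id
JOIN message m ON m.id = j.message_id
WHERE a.mime_type LIKE 'image/%' OR a.mime_type LIKE 'video/%'
"""


def media_timeline(conn: sqlite3.Connection) -> list:
    rows = []
    for msg_id, handle, date, from_me, fname, mime, size in conn.execute(QUERY):
        rows.append({
            "message_id": msg_id,
            "counterpart": handle,
            "direction": "sent" if from_me else "received",
            "utc": cocoa_to_utc(date).isoformat(),
            "filename": fname,
            "mime_type": mime,
            "total_bytes": size,
        })
    rows.sort(key=lambda r: r["utc"])  # ISO-8601 UTC strings sort chronologically
    return rows


def open_evidence_db(path: str) -> sqlite3.Connection:
    """Open a working copy read-only. immutable=1 stops SQLite from creating or
    touching -wal/-shm files; the -wal or -journal file copied with the database
    may still hold rows not yet merged into the main file, so collect it too."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO message VALUES (?,?,?,?,?)", [
        (1, "+15550100", "see attached", 694_224_000_000_000_000, 0),  # ns -> 2023-01-01T00:00:00Z
        (2, "+15550100", "", 694_224_060, 1),                          # legacy seconds -> 00:01:00Z
        (3, "+15550199", "text only", 694_224_120_000_000_000, 0),
    ])
    conn.executemany("INSERT INTO attachment VALUES (?,?,?,?)", [
        (10, "Attachments/ab/11/IMG_0001.JPG", "image/jpeg", 204_800),
        (11, "Attachments/cd/13/IMG_0002.MOV", "video/quicktime", 8_388_608),
        (12, "Attachments/ef/15/notes.pdf", "application/pdf", 1_024),
    ])
    conn.executemany("INSERT INTO message_attachment_join VALUES (?,?)",
                     [(1, 10), (2, 11), (3, 12)])
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in media_timeline(build_sample_db()):
        print(row)
```

The second sample row is the trap the paragraph warns about: stored as seconds where its neighbour is stored as nanoseconds, it would sort first on raw value while actually being a minute later. Against a real extraction the same function is pointed at a copy via open_evidence_db, never at the original file.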
3. File system metadata and deleted-file remnants: dates, paths and recovery
File system metadata (inode timestamps and directory entries), metadata embedded in the media itself (EXIF capture time and GPS), and the device's Wi‑Fi/cell logs together help place media in time and location, and modern forensic tools can recover deleted files from Android EXT4 and other file systems to reveal explicit material otherwise thought erased [7] [3]. Two caveats apply when correlating these sources. EXIF DateTimeOriginal is local time with no zone unless the optional OffsetTime tags are present, while filesystem timestamps are stored relative to UTC, so an apparent mismatch may be a timezone artifact rather than tampering. And on devices that protect each file with its own encryption key (iOS), deleting a file discards that key, so recovery of the deleted content is generally not possible and the thumbnail and database traces described above become the primary evidence. Vendor solutions marketed for CSAM investigations highlight their ability to parse location metadata and correlate “photo locations” with other significant places, an investigative step used to corroborate victim presence or upload events [3] [9].
4. Hashes, similarity tools and platform-side artifacts: known-CSAM matching
Known-CSAM detection relies on hash-based matching and similarity hashing rather than on inspecting raw images. Apple's design, announced in August 2021 and withdrawn in December 2022 without ever shipping, would have distributed a blinded database of known-CSAM perceptual hashes (NeuralHash) to devices, matched each photo on-device before upload, and produced encrypted safety vouchers uploaded to iCloud Photos that could be interpreted only after a threshold number of matches [4] [5] [6]. Forensic triage tools and scanners likewise use CRC/block-hashing and hash-sets to quickly flag known files, a capability vendors advertise for speeding CSAM discovery [10] [2]. A CRC is fast but not collision resistant, so a CRC hit is a lead to confirm with a cryptographic hash (reference lists are usually distributed as MD5/SHA-1 sets); and a cryptographic hash will not match a re-encoded, resized or cropped copy at all, which is the gap similarity hashing exists to close.
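An added example, not from the page or any cited vendor, showing the three matching styles the paragraph names: whole-file cryptographic hashes, block (sector) hashing that can match a recovered fragment, and a similarity hash that survives re-encoding. The known file, hash set and 8x8 grayscale grids are constructed; the average-hash routine is a toy stand-in, since the production similarity hashes (PhotoDNA, Apple's NeuralHash) are not published.

```python
import hashlib

BLOCK = 16  # block size for block hashing here; tools typically use sector sizes (512 or 4096)


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed reference material (hypothetical stand-ins, not a real reference set).
KNOWN_FILE = bytes(range(256)) * 2                      # 512-byte "known file"
KNOWN_FILE_HASHES = {"md5": hashlib.md5(KNOWN_FILE).hexdigest(), "sha1": sha1(KNOWN_FILE)}


def block_hashes(data: bytes, block: int = BLOCK) -> list:
    """SHA-1 of each full block. A carved or partially overwritten fragment can still
    match on the blocks that survived, which a whole-file hash never will."""
    usable = len(data) - len(data) % block
    return [sha1(data[i:i + block]) for i in range(0, usable, block)]


KNOWN_BLOCKS = set(block_hashes(KNOWN_FILE))


def exact_match(data: bytes) -> bool:
    """Whole-file match; reference lists usually carry MD5 and SHA-1, so check both."""
    return (hashlib.md5(data).hexdigest() == KNOWN_FILE_HASHES["md5"]
            and sha1(data) == KNOWN_FILE_HASHES["sha1"])


def fragment_match(fragment: bytes, block: int = BLOCK) -> int:
    """Count of fragment blocks present in the known block set. Assumes the fragment
    starts on a block boundary (true for sector-aligned carving); if not, slide the
    start through range(block) and take the best count."""
    return sum(1 for h in block_hashes(fragment, block) if h in KNOWN_BLOCKS)


def average_hash(gray8x8: list) -> int:
    """Toy 64-bit perceptual hash: bit i is set when pixel i exceeds the grid mean.
    Production similarity hashes (PhotoDNA, Apple's NeuralHash) are unpublished and far
    more robust; this only shows the property that matters, tolerance to small changes."""
    if len(gray8x8) != 64:
        raise ValueError("need 64 grayscale samples (an 8x8 downscaled image)")
    mean = sum(gray8x8) / 64
    h = 0
    for p in gray8x8:
        h = (h << 1) | (1 if p > mean else 0)
    return h


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


# Constructed 8x8 grayscale grids: a dark-left / bright-right image, and the same
# image after a "re-encode" that nudged two boundary pixels.
ORIGINAL = ([20] * 4 + [200] * 4) * 8
REENCODED = list(ORIGINAL)
REENCODED[3], REENCODED[11] = 130, 130


def compare(original: list, candidate: list, threshold: int = 6) -> dict:
    """Exact hash versus similarity hash on the same pair of images."""
    exact = sha1(bytes(original)) == sha1(bytes(candidate))
    dist = hamming(average_hash(original), average_hash(candidate))
    return {"exact_match": exact, "hamming": dist, "similar": dist <= threshold}


if __name__ == "__main__":
    print("whole file:", exact_match(KNOWN_FILE), "| fragment blocks:", fragment_match(KNOWN_FILE[64:112]))
    print("re-encoded copy:", compare(ORIGINAL, REENCODED))
```

The re-encoded grid fails the exact comparison and passes the similarity one at Hamming distance 2; the threshold is the policy knob, and a looser threshold trades missed copies for false positives, which is exactly why a similarity hit is corroboration for review and not a finding on its own.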
5. Corroborating artifacts: location, network and peripheral evidence
Beyond the images themselves, investigators rely on corroborating artifacts (EXIF GPS metadata embedded in photos and videos, Wi‑Fi and cell-tower logs, cloud-sync records and P2P client artifacts) to establish access, sharing and distribution patterns; products such as ArtifactIQ surface photo GPS and significant locations to reconstruct where images were taken or uploaded [3] [9]. Magnet's tooling and blogs emphasize triage workflows that combine operating-system artifacts, network evidence and hash matches to create a defensible investigative timeline [10] [2]. A GPS match against a frequented place corroborates but does not by itself prove who held the device: the coordinates say where the image was captured, and attribution still rests on the account, handle and device-unlock evidence collected alongside.
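Sections 3 and 5 both turn on reading GPS metadata out of a photo and comparing it with other known locations, so one added example (mine, not the page's or any vendor's) covers both: a minimal EXIF parser that walks IFD0 to the GPS IFD and converts degrees/minutes/seconds to decimal, followed by a haversine check against a constructed list of "significant locations". The Exif block is built inline with struct so the parser runs offline; the coordinates and place names are hypothetical.

```python
import math
import struct

GPS_IFD_TAG = 0x8825  # pointer from IFD0 to the GPS sub-IFD
TIFF_MAGIC = 42


def _read_ifd(buf: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", buf, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", buf, pos)
        entries[tag] = (typ, count, buf[pos + 8:pos + 12])
    return entries


def _ascii(buf: bytes, entry, endian: str) -> str:
    typ, count, raw = entry
    if count <= 4:                     # value fits in the entry itself
        data = raw[:count]
    else:                              # otherwise the field is an offset
        (off,) = struct.unpack(endian + "I", raw)
        data = buf[off:off + count]
    return data.rstrip(b"\x00").decode("ascii")


def _rationals(buf: bytes, entry, endian: str) -> list:
    typ, count, raw = entry
    (off,) = struct.unpack(endian + "I", raw)  # RATIONALs are 8 bytes each, never inline
    v = struct.unpack_from(endian + "II" * count, buf, off)
    return [v[i] / v[i + 1] for i in range(0, 2 * count, 2)]


def dms_to_decimal(dms, ref: str) -> float:
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def exif_gps(tiff: bytes):
    """(lat, lon) in decimal degrees from a TIFF/Exif block, or None if absent.
    For a JPEG, pass the APP1 payload after its 6-byte 'Exif\\0\\0' prefix: all
    offsets inside Exif are relative to the start of the TIFF header."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != TIFF_MAGIC:
        raise ValueError("not a TIFF/Exif header")
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if any(tag not in gps for tag in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
        return None
    lat = dms_to_decimal(_rationals(tiff, gps[2], endian), _ascii(tiff, gps[1], endian))
    lon = dms_to_decimal(_rationals(tiff, gps[4], endian), _ascii(tiff, gps[3], endian))
    return lat, lon


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(a))


# Constructed "significant locations" (hypothetical coordinates, not from any device).
SIGNIFICANT = {"home": (37.7747, -122.4195), "work": (37.3318, -122.0312)}


def nearby_places(lat: float, lon: float, places=SIGNIFICANT, radius_m: float = 250.0) -> list:
    return sorted(name for name, (plat, plon) in places.items()
                  if haversine_m(lat, lon, plat, plon) <= radius_m)


def build_sample_exif() -> bytes:
    """Constructed little-endian TIFF: header, IFD0 (one entry -> GPS IFD), GPS IFD with
    LatRef/Lat/LonRef/Lon, then the rational values. Offsets: header 0, IFD0 8,
    GPS IFD 26, latitude rationals 80, longitude rationals 104."""
    def rat(n, d):
        return struct.pack("<II", n, d)
    header = b"II" + struct.pack("<HI", TIFF_MAGIC, 8)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI", 1, 2, 2) + b"N\x00\x00\x00"     # GPSLatitudeRef, inline ASCII
           + struct.pack("<HHII", 2, 5, 3, 80)                      # GPSLatitude, 3 RATIONAL at 80
           + struct.pack("<HHI", 3, 2, 2) + b"W\x00\x00\x00"     # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104)                     # GPSLongitude, 3 RATIONAL at 104
           + struct.pack("<I", 0))
    lat = rat(37, 1) + rat(46, 1) + rat(2950, 100)    # 37 deg 46' 29.50" N
    lon = rat(122, 1) + rat(25, 1) + rat(1010, 100)   # 122 deg 25' 10.10" W
    return header + ifd0 + gps + lat + lon


if __name__ == "__main__":
    lat, lon = exif_gps(build_sample_exif())
    print(f"{lat:.6f}, {lon:.6f} -> {nearby_places(lat, lon)}")
```

The radius is an analyst's choice, not a property of the data: consumer GPS fixes are routinely tens of metres off, and a photo geotagged from a Wi‑Fi position rather than satellites can be off by far more, so the output is a candidate association for the timeline rather than a placement.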
6. Tools, procedures, and limits: forensic practice and vendor incentives
Standard procedure documents warn that mobile forensics requires careful preservation and that write-blocking is not generally feasible for live mobile devices, which affects how artifacts are collected and preserved [11]; meanwhile, commercial vendors explicitly promote kits (GrayKey with ArtifactIQ, Magnet Outrider) that accelerate extraction and flag CSAM-related artifacts, an implicit commercial incentive to highlight certain artifact classes [3] [10] [9]. Public documentation from Apple and independent analyses also show limits: on-device hash matching only flags known CSAM hashes and won't detect novel or previously unreported images, and platform-generated artifacts such as safety vouchers are subject to vendor-controlled thresholds and policies [4] [5] [6]. Because Apple never deployed the system, safety vouchers remain a documented design rather than an artifact an examiner should expect to find on a device.
Conclusions are necessarily bounded by the cited sources: forensic practice converges on a predictable set of indicators—thumbnails/caches, app SQLite DBs, filesystem metadata and hash-based matches—augmented today by platform-level CSAM matching artifacts and commercial triage tools that streamline discovery [1] [7] [4] [2]. Independent verification and careful chain-of-custody remain essential because tool outputs and vendor-promoted capabilities shape both investigations and public perception [11] [10].