Good afternoon from US east coast, I hope all are well. To give some context, I'm working on a CSE investigation revolving around Kik on an iPhone 12. I'm viewing a Graykey extraction via Axiom and in every source location for all the CSAM I've found is \private\var\mobile\Containers\Shared\AppGroup\. On the few files of CSAM that I can see that came from group chats, a random person shares CSAM and my suspect is there to see it since he's a part of the group. My suspect also appears to cease all communication with these people/groups when it happens as well. My question is, if every file is in Containers\Shared\AppGroup\, were they ever purposefully downloaded by my suspect to keep? I'm trying to figure out if I have a 19-year-old with real bad judgement or an actual pedophile.Â
I appreciate all answers and if any clarification is needed, let me know.Â