I am attempting to find where Instagram and Snapchat store/save direct messages (DMs) between two user profiles on an iOS device.
This is a case in which the owner of the phone has been accused of sexual misconduct. The accused claims there are direct messages on the phone (via Instagram and Snapchat) which are exculpatory and support the accused's claim that the encounter was consensual, planned and agreed to in advance, and that the complainant is retaliating against the accused for failing to follow through on business commitments between the two of them. I am conducting the examination to either support or discount the accused's claims regarding these messages (if possible).
I currently possess the phone in question that was the source device for the extraction/analysis. The particulars of the device/extraction/analysis to date:
Phone: Apple iPhone 6s/A1688 (CDMA/Verizon)
Operating System: iOS 10.0.1
Forensic Software/Hardware used: Cellebrite Physical Analyzer 6.4.6.2/Cellebrite UFED4PC 6.4.1.599
Extractions Performed: Advanced Logical (Method 1), Advanced Logical (Method 2) via Physical Analyzer; Logical, File System (Full), File System (Backup), File System (Data), SIM via UFED4PC.
I have performed analysis on the aforementioned extractions, to include the TarArchive(s) for each. I have looked at each extraction individually, as well as combining and deduplicating the extractions into 1 .ufedx project.
To date, I have run Google searches as well as searched through the forums here and on other sites such as Smarter Forensics, Cheeky4n6Monkey, Another Forensics Blog, and Forensics Wiki. The closest I came to something similar was a post on Forensic Focus from 2016 about having located Instagram DMs, but they were in a JSON format. The question was more directed toward how to decode these messages rather than where or how they were found on the device.
I would appreciate any help in pointing me in the right direction to look for where these files might be located or the best method for locating and identifying them. It is my intent to export the relevant databases and perform additional examinations (if possible) using Sanderson Forensic Browser for SQLite and/or SQLite Recovery Forensic tools.
Thank you very much in advance for your consideration!