UpScrolled Forensic Artifacts on iOS

Introduction

UpScrolled is an emerging social media platform that continues to gain rapid adoption. As with any social media application, it presents potential evidentiary value in digital forensic investigations. This research documents the identification and structure of UpScrolled chat artifacts recovered from an iOS device using an iTunes-style logical backup extraction.

Application Data

Application artifacts were successfully recovered via a standard iTunes backup extraction. A preliminary review of the extracted data revealed that UpScrolled application data can be found in the following path within the iOS filesystem:

/private/var/mobile/Containers/Data/Application/{UUID}

Within this location, user-generated content and application data were stored in the Documents directory:

/private/var/mobile/Containers/Data/Application/{UUID}/Documents

Chat Database

UpScrolled stores chat data in a SQLite database named using the format: db_{UserID}.sqlite

This naming convention indicates chat data is segregated by user account. Such a design enables multiple accounts to coexist on the same device without data commingling, while also providing a direct mapping between database files and specific user identities.

All tables within the database were accessible using standard SQLite forensic tools and could be parsed without encryption or obfuscation.

Figure 1. SQLite database schema overview

Database Structure and Forensic Significance

Several tables within the database contained artifacts of high evidentiary value, particularly those associated with user identity, message content, communication timelines, and user interaction states.

connection_events Table

The connection_events table contains metadata associated with the authenticated user. Of particular forensic value is the own_user column, which stores a BLOB object containing:

  • User ID

  • Account name

  • Username

  • Visibility status

  • Number of unread messages

  • Active status

  • Verification status

members Table

The members table identifies all participants associated with chat channels, including the local user account. The extra_data column contains structured metadata describing each participant’s role within the conversation (Figure 2). This table is useful for reconstructing communication relationships and identifying involved parties. 

Figure 2. Members table showing channel participants and metadata

messages Table

The messages table is the primary source of evidentiary communication content. It contains both message bodies and associated metadata required to reconstruct conversations.

Relevant columns include:

  • message_text
    Contains the plaintext content of chat messages.

    Figure 3. Message content stored in message_text column

  • local_created_at
    Records the timestamp when a message was created by the local device user.

  • remote_created_at
    Records the timestamp associated with message creation across all participants. This field provides a consistent timeline of communication regardless of sender.

  • user_id
    Identifies the sender of the message.

  • channel_cid
    Represents the unique identifier of a chat channel. 

  • extra_data
    Contains a BLOB object storing metadata related to the message and channel. This field includes important forensic indicators such as:

    • is_invitation: Indicates the message represents the initial chat invitation

    • is_invitation_acceptance: Indicates acceptance of the chat invitation

    Figure 4. extra_data column showing invitation indicator
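
The columns described above are enough to rebuild a per-channel timeline. The sketch below is an added example, not part of the original research or the application's code. It assumes extra_data decodes as UTF-8 JSON and that the timestamp columns sort chronologically as stored; neither is stated above, so verify both against the evidence. The helper names and all sample rows are constructed.

```python
import json
import sqlite3

def open_readonly(path):
    """Open a working copy of db_{UserID}.sqlite so SQLite cannot write to it."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)

def decode_extra(blob):
    """Decode extra_data as UTF-8 JSON (assumed encoding); {} if it is not."""
    if blob is None:
        return {}
    try:
        text = blob.decode("utf-8") if isinstance(blob, bytes) else blob
        data = json.loads(text)
    except (ValueError, TypeError):  # bad UTF-8, bad JSON, or unexpected type
        return {}
    return data if isinstance(data, dict) else {}

def channel_timeline(conn, channel_cid):
    """Messages of one channel, ordered by remote_created_at (local as fallback)."""
    rows = conn.execute(
        "SELECT user_id, message_text, extra_data, "
        "COALESCE(remote_created_at, local_created_at) AS ts "
        "FROM messages WHERE channel_cid = ? ORDER BY ts",
        (channel_cid,),
    )
    timeline = []
    for user_id, text, extra, ts in rows:
        meta = decode_extra(extra)
        if meta.get("is_invitation"):
            kind = "invitation"
        elif meta.get("is_invitation_acceptance"):
            kind = "acceptance"
        else:
            kind = "message"
        timeline.append({"ts": ts, "user_id": user_id, "kind": kind, "text": text})
    return timeline

def make_sample_db():
    """Constructed sample: documented column names, invented values and types."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (message_text, local_created_at, "
                 "remote_created_at, user_id, channel_cid, extra_data)")
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?)", [
        ("ok, joined", None, 1700000060, "user-b", "chan-1", b'{"is_invitation_acceptance": true}'),
        ("want to chat?", 1700000000, 1700000005, "user-a", "chan-1", b'{"is_invitation": true}'),
        ("unsent draft", 1700000090, None, "user-a", "chan-1", b"\xff\xfe"),
        ("other channel", 1700000010, 1700000010, "user-c", "chan-2", None),
    ])
    return conn
```

For a real case, pass a working copy of the extracted database to open_readonly and call channel_timeline with a channel_cid value taken from the messages table.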

reads Table

The reads table contains read-receipt artifacts for each participant. Specifically, it records:

  • The user ID of the participant

  • The last message ID viewed

  • The timestamp associated with the read event

users Table

The users table contains identity and account metadata for all users associated with chat channels, including the local user. One of the most significant forensic artifacts in this table is the created_at column, which records the timestamp when the account was created. 

Conclusion

UpScrolled chat artifacts can be successfully recovered from iOS devices through logical extraction methods such as iTunes backups or other forensic tools with equivalent capabilities. These artifacts are stored in user-specific SQLite database files that can be examined using standard database forensic tools without requiring specialized decoding.

Analysis of these databases provides direct access to message content, participant identifiers, channel associations, and detailed timestamp information. Additionally, supporting tables contain account metadata, communication relationships, and read-receipt activity. These findings demonstrate that UpScrolled chat data can be reliably acquired and analyzed using standard mobile forensic methodologies.