The Apple Address Book is the central address book in Mac OS X. In addition to containing user entered names and addresses, it also contains an entry for the computer's owner that is created when the user registers the machine the first time after installation. Even if entries are deleted from the address book, they are still stored indefinitely in the Address Book cache file. By exploring this file an investigator may find useful information related to the suspect or their acquaintances.
You can use MacForensicsLab's Analyze function to explore the contents of the folder:
~/Users/"USERNAME"/Library/Caches/com.apple.AddressBook/MetaData
This folder contains cached addressbook cards, including ones that have been deleted (OS X 10.4 and above). Modification dates of the vCards and creation dates are present in these files too. You can find more information about the data contained in the Address Book file in this article and its connection to the Spotlight function inside Mac OS X 10.4 here. OS X 10.3 handles this a bit differently, keeping what seems to be most of its data in the actual addressbok.data file. If doing forensic discovery on an older operating system look inside the addressbook.data file first.
MacForensicsLab's Audit function will automatically pull the Address Book information from the Address Book cache file and display it for you in an easy to read format. This will show both present and deleted Address Book entries.
