Summing it all up

There is surprisingly little in the way of Snapchat artifacts on an iOS device. About all you are going to get is user id’s and some hints at activity. As I mentioned, the method of imaging the device has something to do with this. I was not working with jailbroken device or doing a chip off. Perhaps examining images of either of those would have yielded further artifacts.

An Android device retains quite a bit more forensically interesting Snapchat artifacts.

Just because an application is known not to store information about its usage, does not mean that there are not artifacts left behind that by themselves, or combined with other evidence, like cellular tower records, that can be pieced together to potentially show user activity. In this case, just because we do not have the offending snap(s) available, we might just have enough to tie the user to an active account, usage of that account on a device, identify last login time, and tie activity to timeframes on specific networks. It all comes down to being able to “tell the story.”

I limited the activity I tested. Had I done more there would probably be artifacts that I have not discussed here. As always, I recommend you do your own testing and research.