
Snapchat Investigation — Recover Snaps, Stories & My Eyes Only
Snapchat markets ephemerality, but the forensic reality is more generous. Cached media, the arroyo.db chat store, the Memories cache and the My Eyes Only encrypted vault all leave recoverable traces.
What Snapchat Actually Keeps After 'Disappearing'
Snapchat's marketing rests on a useful half-truth: snaps disappear. The platform-side reality is that Snap Inc. retains delivery metadata for 30+ days regardless of whether the message was opened, retains unopened snaps for 30 days, and retains story content for 24 hours after expiry plus a sliding window in 'Memories'. The device-side reality is more generous still: Snapchat caches sent and received media in plaintext on the local filesystem precisely because it has to render it instantly, and that cache is rarely scrubbed.
The arroyo.db SQLite database (Android) and SCDBConversations (iOS) hold the chat history surface. Even when 'Clear Conversation' has been used, the underlying SQLite file frequently retains the records in its WAL and freelist for weeks. The same database stores message-receipt metadata: sent/delivered/opened/screenshot timestamps for every interaction, all of which carry evidentiary weight.
The Memories feature was introduced in 2016 and has quietly become the most consequential forensic surface in any Snapchat investigation. Memories explicitly opts the user into long-term cloud storage of selected snaps. Inside Memories sits My Eyes Only (MEO) — a PIN-protected sub-vault. Many cheating partners use MEO as their primary store of intimate media, believing the PIN to be unbreakable. It is not: with the device passcode and a forensic image, MEO is decryptable in well under an hour.
Finally, every snap that the partner saves to their own camera roll — whether of themselves or received from another user — leaves a normal JPEG/MP4 file in the device's Photos app, often with intact EXIF. We routinely surface conclusive evidence purely from the camera roll without ever touching the Snapchat databases.
Snapchat Forensic Methodology
A Snapchat investigation has three discrete tracks: device-side acquisition, cloud-side preservation, and platform-side legal process. The most common engagement uses tracks one and two; track three is reserved for cases that escalate to formal litigation.
Device-side acquisition follows our standard mobile forensics pipeline (see Phone Forensics for Infidelity Cases). Once the filesystem image is mounted, the Snapchat-specific extraction begins. On iOS the relevant container lives at /private/var/mobile/Containers/Data/Application/<UUID>/ for Snapchat's bundle ID. On Android it lives at /data/data/com.snapchat.android/. Both contain a databases/ folder, a cache/ folder, and a files/ folder. All three matter.
The arroyo.db (or its iOS equivalent) is parsed with sqlite-utils plus a custom decoder for the binary blob columns. We then carve the WAL and freelist for deleted entries. Cache directories are walked with file-type magic, not extensions, because Snapchat strips extensions on cached media to prevent the OS from indexing them. ffprobe identifies videos; ImageMagick identifies images.
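The WAL persistence noted under 'What Snapchat Actually Keeps' and the freelist/WAL carve step above can be reproduced in a few lines of Python. This is an added example, not code from the page or the mhf-sqlite-carve.py tool it mentions: it builds a constructed WAL-mode chat store with an assumed table name (not Snapchat's schema), deletes its only message the way a 'Clear Conversation' logically would, scans the raw main file and -wal file for the message text, and then shows that only a TRUNCATE checkpoint actually empties the WAL.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List

def find_residue(raw: bytes, needle: bytes) -> List[int]:
    """Return every byte offset at which `needle` occurs in `raw`."""
    hits, pos = [], raw.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(needle, pos + 1)
    return hits

def read_or_empty(path: str) -> bytes:
    """Raw bytes of a file, or b'' if SQLite has not created it (yet/anymore)."""
    if not os.path.exists(path):
        return b""
    with open(path, "rb") as fh:
        return fh.read()

def demo_deleted_row_residue() -> Dict[str, object]:
    """Constructed scenario (assumed schema, not Snapchat's): insert one
    message into a WAL-mode store, delete it, then scan the raw files."""
    workdir = tempfile.mkdtemp(prefix="walres_")
    db = os.path.join(workdir, "chat.db")
    marker = b"CONSTRUCTED_DELETED_MESSAGE_7f3a"   # constructed sample body
    conn = sqlite3.connect(db)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")    # keep every frame until we checkpoint
    conn.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO message(body) VALUES (?)", (marker.decode(),))
    conn.commit()
    conn.execute("DELETE FROM message")            # the logical effect of 'Clear Conversation'
    conn.commit()
    live = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    # Scan while the connection is open: closing the last connection checkpoints
    # and removes the -wal file, which is exactly the window an examiner races.
    main_hits = find_residue(read_or_empty(db), marker)
    wal_hits = find_residue(read_or_empty(db + "-wal"), marker)
    # The hygiene step an app would need: push the WAL into the main file and
    # truncate it. The older frame that still held the row is gone after this.
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    wal_after = find_residue(read_or_empty(db + "-wal"), marker)
    conn.close()
    return {"live_rows": live, "main_hits": main_hits,
            "wal_hits": wal_hits, "wal_hits_after_checkpoint": wal_after}

if __name__ == "__main__":
    print(demo_deleted_row_residue())
```

The row is reported as gone by SQL while its bytes are still present in an earlier WAL frame, which is the residue a carver recovers; whether the main file also keeps it depends on the build's secure_delete setting, so the example does not assert on that.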
My Eyes Only decryption is handled separately. The MEO vault uses a key derived from the user's PIN via PBKDF2, with a salt stored in the same database. With the PIN known (volunteered by the device owner, or recovered via a brute-force on the device passcode hash) the vault decrypts in seconds. Without the PIN, decryption is computationally infeasible — but the metadata around the vault (file sizes, timestamps, counts) remains visible and is itself evidentiary.
Cloud-side preservation runs in parallel where the client controls the account. Snapchat's 'My Data' export is a self-service download from accounts.snapchat.com that includes account history, login IPs, friend list changes, support requests, snap and chat history metadata, and — crucially — the full Memories archive in original quality. We trigger this download at the start of every engagement to lock in the cloud state before any subsequent activity perturbs it.
# Locate Snapchat container on iOS image
$ find ./case-image -path '*com.toyopagroup.picaboo*' -type d
# Parse arroyo.db (Android) — chat metadata + receipts
# (work on a copy pulled from the image's databases/ folder, together with its -wal and -shm files, never on the live path)
$ sqlite-utils tables arroyo.db
$ sqlite-utils rows arroyo.db conversation_message > snap_messages.json   # JSON is the default output; there is no --json flag
# Carve deleted chat rows from freelist
$ python3 mhf-sqlite-carve.py --db arroyo.db --table conversation_message
# Walk the cache directory by magic, not extension
$ find ./snap_cache -type f -exec file {} \; | grep -E 'JPEG|MP4|PNG' \
> recoverable_media.txt
# Decrypt My Eyes Only with known PIN
$ python3 mhf-meo-decrypt.py --vault meo.db --pin 4729 --out ./meo_plaintext/
# Trigger client-controlled cloud preservation
$ open https://accounts.snapchat.com/accounts/downloadmydata
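A Python equivalent of the find/file one-liner above, added here as an example rather than taken from the page: it walks a directory, classifies each file by its leading bytes (JPEG, PNG, WebP, and the ISO base-media 'ftyp' box for MP4/MOV) and ignores file names entirely, so extensionless or misnamed cache entries are still found. The fixture directory and its file names are constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

def sniff_type(header: bytes) -> Optional[str]:
    """Classify a file from its first 12 bytes; None when it is not media."""
    if header.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if header.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if header[4:8] == b"ftyp":          # ISO base-media box: MP4/MOV family
        return "mp4"
    if header[:4] == b"RIFF" and header[8:12] == b"WEBP":
        return "webp"
    return None

def walk_cache_by_magic(root: str) -> Dict[str, str]:
    """Map relative path -> media type for every file whose header matches."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    header = fh.read(12)    # only the header is read, never the whole file
            except OSError:
                continue                    # unreadable entry: skip, do not abort the walk
            kind = sniff_type(header)
            if kind:
                found[str(path.relative_to(root))] = kind
    return found

def build_sample_cache() -> str:
    """Constructed fixture: extensionless and misnamed files, as a stripped cache looks."""
    root = tempfile.mkdtemp(prefix="snap_cache_")
    samples = {
        "a1b2c3":     b"\xff\xd8\xff\xe0" + b"\x00" * 32,              # JPEG, no extension
        "media/9f8e": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32,       # MP4, no extension
        "thumb.tmp":  b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,             # PNG behind a .tmp name
        "index.dat":  b"not media at all",                             # non-media control
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    print(walk_cache_by_magic(build_sample_cache()))
```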
What Snap Inc. Will Release — and to Whom
Snap Inc.'s Law Enforcement Operations Guide is published and explicit. The company retains, and will release on appropriate legal process, the following: account creation IP and timestamp, login history with IPs for the past 30 days, the friend list, basic account information (username, email, phone, linked accounts), and — critically — the metadata of every snap and chat for at least 30 days regardless of whether they were opened. Content (the actual media) is normally only retained for unopened snaps and is purged on opening or after 30 days.
For civil infidelity cases, this matters in two ways. First, the friend list and login-IP history are obtainable via subpoena in most jurisdictions and frequently establish the existence of a parallel relationship even without content. Second, where the case escalates to allegations of harassment or coercion, the metadata trail is sufficient to demonstrate pattern-of-contact even after the content has expired.
We do not file legal process directly — that is the client's attorney's role — but we routinely package the technical request that accompanies a subpoena, ensuring the right data fields are requested in the right format. Sloppy subpoenas come back with metadata fields missing or in formats that cannot be parsed; precise ones come back with a complete picture.
Hands-On Tutorial: Triage Snapchat Without Destroying Evidence
If you have legal access to the device and want a first-pass look before engaging a forensic lab, follow this sequence. The single most destructive thing you can do is open the Snapchat app on the live device — every launch overwrites cache slots and may transmit a 'screenshot' notification to the sender if you capture chats normally.
- Put the device in airplane mode before doing anything else
- Take an encrypted iTunes/Finder backup (iOS) or full ADB backup (Android)
- If you control the linked email/phone, request 'My Data' from accounts.snapchat.com
- Check the device camera roll for saved snaps — albums often hide them under 'Snapchat'
- Check Files → On My iPhone → Snapchat for any saved exports
- Check the Hidden album in Photos for intimate media saved out of MEO
- Hand the encrypted backup and the 'My Data' archive to a forensic lab — do not open the app again
# After encrypted backup is decrypted (see Phone Forensics page)
$ find ./decrypted -path '*Snapchat*' -type d
# Recover saved snaps from the camera roll, bypassing the app entirely
$ find ./decrypted -path '*PhotoData*' -name '*.JPG' \
-exec exiftool -SourceFile -DateTimeOriginal -GPSPosition {} \;
# Parse the My Data archive (zip)
$ unzip mydata~XXXX.zip -d ./snap_mydata/
$ jq '.["Login History"]' ./snap_mydata/json/login_history.json
$ jq '.["Friends"]' ./snap_mydata/json/friends.json
Honest Limitations of Snapchat Forensics
We are explicit with clients about what Snapchat will and will not give up. Opened snaps, on the platform side, are gone — Snap Inc. does not retain them once opened, and no legal process will recover them. On the device side, the cached media may survive for days to weeks after opening but is not guaranteed.
End-to-end encrypted features — including some newer Snapchat-AI conversations — leave less on Snap's servers than legacy chats. Where E2EE is in play, the device-side acquisition becomes the only recovery path.
Vault PINs we cannot guess we cannot break in any reasonable timeframe. The MEO vault uses key-derivation parameters that make brute-force impractical without the PIN. We are honest with clients about this rather than over-promising.
Finally, a partner who suspects investigation and performs a factory reset followed by 24 hours of normal use on the new install destroys most device-side evidence. The cloud-side My Data archive, if obtained before the reset, remains intact — which is why we trigger that download as the very first action in every engagement where the client controls the account.