Notes Database (NoteStore.sqlite)
Location
private/var/mobile/Library/Notes/NoteStore.sqlite
Description
SQLite database storing all Apple Notes content including note text (in compressed protobuf format), creation and modification timestamps, folder organization, checklist items, embedded images and attachments, and iCloud sync status. Locked notes are encrypted with a separate key derived from the user passcode or password.
Forensic Value
Notes frequently contain investigatively significant content such as passwords, account credentials, plans, to-do lists, financial information, and personal communications that users record for their own reference. The compressed protobuf note body format preserves full rich text content including tables and checklists. Deleted notes remain in the Recently Deleted folder for 30 days and may persist in database free pages beyond that period. Modification timestamps on notes reveal when information was recorded or updated. Notes synced via iCloud may be recoverable from cloud backups even if deleted from the device.
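A sketch of decoding note bodies and modification timestamps from an extracted copy of the database, added here as an example and not taken from iLEAPP, MEAT or any other tool named on this page. It assumes details this page does not state: that the body is gzip-compressed, that the text sits at protobuf field path 2 → 3 → 2, that the table and column names used in the query (which vary by iOS version) match the extraction, and that timestamps are Core Data seconds since 2001-01-01 UTC.

```python
import gzip
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Core Data epoch
SAMPLE = gzip.compress(b"\x12\x0a\x1a\x08\x12\x06pier 4")  # constructed sample body

def read_varint(buf, pos):
    """Decode one protobuf varint, returning (value, next_pos)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1  # IndexError here means a truncated blob
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7

def fields(buf):
    """Yield (field_number, payload) for length-delimited fields, skipping others."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        wire = key & 7
        if wire == 0:
            _, pos = read_varint(buf, pos)
        elif wire in (1, 5):
            pos += 8 if wire == 1 else 4
        elif wire == 2:
            size, pos = read_varint(buf, pos)
            yield key >> 3, buf[pos:pos + size]
            pos += size
        else:
            raise ValueError(f"unsupported wire type {wire}")

def note_text(zdata, path=(2, 3, 2)):
    """Return the plain text of a note body, or None if it is not readable."""
    if not zdata or zdata[:2] != b"\x1f\x8b":  # no gzip magic, e.g. a locked note
        return None
    msg = gzip.decompress(zdata)
    for wanted in path:  # assumed nesting: document -> note -> text
        msg = next((p for num, p in fields(msg) if num == wanted), None)
        if msg is None:
            return None
    return msg.decode("utf-8", errors="replace")

def list_notes(conn):
    """Return (title, modified_utc, text) rows; table/column names are assumptions."""
    sql = ("SELECT o.ZTITLE1, o.ZMODIFICATIONDATE1, d.ZDATA FROM ZICNOTEDATA d "
           "JOIN ZICCLOUDSYNCINGOBJECT o ON o.Z_PK = d.ZNOTE ORDER BY o.Z_PK")
    return [(t, None if m is None else COCOA_EPOCH + timedelta(seconds=m), note_text(z))
            for t, m, z in conn.execute(sql)]
```

Run it against a working copy of the database opened read-only, for example `sqlite3.connect("file:NoteStore.sqlite?mode=ro", uri=True)`. A `None` text value marks a body that did not decompress or did not match the assumed layout, which is what an encrypted locked note looks like to this code.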
Tools Required
Collection Commands
idevicebackup2
idevicebackup2 backup --full /forensics/ios_backup/
iLEAPP
python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/
MEAT
python3 meat.py -i -o /forensics/output/ -t backup
Collection Constraints
- Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
- Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.