Notes Database (NoteStore.sqlite)

iosUser ActivityDevice ExtractionCloud Admin Portal

Location

private/var/mobile/Library/Notes/NoteStore.sqlite

Description

SQLite database storing all Apple Notes content including note text (in compressed protobuf format), creation and modification timestamps, folder organization, checklist items, embedded images and attachments, and iCloud sync status. Locked notes are encrypted with a separate key derived from the user passcode or password.

Forensic Value

Notes frequently contain investigatively significant content such as passwords, account credentials, plans, to-do lists, financial information, and personal communications that users record for their own reference. The compressed protobuf note body format preserves full rich text content including tables and checklists. Deleted notes remain in the Recently Deleted folder for 30 days and may persist in database free pages beyond that period. Modification timestamps on notes reveal when information was recorded or updated. Notes synced via iCloud may be recoverable from cloud backups even if deleted from the device.

Tools Required

iLEAPPCellebrite UFEDMagnet AXIOMBelkasoftDB Browser for SQLite

Acquisition Methods

checkm8 Physical Extraction (A5–A11)

ios — physical

iTunes/Finder Backup Acquisition

ios — logical

AFC (Apple File Conduit) Extraction

ios — logical

checkm8 Filesystem Extraction

ios — logical

iCloud Backup Acquisition

ios — cloud