Notification Center Database

macosUser ActivityDisk Image

Location

~/Library/Group Containers/group.com.apple.usernoted/ (db2/)

Description

SQLite database storing all user notifications delivered by macOS Notification Center. Contains the notification title, subtitle, body text, delivering application bundle identifier, delivery timestamp, and whether the user interacted with the notification.

Forensic Value

The Notification Center database captures notification content that may reveal security-relevant events such as AirDrop file transfer requests, VPN connection notifications, email arrival summaries, and application permission requests. Notifications from security tools about detected threats are preserved. The timing of specific notifications can corroborate other timeline events. In social engineering investigations, notification content can reveal whether a user was prompted to take an action. This artifact provides context about what the user was presented with on screen at specific times.

Tools Required

DB Browser for SQLitemac_aptAPOLLO (mac4n6)Crowdstrike UAC

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical