Notification Center Database

macOS, User Activity, Disk Image

Location

~/Library/Group Containers/group.com.apple.usernoted/ (db2/)

Description

SQLite database storing all user notifications delivered by macOS Notification Center. Contains the notification title, subtitle, body text, delivering application bundle identifier, delivery timestamp, and whether the user interacted with the notification.

Forensic Value

The Notification Center database captures notification content that may reveal security-relevant events such as AirDrop file transfer requests, VPN connection notifications, email arrival summaries, and application permission requests. Notifications from security tools about detected threats are preserved. The timing of specific notifications can corroborate other timeline events. In social engineering investigations, notification content can reveal whether a user was prompted to take an action. This artifact provides context about what the user was presented with on screen at specific times.

Tools Required

DB Browser for SQLite, mac_apt, APOLLO (mac4n6), Crowdstrike UAC

Collection Commands

sqlite3

# title/subtitle/body are not columns of record: they sit inside the binary plist stored in record.data,
# and record.app_id is a foreign key into app. List the delivery time, bundle identifier, presented flag
# and the raw blob (hex), then decode the blob with a plist parser.
sqlite3 ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db "SELECT datetime(r.delivered_date + 978307200, 'unixepoch') AS date, a.identifier AS app_id, r.presented, hex(r.data) AS data_bplist FROM record r LEFT JOIN app a ON a.app_id = r.app_id ORDER BY r.delivered_date DESC LIMIT 200"

cp

cp ~/Library/Group\ Containers/group.com.apple.usernoted/db2/db /forensics/notification_center.db

mac_apt

python mac_apt.py -i /path/to/image -o /forensics/output NOTIFICATIONS
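The query above only gets you as far as the raw plist blob; the added example below (not part of this page's tooling or of mac_apt) decodes it with the standard library. It assumes the db2 layout described on this page: a record table joined to app on app_id, Cocoa timestamps in delivered_date, and the title, subtitle and body stored under the req dictionary of the binary plist in record.data as the keys titl, subt and body. The database it runs against is constructed in memory so it works offline.

```python
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

# record.delivered_date is a Cocoa timestamp: float seconds since 2001-01-01 UTC
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds):
    """Cocoa seconds -> ISO 8601 UTC; None stays None (row never delivered)."""
    return None if seconds is None else (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def parse_notifications(conn):
    """Join record -> app and unpack the bplist in record.data (assumed layout:
    title/subtitle/body live under its 'req' dict as 'titl'/'subt'/'body')."""
    sql = ("SELECT r.rec_id, a.identifier, r.delivered_date, r.presented, r.data "
           "FROM record r LEFT JOIN app a ON a.app_id = r.app_id "
           "ORDER BY r.delivered_date DESC")
    out = []
    for rec_id, bundle_id, delivered, presented, blob in conn.execute(sql):
        req = {}
        try:
            if blob:
                req = plistlib.loads(blob).get("req") or {}
        except (plistlib.InvalidFileException, ValueError):
            pass  # truncated/corrupt blob: keep the row and timestamp, lose the text
        out.append({"rec_id": rec_id, "app": bundle_id, "presented": bool(presented),
                    "delivered": cocoa_to_iso(delivered), "title": req.get("titl"),
                    "subtitle": req.get("subt"), "body": req.get("body")})
    return out


def build_sample_db():
    """Constructed in-memory stand-in for db2/db with the app and record tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app (app_id INTEGER PRIMARY KEY, identifier VARCHAR, badge INTEGER);
        CREATE TABLE record (rec_id INTEGER PRIMARY KEY, app_id INTEGER, uuid BLOB, data BLOB,
            request_date REAL, request_last_date REAL, delivered_date REAL, presented BOOL,
            style INTEGER, snooze_fire_date REAL);
        INSERT INTO app VALUES (1, 'com.apple.sharingd', 0);""")
    airdrop = plistlib.dumps({"req": {"titl": "AirDrop", "subt": "Sample MacBook",
                                      "body": "wants to share a file"}}, fmt=plistlib.FMT_BINARY)
    ins = "INSERT INTO record (rec_id, app_id, data, delivered_date, presented) VALUES (?,?,?,?,?)"
    conn.execute(ins, (1, 1, airdrop, 725893500.0, 1))                # delivered and shown on screen
    conn.execute(ins, (2, 1, b"bplist00-truncated", 725893560.0, 0))  # corrupt blob, never presented
    return conn
```

Point parse_notifications at sqlite3.connect() on a copied db2/db file to run it against real data; rows whose blob fails to decode still keep their timestamp and bundle identifier for timeline work.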

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

T1005, T1204, T1204.002, T1566.001