Investigating Apple Notes
19/04/2024 Friday
Apple Notes is a note-taking application developed by Apple. The application is available in different Apple Operation Systems such as iOS, macOS, and iPadOS. Apple Note allows users to create short notes and it provides syncing of notes throughout different devices.
Digital Forensics Value of Apple Notes
Apple Notes artifacts can have a significant value in investigations when Apple devices are involved. The artifact can be very useful since it contains notes that had been written by the user in plain text. Moreover, the Apple Notes artifact contains timestamped records of user notes which can help create a timeline of events.
Location of Apple Notes Artifacts
Apple Notes artifacts can be found at the following location on iOS devices:
/private/var/mobile/Containers/Shared/AppGroup/B12*****4F8D3/NoteStore.sqlite
Analyzing Apple Notes Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Apple Notes artifact from iOS devices' files and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Apple Notes artifact parsers:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Apple Notes artifact in ArtiFast.
Apple Notes
- Time: The last modification date and time.
- Snippet: The bundle ID.
- Created Date/Time: The creation date and time.
- Title: The note’s title.
- Account Name: The account name.
- Note ID: The note ID.
- Password Hint: The note password hint.
- Folder Name: The folder name.
- Text Content: The note text content.
- Encrypted: Indicate whether the note was encrypted or not.
- Embedded Object(s): The embedded object(s).
- Note UUID: Note UUID.
- Account ID: Account ID.
For more information or suggestions please contact: [email protected]
