iOS User Notification Events are used to record alerts that are
delivered to the user by system and third-party applications. In this
artifact, the application that generated the notification, its title and
body text, the notification category (e.g., message, reminder, system
alert), and timestamps for when it was created, displayed, or dismissed
are typically logged, and the user’s interaction (such as the
notification being used to open the app or being cleared) may also be
recorded. Because these records show when and how notifications were
presented on the device, they can be used to reconstruct user activity,
application usage patterns, and the approximate level of device
awareness at specific points in time.
The digital forensics value of iOS User Notification Events is derived
from the detailed record of how and when alerts are presented to the
user on the device. Timestamps, app identifiers, notification titles and
bodies, and interaction flags (e.g., opened, dismissed, or cleared) are
used to show what information was made visible to the user at a given
time and how it was acted upon.
When these records are correlated with app usage logs, messages, or
location data, an activity timeline can be confirmed or challenged, user
awareness of specific events (such as warnings, messages, or system
prompts) can be demonstrated, and a device may be associated with a
particular Apple ID, app ecosystem, or communication pattern.
User notification events are stored by the Duet Expert Center service in
SEGB stream files located at:
/private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local/<stream_id>/
In this path, <stream_id> is used as a device-specific numeric identifier. Inside each <stream_id> directory, one or more SEGB segment files are maintained (typically around 8 MB in size). Each file name is a 15-digit number that corresponds to a modified Apple Cocoa timestamp, which represents the creation time of that segment file.
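The following added example, which is not part of the original article or of ArtiFast, lists the segment files under the path above in an extracted file system and decodes each 15-digit file name to a UTC creation time. It assumes the "modified" Cocoa timestamp is a count of microseconds since 2001-01-01 UTC; the stream ID and file names in the sample tree are constructed, and the function names are hypothetical.

```python
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Path from the article, relative to the root of an extracted file system.
STREAM_ROOT = Path("private/var/mobile/Library/DuetExpertCenter/streams/"
                   "userNotificationEvents/local")
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
SEGMENT_NAME = re.compile(r"\d{15}")


def segment_created(name):
    """Decode a 15-digit segment file name to a UTC datetime.

    Assumption: the value is microseconds since the Cocoa epoch."""
    if not SEGMENT_NAME.fullmatch(name):
        raise ValueError(f"not a 15-digit segment name: {name!r}")
    return COCOA_EPOCH + timedelta(microseconds=int(name))


def list_segments(extraction_root):
    """Return (stream_id, file name, created UTC, size) rows, oldest first."""
    found = []
    base = Path(extraction_root) / STREAM_ROOT
    if not base.is_dir():
        return found  # artifact absent from this extraction
    for path in base.glob("*/*"):
        # Skip anything that does not follow the 15-digit naming scheme.
        if path.is_file() and SEGMENT_NAME.fullmatch(path.name):
            found.append((path.parent.name, path.name,
                          segment_created(path.name), path.stat().st_size))
    return sorted(found, key=lambda row: row[2])


def build_sample_tree(root):
    """Constructed sample layout; the stream ID and file names are made up."""
    stream = Path(root) / STREAM_ROOT / "501"
    stream.mkdir(parents=True)
    for name in ("700000000000000", "694224000000000", "not_a_segment"):
        (stream / name).write_bytes(b"\x00" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for stream_id, name, created, size in list_segments(tmp):
            print(stream_id, name, created.isoformat(), size)
```

Comparing the decoded name with the file system timestamps of the same segment is a quick consistency check before relying on either value in a timeline.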
This section will discuss how to use ArtiFast to extract iOS User
Notification Events artifacts from iOS devices’ files and what kind of
digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the
investigation, at the Artifact Selection phase, you can select iOS User
Notification Events artifact parsers:
Once the ArtiFast parser plugins finish processing the artifact, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iOS User Notification Events artifacts in ArtiFast.
iOS User Notification Events
For more information or suggestions please contact: ali.torabkhani@forensafe.com