Notes - macOS Forensic Artifacts

Overview

Apple Notes stores all data in a SQLite database (NoteStore.sqlite) using a Core Data schema. Note content is stored as gzip-compressed protobuf blobs within the database, with attachments stored as separate files in a Media directory. Notes can contain rich text, checklists, tables, drawings, scanned documents, embedded maps, and links. The database tracks note creation, modification, folder organisation, account association, and collaboration state.

Forensic Significance

Evidence Type	Forensic Value
Note content	User-created text, thoughts, plans, passwords, sensitive information
Creation/modification timestamps	Timeline of note activity
Folder organisation	How the user categorises their notes
Attachments	Embedded images, PDFs, scanned documents
Tables	Structured data within notes
Deleted notes	Recently deleted content (30-day retention)
Collaboration	Shared notes and participant information
Account association	iCloud, Gmail, Exchange, or local account
Geolocation	Location data from embedded maps or scanned documents
OCR text	Scanned document text (Live Text, macOS 12+)

File Locations

Artifact	Path	Format
Notes database	`~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite`	SQLite (Core Data)
WAL file	`~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal`	SQLite WAL
Attachments	`~/Library/Group Containers/group.com.apple.notes/Media/`	Various files
Fallback images	`~/Library/Group Containers/group.com.apple.notes/FallbackImages/`	PNG/JPEG
Legacy Notes (pre-El Capitan)	`~/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV*.storedata`	SQLite

Database Schema

ZICCLOUDSYNCINGOBJECT (Primary content table)

This is the main table containing notes, folders, and attachments in the Core Data store.

Column	Type	Description
`Z_PK`	INTEGER	Primary key
`Z_ENT`	INTEGER	Entity type
`ZTITLE1`	TEXT	Note title (first line of content)
`ZSNIPPET`	TEXT	Content preview snippet
`ZCREATIONDATE1`	REAL	Creation timestamp (Core Data)
`ZMODIFICATIONDATE1`	REAL	Last modification timestamp
`ZDATA`	BLOB	Gzip-compressed protobuf note body
`ZFOLDER`	INTEGER	FK to folder
`ZACCOUNT2` / `ZACCOUNT3`	INTEGER	FK to account
`ZISPASSWORDPROTECTED`	INTEGER	Whether note is locked with a password
`ZMARKEDFORDELETION`	INTEGER	Soft-delete flag

ZICCLOUDSYNCINGOBJECT (Folders)

Folders share the same table but with different Z_ENT values:

Column	Description
`ZTITLE2`	Folder name
`ZPARENT`	FK to parent folder
`ZIDENTIFIER`	Unique folder identifier

ZICCLOUDSYNCINGOBJECT (Attachments)

Column	Description
`ZMEDIA`	FK to media record
`ZTYPEUTI`	UTI type of the attachment
`ZFILENAME`	Original filename

Note Body Format

Note content is stored in the ZDATA column as gzip-compressed protobuf data. The protobuf schema uses Apple's Mergeable Data format:

Decompress gzip data
Parse protobuf structure
Extract text runs and formatting

The protobuf contains:

Text content (UTF-8 string)
Formatting attributes (bold, italic, headings, lists)
Attachment references
Table data (in Mergeable Data format)
Checklist items and their checked state

Key Fields for Analysis

Basic Note Listing

SELECT
    Z_PK,
    ZTITLE1 AS title,
    ZSNIPPET AS snippet,
    datetime(ZCREATIONDATE1 + 978307200, 'unixepoch') AS created,
    datetime(ZMODIFICATIONDATE1 + 978307200, 'unixepoch') AS modified,
    ZISPASSWORDPROTECTED AS locked
FROM ZICCLOUDSYNCINGOBJECT
WHERE Z_ENT = 5  -- Note entity type (may vary)
  AND ZMARKEDFORDELETION = 0
ORDER BY ZMODIFICATIONDATE1 DESC;

Recently Deleted Notes

SELECT
    ZTITLE1 AS title,
    ZSNIPPET AS snippet,
    datetime(ZMODIFICATIONDATE1 + 978307200, 'unixepoch') AS deleted_date
FROM ZICCLOUDSYNCINGOBJECT
WHERE ZMARKEDFORDELETION = 1
ORDER BY ZMODIFICATIONDATE1 DESC;

Attachments

SELECT
    n.ZTITLE1 AS note_title,
    a.ZFILENAME AS filename,
    a.ZTYPEUTI AS file_type,
    datetime(a.ZCREATIONDATE1 + 978307200, 'unixepoch') AS attached_date
FROM ZICCLOUDSYNCINGOBJECT a
JOIN ZICCLOUDSYNCINGOBJECT n ON a.ZNOTE = n.Z_PK
WHERE a.ZTYPEUTI IS NOT NULL
ORDER BY a.ZCREATIONDATE1 DESC;

Timestamps

Notes uses Core Data timestamps (seconds since 2001-01-01 00:00:00 UTC).

Analysis Notes

Content extraction: The gzip+protobuf body format requires decompression and parsing. The snippet and title fields provide quick access to content without full parsing.
Password-protected notes: Locked notes (ZISPASSWORDPROTECTED = 1) have their content encrypted. The metadata (title, creation date, folder) remains visible, but the body content requires the note password to decrypt.
Deleted note retention: macOS retains deleted notes for approximately 30 days in a "Recently Deleted" folder. These are marked with ZMARKEDFORDELETION = 1.
Attachment recovery: Even if a note is deleted, attachment files in the Media directory may persist on disk.
iCloud sync: Notes synced via iCloud exist on all the user's Apple devices. The same NoteStore.sqlite content appears on Mac, iPhone, and iPad.
Account separation: Notes from different accounts (iCloud, Gmail, on-device) are stored in the same database but associated with different account records.
OCR content: On macOS 12+, scanned documents and images in notes may have Live Text OCR data stored, making handwritten or photographed text searchable.

Version Differences

macOS Version	Changes
10.11 (El Capitan)	Migration to NoteStore.sqlite with gzip+protobuf content
10.13 (High Sierra)	Table support added
12 (Monterey)	Quick Notes, Live Text OCR
13 (Ventura)	Smart Folders, enhanced sharing
14 (Sonoma)	Inline PDF viewing, link previews
15 (Sequoia)	Enhanced formatting, math notation

Tool Support

Tool	Support
macfor	Not yet implemented (planned — MACFOR-NOTES-*)
sqlite3	Manual database inspection (metadata only without protobuf parser)
mac_apt	Open-source Notes parser
AXIOM (Magnet)	Commercial Notes analysis
Elcomsoft Phone Viewer	Commercial Notes extraction

References

Apple Notes Forensics - ciofecaforensics
NoteStore.sqlite Analysis - mac4n6
SANS FOR518: Mac and iOS Forensic Analysis