NOTES
The NOTES plugin gets data stored in the default Notes app that ships with macOS. The locations of the database vary depending on version of macOS and are listed below. For more information on how the data is interpreted, read the blog post here.
| macOS Version | Path |
|---|---|
| Mountain Lion | /Users/[user]/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV1.storedata |
| Mavericks | /Users/[user]/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV2.storedata |
| Yosemite | /Users/[user]/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV4.storedata |
| El Capitan | /Users/[user]/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV6.storedata |
| High Sierra | /Users/[user]/Library/Containers/com.apple.Notes/Data/Library/Notes/NotesV7.storedata |
| El Capitan | /Users/[user]/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite |
Note: El Capitan has multiple locations for notes.
$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 NOTES
| Field Name | Notes |
|---|---|
| ID | Chronological ID assigned to the note |
| Title | Title of Note (first line of content) |
| Snippet | Text content within the note |
| Folder | Folder the note is stored in |
| Created | Timestamp of when the note was created Note: the cell may present the date/time as a string similar to "39:26.9" -- this is a truncated iteration of the time as MM:SS.S -- to view the entire date/time, click on the cell and read the formula bar |
| LastModified | Timestamp of when the note was last modified Note: the cell may present the date/time as a string similar to "39:26.9" -- this is a truncated iteration of the time as MM:SS.S -- to view the entire date/time, click on the cell and read the formula bar |
| Data | All readable data within the note; includes Title, Snippet, and any other object (such as Attachment) |
| AttachmentID | ID string of attachment, if applicable |
| AttachmentPath | Original name of the attachment (if applicable), from "Media" subfolder to directory of NoteStore.sqlite |
| AccountDescription | Which account the note is stored to, from NotesV#.storedata, if applicable; On My Mac : stored locally iCloud : stored on the iCloud None : stored locally (duplicate "note" entry as those stored "On My Mac") |
| AccountIdentifier | Account Identifier associated with the note; notes stored locally ("On My Mac") are labeled as "None" for Account Identifier; notes stored on iCloud have an associated Account Identifier |
| AccountUsername | - |
| Version | Version of the Notes Database that the information was found in. For example, El Capitan stores information of its notes in NotesV6.storedata and NoteStore.sqlite, so Version would be "V6" or "NoteStore", respectively |
| User | User Account the note is stored to |
| Source | Source file that the information was retrieved from |