- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of iOS Notes, Calendar and Reminders — including locked notes, shared notes, attachment blobs, deleted-note recovery, and full event and reminder timelines with author and modification attribution.
Quick Answer. iOS Notes are stored in NoteStore.sqlite under the Notes app container. Note bodies are gzip-compressed protobuf blobs in ZICNOTEDATA.ZDATA; locked notes are additionally AES-256 encrypted with a key derived from the user-set note password. Calendar events live in Calendar.sqlitedb under the Calendar app container with CalendarItem, Attendee, and Location tables. Reminders live in Store.sqlite under the Reminders container. All three support recovery of deleted content via WAL, iCloud sync tombstones, and prior backups.
| Table | Contents |
|---|---|
| ZICCLOUDSYNCINGOBJECT / Z_ENT filters | Folders, notes, attachments as polymorphic rows |
| ZICNOTE | Per-note metadata: title, creation, modification, folder, snippet |
| ZICNOTEDATA | Compressed protobuf body (rich text, checklists, tables) |
| ZICATTACHMENT | Attached images, PDFs, sketches, table cells |
| ZISPASSWORDPROTECTED / ZCRYPTOINITIALIZATIONVECTOR | Locked-note markers and per-note IV |
Locked notes are decrypted only with the user-set note password (or Face/Touch ID after successful password unlock). We do not brute-force locked notes without authorization. When the password is provided or recovered via legitimate means, the AES-256-GCM key is derived per-note and applied to the ciphertext in ZICNOTEDATA. The unlock event itself is logged in KnowledgeC.
Calendar.sqlitedb retains every event created, modified or deleted on the device — with attendee lists, RSVPs, alarms, and per-event Location rows containing structured address and coordinates. Reminders/Store.sqlite holds reminders with due dates, completion timestamps, and location triggers (arrive/leave a place). Deleted events and reminders remain recoverable via WAL and backups; iCloud-synced calendars retain server-side history via CalDAV logs.
Elite Digital Forensics is an independent, defense-aligned iPhone forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the iPhone Forensics hub for the full analytical framework we bring to every matter.
Only with the note password (or with the device passcode when the user has enabled Face/Touch ID after that password). We do not attempt unauthorized brute-force.
Yes — in Recently Deleted (30 days), in the WAL, in iCloud sync tombstones, and in prior backups.
Yes when the event was created on the device — Calendar.sqlitedb stores creator identity and modification history.
Yes — ZCOMPLETIONDATE and location triggers when applicable.
Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant