iOS Notes · Calendar · Reminders

iPhone Notes, Calendar and Reminders Forensics

Independent forensic analysis of iOS Notes, Calendar and Reminders — including locked notes, shared notes, attachment blobs, deleted-note recovery, and full event and reminder timelines with author and modification attribution.

← Canonical HubThis page is part of the iPhone Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. iOS Notes are stored in NoteStore.sqlite under the Notes app container. Note bodies are gzip-compressed protobuf blobs in ZICNOTEDATA.ZDATA; locked notes are additionally AES-256 encrypted with a key derived from the user-set note password. Calendar events live in Calendar.sqlitedb under the Calendar app container with CalendarItem, Attendee, and Location tables. Reminders live in Store.sqlite under the Reminders container. All three support recovery of deleted content via WAL, iCloud sync tombstones, and prior backups.

Notes — the schema behind the app

TableContents
ZICCLOUDSYNCINGOBJECT / Z_ENT filtersFolders, notes, attachments as polymorphic rows
ZICNOTEPer-note metadata: title, creation, modification, folder, snippet
ZICNOTEDATACompressed protobuf body (rich text, checklists, tables)
ZICATTACHMENTAttached images, PDFs, sketches, table cells
ZISPASSWORDPROTECTED / ZCRYPTOINITIALIZATIONVECTORLocked-note markers and per-note IV

Locked notes

Locked notes are decrypted only with the user-set note password (or Face/Touch ID after successful password unlock). We do not brute-force locked notes without authorization. When the password is provided or recovered via legitimate means, the AES-256-GCM key is derived per-note and applied to the ciphertext in ZICNOTEDATA. The unlock event itself is logged in KnowledgeC.

Calendar and Reminders

Calendar.sqlitedb retains every event created, modified or deleted on the device — with attendee lists, RSVPs, alarms, and per-event Location rows containing structured address and coordinates. Reminders/Store.sqlite holds reminders with due dates, completion timestamps, and location triggers (arrive/leave a place). Deleted events and reminders remain recoverable via WAL and backups; iCloud-synced calendars retain server-side history via CalDAV logs.

What matters in a case

  • Notes composed in a specific window (creation vs. modification date)
  • Locked notes containing account credentials, admissions, or itineraries
  • Calendar events proving physical presence at a location and time
  • Attendee lists and RSVPs — proof of coordinated meetings
  • Location-based reminders — proof that a user planned to be somewhere

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned iPhone forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the iPhone Forensics hub for the full analytical framework we bring to every matter.

Related iPhone forensics pages

Frequently asked questions

Can you decrypt a locked iOS note?

Only with the note password (or with the device passcode when the user has enabled Face/Touch ID after that password). We do not attempt unauthorized brute-force.

Do deleted notes survive?

Yes — in Recently Deleted (30 days), in the WAL, in iCloud sync tombstones, and in prior backups.

Can I prove who added a calendar event?

Yes when the event was created on the device — Calendar.sqlitedb stores creator identity and modification history.

Do reminders record when they were completed?

Yes — ZCOMPLETIONDATE and location triggers when applicable.

Ready to move on your iphone notes, calendar and reminders matter?

Tell us about the Mac, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Apple Platform Security. support.apple.com
  2. NIST SP 800-101 Rev.1 — Guidelines on Mobile Device Forensics. csrc.nist.gov
  3. SQLite: Write-Ahead Logging. sqlite.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#iPhoneForensics #iOSForensics #MobileForensics #DFIR #EliteDigitalForensics #Notes #Calendar #Reminders

Assistant Icon Elite Digital Forensics Assistant
👋 Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime. 

IMPORTANT: Please remember to check your spam or junk folder