Apple Cloud Notes Parser
By: Jon Baumann, Ciofeca Forensics
This script is a parser for Apple Notes data stored in iCloud as seen on Apple handsets. It was tested with sample data pulled from an iOS 11 device with entries made via iCloud. This script was written in response to the lack of parsing of iCloud Notes in major mobile forensic tools and a misunderstanding that the data was "encrypted". Data that is stored in plaintext in Apple's Notes database notes.sqlite is gzipped before storage in the iCloud Notes database NoteStore.sqlite. So while the data is not actually encrypted, it is not as searchable, given its compressed nature.
How It Works
This script immediately makes a copy of the original database before running, "just in case." The copy has the same name as the original database, but with .decompressed inserted, such as NoteStore.decompressed.sqlite. It then pulls the gzip blobs out of the ZDATA column (the rough equivalent of the ZCONTENT column of the ZNOTEBODY table in notes.sqlite), gunzips each, and inserts them back into the database on top of the original gzipped data. It also looks for the plaintext portion of the note and inserts that in a new column ZDECOMPRESSEDTEXT right next to the original data. While not all notes have plaintext (some are pictures, tables, etc.), this is a quick way to gain access and searchability to that data.
It is important to note that this script is not a final answer for parsing Apple's iCloud Notes format, merely a start to bring support up to at least the level that exists for regular Notes.
This script is run by perl on a command line. The easiest use is to drop your exported NoteStore.sqlite into the same directory as this script and then run perl notes_cloud_ripper.pl. If you are more comfortable with the command line, you can point the script anywhere you would like on your computer.
The options that are currently supported are:
--file=: This option tells the script where to find your relevant NoteStore.sqlite. The default value, if this is not included, is NoteStore.sqlite in the same directory as this script.
--dirty: This option tells the script to "show its work" and leave the gzipped blobs and gunzipped blobs in the script's directory for the forensics examiner to have better access to them.
--help: This option prints the usage information.
This script requires the following Perl packages: