NOTIFICATIONS

The NOTIFICATIONS plugin parses data from a SQLite database file located at the paths below. The location for this database has changed after Yosemite.

macOS Version	Path
Snow Leopard, Lion, Mountain Lion, Mavericks	/Users/{USER}/Library/Application Support/NotificationCenter/.db
Yosemite, El Capitan, Sierra	DARWIN_USER_DIR/com.apple.notificationcenter/db/db
High Sierra	DARWIN_USER_DIR/com.apple.notificationcenter/db2/db

*DARWIN_USER_DIR path will be /private/var/folders/xx/yyyyyyy/0 where xx/yyyyyyy looks like a random string and is different for every user.

This plugin supports standalone mode.

Sample Usage

$ python mac-apt.py -x -o ~/Case_Output E01 ~/Acquisition.E01 NOTIFICATIONS

Output

Field Name	Notes
User	User account.
Date	Date/time (UTC) that the notification was created.
Shown	?
Bundle	Associated com.apple...plist app info.
AppPath	Path of Application that created a notification.
UUID	UUID of notification.
Title	Title of the notification.
SubTitle	Subtitle (if any) to the notification.
Message	Message content within the notification.
SourceFilePath	Source path of the db file containing notification information.

Getting Started

Introduction
Installation
- Installation-old
Sample Usage
- ios_apt
- Artifact Only Mode
- Mounted System Data Mode
Interpreting Output
Issues & Workarounds
- Plugin Issues

Plugins

AUTOSTART
BASICINFO
BLUETOOTH
DOMAINS
FSEVENTS
IDEVICEBACKUPS
IDEVICEINFO
IMESSAGE
INETACCOUNTS
INSTALLHISTORY
MSOFFICE
NETUSAGE
NETWORKING
NOTES
NOTIFICATIONS
PRINTJOBS
QUARANTINE
RECENTITEMS
SAFARI
SCREENTIME
SPOTLIGHT
SPOTLIGHTSHORTCUTS
TERMINALSTATE
TERMSESSIONS
UNIFIEDLOGS
USERS
WIFI

Development

Write a Plugin
Plugin Helpers

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NOTIFICATIONS

Sample Usage

Output

Clone this wiki locally