Authors: Geraldine Blay (Seminole County Sheriff's Office / Operation Underground Railroad) and SA Alexis Brignoni (FBI)



iOS Notifications allow users to peek at content that could be important to them without having to access the app. For us forensic examiners, Notifications can be a goldmine, potentially showing content that is not present in the phone anymore. In this post, we take a look at notification logs stored in private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local.

We walk the reader through the data structure of these files and how to manually parse them. Additionally, we show how to parse these in the blink of an eye and generate a beautiful report using Alexis Brignoni’s iLEAPP.