DFIR Review iOS KnowledgeC.db Notications
15
Figure 11
In the next example, the test device received a SMS notification, Facebook Messenger notification and a
Twitter notification. When the notifications were received there was no user interaction with the device. The
screen turned ON and OFF on its own. After the three notifications were received, the test device was unlocked
by clicking the home button and all notifications were hidden from the Lock Screen. These notifications can
still be visible in the Notification Center.
In Figure 12 we can see the activity for the three notifications that were received and hidden. When the
notifications were hidden from the Lock Screen, Hidden notification types were recorded for each
notification. Figure 12 shows how these actions look like on the device and in the KnowledgeC.db.
Figure 12
The previous examples had user – device interaction. Based on the testing, Hidden notifications can be both
user and non-user initiated.
In Figure 13, the Notification Center is checked for any active notifications, which there are none. The device
is unlocked, and the Facebook Messenger is brought into focus. While the application was in focus, the device
received a notification for a SMS message. There was no user interaction with this notification, and it
disappears from the screen on its own. Another message is received, and another Banner Notification is
displayed, it also did not have any user interaction and disappears on its own.
The Facebook Messenger application was sent to the background, and we can see the messenger application
still has a badge notification count, these will only be cleared after the application data is viewed or handled
within the application. When the notifications were received, the messenger application was running in the
background. All the applications were closed, except for the Facebook Messenger application. While the
Facebook Messenger application was in focus, a Facebook Messenger message was received. Notice the
device did not display a Banner Notification, as previously seen with the SMS notifications.