Mobile   Apple Notes

Notes in iOS 14

 · 3 mins read

TL;DR: This post looks at changes to Apple Notes in iOS 14, most of which are look and feel-related, but there are two database changes.

To Do list

Changelog

Apple’s changelog for iOS 14 lists the following updates for Notes1:

  • Enhanced actions menu
  • Top Hits in search
  • Quick styles
  • Collapsible Pinned section
  • Shape recognition
  • Enhanced scanning

Enhanced actions menu

Apple says this feature redesigned the actions menu to make it easier to lock, scan, pin, and delete notes. There is no significant change to forensic behavior, this is purely user behavior.

Apple says your “more relevant search results” will be in the Top hits section. This seems to go with other announcements that say “On-device intelligence helps you do everything…”2. There doesn’t appear to be a significant change within the Notes database, but this will be explored further.

Quick styles

Apple says you can quickly change text styles with a new gesture. There is no significant change to forensic behavior, this is a very nice user experience update.

Collapsible Pinned section

Apple says you can now collapse your pinned notes list. There is no significant change to forensic behavior.

Shape recognition

Apple says that drawing common shapes will snap to a “perfect one” if you pause at the end. This is certainly a nice feature for those of us who aren’t artists, but no significant change to forensic behavior.

Enhanced scanning

Apple says that the capture scanner has an enhanced document scanner. This seems to go with the “On-device intelligence…” announcement. While it still doesn’t do great with all of my handwriting (an admittedly hard problem), it does seem to do better. It still puts the text into the ZICCLOUDSYNCINGOBJECT.ZOCRSUMMARY column, so there doesn’t appear to be an immediate change.

Other Changes

Database Structure

I was hoping there would be a good way to fingerprint an iOS 14 database and there is. The ZICCLOUDSYNCINGOBJECT table got two new columns when I updated from iOS 13 to iOS 14: ZNEEDSINITIALRELATIONSHIPSETUP and ZLASTOPENEDDATE. The ZLASTOPENEDDATE column appears to be a good timestamp for the last time that note was opened, after the upgrade to iOS 14. The ZNEEDSINITIALRELATIONSHIPSETUP column is set to 1 for all notes that were present when the upgrade occurred, and 0 for notes created after the upgrade.

Apple Cloud Notes Parser now uses the presence of the ZLASTOPENEDDATE as its key for identifying an iOS 14 database.

Conclusion

Overall, there have been far worse updates for breaking parsing of Notes. Most of what was released are look and feel kind of changes, not ones that should significantly impact your usual forensic processes. Most software should be just fine, whether your subject image was from 13.7, or 14.0. As I can generate more data, I’ll poke into this more to be sure there isn’t something obvious that is missing from this analysis.

  1. From Apple’s iOS 14 feature list

  2. From Apple’s overall iOS 14 announcement