This article is an attempt to summarise different resources about knowledgeC database and highlight its main forensically valuable information. The database typically includes about one month of records.
Anatomy
Type: SQLite
Path 📂: macOS system db /private/var/db/CoreDuet/Knowledge, macOS user db ~/Library/Application Support/Knowledge/, iOS /private/var/mobile/Library/Coreduet/Knowledge/.
Information of forensic value:
- App usage. (timestamps, duration and frequency). Similar to prefetch data?
- Internet activity. (browsing history and queries). Useless when history is explicitly deleted by the user or when the user is surfing via the private mode.
- Calls and texts. Timestamps, numbers and call duration.
- Device state. Battery, charging events, connected devices, backlight etc.
- Media. Audio and video I/O devices + interactions with photos and videos.
⚠️ *On iOS 16+ and MacOS 13+, Apple devices store most device statistics in the 🏺 Biome database instead of the 🏺
knowledgeC.dbfile. ⚠️ You need full file system access to acquire it, since it’s not included in the backups.
Tables
ZOBJECT
Each activity tracked.
ZSTRUCTUREDMETADATA
Additional info
ZSOURCE
Additional info on the source.