Network Data Usage Per App (DataUsage.sqlite)

iOS, Network Traffic, Device Extraction

Location

private/var/wireless/Library/Databases/DataUsage.sqlite

Description

SQLite database tracking cellular and Wi-Fi data usage on a per-application basis. The ZPROCESS table maps process names and bundle identifiers to usage records, while the ZLIVEUSAGE table contains timestamped data transfer measurements including bytes sent (ZWIFIBYTESSENT, ZWWANBYTESSENT) and bytes received for both Wi-Fi and cellular connections.

Forensic Value

Data usage records reveal which applications transmitted and received the most data, identifying potential data exfiltration channels where an app sent unusually large volumes of data over cellular or Wi-Fi. Comparing upload volumes against download volumes per application identifies apps with disproportionate outbound traffic characteristic of data theft. The per-process granularity attributes network usage to specific applications, enabling identification of the app responsible for suspicious transfers. Historical usage data spanning weeks or months reveals changes in data transfer patterns that may correlate with the start of malicious activity. First and last seen timestamps for each process establish the active usage period of each application.
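As an added example (not part of this artifact description or of any tool listed below), the following Python builds a constructed in-memory stand-in for DataUsage.sqlite and runs the upload-versus-download comparison described above per process, with first/last seen timestamps. The ZHASPROCESS link, the ZPROCNAME/ZBUNDLENAME and *RECEIVED column names are assumptions to verify against the real schema; the Core Data epoch conversion applies to the Z-prefixed timestamp columns.

```python
import sqlite3
from datetime import datetime, timezone

# Core Data (Z-prefixed tables) stores dates as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH = 978307200

def core_data_ts(ts):
    """Convert a Core Data timestamp to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ts + CORE_DATA_EPOCH, tz=timezone.utc).isoformat()

def usage_summary(conn):
    """Aggregate sent/received bytes per process and compute the outbound ratio.
    ZHASPROCESS (link to ZPROCESS) and the *RECEIVED column names are ASSUMED."""
    sql = """
    SELECT p.ZPROCNAME, p.ZBUNDLENAME,
           SUM(u.ZWIFIBYTESSENT + u.ZWWANBYTESSENT)         AS sent,
           SUM(u.ZWIFIBYTESRECEIVED + u.ZWWANBYTESRECEIVED) AS received,
           MIN(u.ZTIMESTAMP) AS first_seen, MAX(u.ZTIMESTAMP) AS last_seen
    FROM ZLIVEUSAGE u JOIN ZPROCESS p ON u.ZHASPROCESS = p.Z_PK
    GROUP BY p.Z_PK ORDER BY sent DESC"""
    rows = []
    for name, bundle, sent, recv, first, last in conn.execute(sql):
        rows.append({"process": name, "bundle": bundle, "sent": sent, "received": recv,
                     "ratio": sent / max(recv, 1),  # guard against upload-only apps
                     "first_seen": core_data_ts(first), "last_seen": core_data_ts(last)})
    return rows

def flag_outbound_heavy(rows, min_ratio=5.0, min_sent=10_000_000):
    """Return bundles whose upload volume dwarfs their download volume."""
    return [r["bundle"] for r in rows if r["ratio"] >= min_ratio and r["sent"] >= min_sent]

def build_sample_db():
    """Constructed in-memory stand-in for DataUsage.sqlite; the schema is ASSUMED
    beyond the table and column names given in the artifact description."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
    CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
        ZWIFIBYTESSENT INTEGER, ZWWANBYTESSENT INTEGER,
        ZWIFIBYTESRECEIVED INTEGER, ZWWANBYTESRECEIVED INTEGER);
    INSERT INTO ZPROCESS VALUES (1, 'newsreader', 'com.example.newsreader'),
                                (2, 'synchelper', 'com.example.synchelper');
    -- newsreader: ordinary download-heavy use over two days (constructed values)
    INSERT INTO ZLIVEUSAGE VALUES (1, 1, 700000000, 50000, 10000, 4000000, 500000),
                                  (2, 1, 700086400, 20000, 5000, 1000000, 200000);
    -- synchelper: ~1.2 GB out against ~1.5 MB in, split across Wi-Fi and cellular
    INSERT INTO ZLIVEUSAGE VALUES (3, 2, 700000000, 900000000, 300000000, 1000000, 500000);
    """)
    return conn
```

Against a real extraction, replace `build_sample_db()` with `sqlite3.connect("DataUsage.sqlite")` after confirming the column names in the schema.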

Tools Required

iLEAPP, APOLLO, Cellebrite UFED, Magnet AXIOM, DB Browser for SQLite