Knowledge Store (knowledgeC.db)

Location

Common Names

Description

CoreDuet SQLite database that serves as the central knowledge store for iOS, recording a wide range of user activity events including app usage with foreground/background state, device lock/unlock events, media playback, Safari browsing, device plug-in state, and Siri interactions. Each event record contains start and end timestamps, the source bundle ID, and structured metadata specific to the event type.

Forensic Value

knowledgeC.db is one of the most forensically valuable databases on iOS, providing a comprehensive timeline of device usage that spans app foreground time, screen on/off events, device locked/unlocked transitions, and active media playback. App usage records with start and end timestamps reveal exactly which applications were being used at any given time, enabling reconstruction of the user complete device interaction timeline. Lock/unlock events establish when the device was actively in use. This database retains historical data for extended periods and is particularly valuable for establishing device usage patterns and proving that specific apps were actively used at specific times.

Tools Required

Collection Commands

idevicebackup2 backup --full /forensics/ios_backup/

python3 ileapp.py -t tar -i /path/to/backup -o /forensics/output/

python3 apollo.py -o /forensics/output/ -k ios -v knowledgec /path/to/extraction/

Collection Constraints

• •Availability depends on iOS version, device lock state, backup class, and extraction method. Many protected domains require a full filesystem extraction or sysdiagnose rather than a standard backup.
• •Mobile application data may be partially cached, excluded from backup, or pruned by the OS. Validate against the extraction type before treating gaps as meaningful.

MITRE ATT&CK Techniques

References