Network Usage Statistics (netusage.sqlite)
Location
private/var/networkd/netusage.sqliteDescription
SQLite database maintained by the networkd daemon tracking network route and interface usage statistics. Records data transfer volumes per network route, connection timestamps, network interface types (Wi-Fi, cellular, VPN), and associated process identifiers. Provides lower-level network usage tracking than DataUsage.sqlite with route-specific detail.
Forensic Value
The netusage database provides network connection detail at the route level, revealing which network destinations each application communicated with and over which interface type. VPN tunnel usage recorded in this database identifies when VPN connections were active and how much data traversed them. Route-specific data volumes can identify communication with specific network endpoints. The combination of process identifiers, interface types, and timestamps enables reconstruction of which apps used the network, when, and over what type of connection. This artifact is particularly valuable for identifying covert communication channels and data exfiltration that may not be visible in higher-level usage databases.