KnowledgeC.db (User Activity Database)

macOS, User Activity, Disk Image

Location

~/Library/Application Support/Knowledge/knowledgeC.db and /var/db/CoreDuet/Knowledge/knowledgeC.db

Description

Core Duet SQLite database tracking detailed user activity including application usage with focus duration, device lock/unlock events, Safari browsing activity, media playback, Siri interactions, and battery state. Each event includes precise start and end timestamps and is attributed to specific bundle identifiers.

Forensic Value

KnowledgeC.db provides a comprehensive timeline of user interaction with the system that persists for weeks to months. Application usage entries record which apps were in the foreground and for how long, reconstructing the user activity timeline during a compromise. Device lock/unlock events establish when the system was actively in use. Safari browsing entries in the database complement traditional browser history analysis. This artifact is particularly valuable for insider threat investigations where understanding the complete user activity pattern is critical.

Tools Required

  • DB Browser for SQLite
  • mac_apt
  • APOLLO (mac4n6)
  • Crowdstrike UAC
  • log2timeline (Plaso)

Collection Commands

sqlite3

sqlite3 ~/Library/Application\ Support/Knowledge/knowledgeC.db "SELECT ZOBJECT.ZVALUESTRING, datetime(ZOBJECT.ZCREATIONDATE + 978307200, 'unixepoch') AS creation_date, datetime(ZOBJECT.ZENDDATE + 978307200, 'unixepoch') AS end_date FROM ZOBJECT WHERE ZSTREAMNAME = '/app/usage' ORDER BY creation_date DESC LIMIT 200"

cp

cp ~/Library/Application\ Support/Knowledge/knowledgeC.db /forensics/knowledgec_user.db && sudo cp /var/db/CoreDuet/Knowledge/knowledgeC.db /forensics/knowledgec_system.db

mac_apt

python mac_apt.py -i /path/to/image -o /forensics/output KNOWLEDGEC
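The sqlite3 query above returns raw rows; during analysis you normally want the same data as a timeline with per-application focus durations. The following is an added example (not part of this page's tooling or of any of the listed projects) that builds a constructed, minimal stand-in for the ZOBJECT table with the columns the query uses, applies the same 978307200 Cocoa-epoch offset, and drops still-open entries and sub-threshold blips. The sample events and the reduced schema are assumptions for illustration; against a real copy, replace build_sample_db() with sqlite3.connect() on the collected file.

```python
import sqlite3
from datetime import datetime, timezone

# Core Data stores dates as seconds since 2001-01-01 UTC; hence the +978307200 in the query.
COCOA_EPOCH_OFFSET = 978307200

def cocoa_to_utc(seconds):
    """Convert a Core Data (Cocoa) timestamp to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(seconds + COCOA_EPOCH_OFFSET, tz=timezone.utc)

def build_sample_db():
    """Constructed in-memory stand-in for knowledgeC.db: only the ZOBJECT columns
    the collection query touches, filled with made-up events (not real data)."""
    base = 730976400  # 2024-03-01 09:00:00 UTC as a Cocoa timestamp
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
                 "ZVALUESTRING TEXT, ZCREATIONDATE REAL, ZENDDATE REAL)")
    rows = [
        ("/app/usage", "com.apple.Safari",   base,        base + 600),
        ("/app/usage", "com.apple.Terminal", base + 600,  base + 900),
        ("/app/usage", "com.apple.Safari",   base + 900,  base + 2700),
        ("/app/usage", "com.apple.mail",     base + 2700, base + 2703),  # 3 s blip
        ("/app/usage", "com.apple.Terminal", base + 2800, None),         # still open
        ("/device/isLocked", None,           base + 3000, base + 3600),  # other stream
    ]
    conn.executemany("INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZCREATIONDATE, "
                     "ZENDDATE) VALUES (?, ?, ?, ?)", rows)
    return conn

def app_usage_timeline(conn, min_seconds=0):
    """(bundle_id, start_utc, end_utc, focus_seconds) per /app/usage row, oldest first.
    Rows with no end date (focus still open at copy time) and entries shorter than
    min_seconds (window-switching noise) are dropped."""
    cur = conn.execute("SELECT ZVALUESTRING, ZCREATIONDATE, ZENDDATE FROM ZOBJECT "
                       "WHERE ZSTREAMNAME = '/app/usage' ORDER BY ZCREATIONDATE")
    timeline = []
    for bundle, start, end in cur:
        if start is None or end is None:
            continue
        focus = int(end - start)
        if focus >= min_seconds:
            timeline.append((bundle, cocoa_to_utc(start), cocoa_to_utc(end), focus))
    return timeline

def focus_seconds_by_bundle(timeline):
    """Total foreground seconds per bundle identifier."""
    totals = {}
    for bundle, _start, _end, focus in timeline:
        totals[bundle] = totals.get(bundle, 0) + focus
    return totals
```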

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.

MITRE ATT&CK Techniques

  • T1005 (Data from Local System)
  • T1083 (File and Directory Discovery)
  • T1082 (System Information Discovery)
  • T1057 (Process Discovery)