KnowledgeC.db (User Activity Database)

macosUser ActivityDisk Image

Location

~/Library/Application Support/Knowledge/knowledgeC.db and /var/db/CoreDuet/Knowledge/knowledgeC.db

Description

Core Duet SQLite database tracking detailed user activity including application usage with focus duration, device lock/unlock events, Safari browsing activity, media playback, Siri interactions, and battery state. Each event includes precise start and end timestamps and is attributed to specific bundle identifiers.

Forensic Value

KnowledgeC.db provides a comprehensive timeline of user interaction with the system that persists for weeks to months. Application usage entries record which apps were in the foreground and for how long, reconstructing the user activity timeline during a compromise. Device lock/unlock events establish when the system was actively in use. Safari browsing entries in the database complement traditional browser history analysis. This artifact is particularly valuable for insider threat investigations where understanding the complete user activity pattern is critical.

Tools Required

DB Browser for SQLitemac_aptAPOLLO (mac4n6)Crowdstrike UAClog2timeline (Plaso)

Acquisition Methods

External Boot dd Image (Intel Mac)

macos — physical

Target Disk Mode (Intel Mac)

macos — physical

Share Disk (Apple Silicon)

macos — physical

SUMURI Recon ITR Logical Acquisition

macos — logical

Cellebrite Digital Collector (macOS)

macos — logical