Having access to precise and granular user and application usage can be extremely useful in a forensic investigation. I find that pattern-of-life data is some of the most useful information on a device - it really does tell the story about a user and their devices. I've done fairly extensive research on this previously on iOS (much of which can be used for macOS as well) but have yet to really dive into this database.

We can use some of these records to help answer a myriad of investigative questions in just about any type of investigation, some of which are listed here:

- What applications did a particular user use? How often do they use this application? How long are they using this application for?
- What websites did they visit? Are they doing research and putting this information into another application?
- Where did they ask for directions? Are they driving distracted?
- How often do they check their email? What led them to click on a specific email and infect themselves?
- How often are they chatting? Who are they chatting with?

The knowledgeC.db database can be found on macOS and iOS devices. On Mac systems there will be a system context database located in the /private/var/db/CoreDuet/Knowledge directory, while a user context database is located in the user's ~/Library/Application Support/Knowledge/ directory.

*Update 08/7/18: The data in this article is specific to macOS 10.13 and iOS 11. Other versions may contain the same data but the schemas/contents may be slightly different. A note about the iOS 10 database is at the end of this article.

On iOS there is only one main knowledgeC.db database, located in /private/var/mobile/Library/CoreDuet/Knowledge/, that appears to merge the contents of the user and system context databases found on macOS. It is worth noting that this database only appears to be available on physical acquisitions and/or jailbroken iOS devices. I have not seen it in iTunes-style backups. (Note: Other knowledgeC.db databases may exist for other applications; they are not covered here but follow a similar database schema.)

The database has many tables, each with many columns. This article will only go over three of these that I have found to be particularly interesting. I encourage you to look at your own data to discover other items of investigative value. Timestamps in this database use the Mac Epoch time ( 00:00:00 UTC).

ZOBJECT – Contains potentially thousands of usage entries for approximately 4 weeks. I will use this table as my primary table of analysis and add on other tables as needed throughout this article.

Other tables that ZOBJECT entries may reference are:

- ZSOURCE – Source of the ZOBJECT entries.
- ZSTRUCTUREDMETADATA – Additional metadata associated with ZOBJECT entries.

Taking a look at ZOBJECT, you'll see that entries appear to have a "type" associated in the ZSTREAMNAME column. Using the following tiny SQLite query, I can see what "types" of entries I'm dealing with.
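As an added example (not the author's query or code), the script below groups ZOBJECT entries by ZSTREAMNAME and converts Mac Epoch timestamps (seconds since 2001-01-01 00:00:00 UTC) to UTC. It runs against a constructed in-memory table rather than a real knowledgeC.db, and it assumes ZSTARTDATE and ZENDDATE as the names of ZOBJECT's start/end timestamp columns; the stream names in the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Mac (Cocoa) absolute time: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_epoch_to_utc(seconds):
    """Convert a knowledgeC.db Mac-epoch timestamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def stream_type_summary(conn):
    """One row per ZSTREAMNAME: (stream, entries, first start, last end, seconds in use).

    ZSTREAMNAME is the 'type' column from the article. ZSTARTDATE and ZENDDATE
    are assumed names for ZOBJECT's Mac-epoch start/end columns.
    """
    rows = conn.execute(
        "SELECT ZSTREAMNAME, COUNT(*), MIN(ZSTARTDATE), MAX(ZENDDATE), "
        "SUM(ZENDDATE - ZSTARTDATE) FROM ZOBJECT "
        "GROUP BY ZSTREAMNAME ORDER BY COUNT(*) DESC, ZSTREAMNAME"
    ).fetchall()
    return [
        (stream, n, mac_epoch_to_utc(first).isoformat(),
         mac_epoch_to_utc(last).isoformat(), int(in_use))
        for stream, n, first, last, in_use in rows
    ]


def build_sample_db():
    """Constructed in-memory stand-in for ZOBJECT; not data from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
        "ZSTARTDATE REAL, ZENDDATE REAL)"
    )
    sample = [  # constructed rows: (stream, start, end) in Mac-epoch seconds
        ("/app/inFocus", 550000000.0, 550000120.0),
        ("/app/inFocus", 550000300.0, 550000360.0),
        ("/app/inFocus", 550003600.0, 550003900.0),
        ("/safari/history", 550000310.0, 550000310.0),
        ("/display/isBacklit", 549999000.0, 550004000.0),
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZSTARTDATE, ZENDDATE) VALUES (?, ?, ?)", sample
    )
    return conn


if __name__ == "__main__":
    for row in stream_type_summary(build_sample_db()):
        print(row)
```

Pointing `sqlite3.connect` at a copy of a real knowledgeC.db (work on a copy, never the original evidence file) gives the same per-stream overview with first/last activity and total time in use.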