10 KnowledgeC Investigation

KnowledgeC.db is an SQLite database introduced in iOS 11 that tracks various user activities on Apple devices, including application usage and device status. It serves as a valuable resource for digital forensic investigators, providing insights into user behavior and device interactions over time. The database is structured with multiple tables and can be queried using SQL to extract detailed information about user activities and events.


KnowledgeC Investigation
iOS 13

Overview
• Introduction to KnowledgeC.db
• Understanding KnowledgeC.db
• Querying within KnowledgeC.db
Intro to KnowledgeC.db

What is KnowledgeC?
• KnowledgeC.db is an SQLite database, introduced in iOS 11, that tracks many different kinds of activity on the device, ranging from battery level and Bluetooth connections to which speaker is in use and what it is playing at any given time. Because of the vast amount of data stored, records are only kept for a couple of months before the database appears to purge them on a first in/first out basis.
• The database is located at ~/private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db and is made up of 16 tables.
What is KnowledgeC? (2)
• The knowledgeC database stores an event log of the many processes that run within an Apple device, ranging from application usage to speaker output switching, which is a goldmine for digital forensic investigators.
• The knowledgeC database can become a digital intelligence goldmine as it opens a window into a phone owner's actual usage. Investigators can then take a closer look at application activity, including when an app was installed or opened and all of the Spotlight searches performed.
• The purpose of KnowledgeC.db in iOS is to synchronize states between Apple products.
Kinds of data gathered from KnowledgeC.db
• These are referred to as ZSTREAMNAMES within the database.

Understanding KnowledgeC.db

ZSTREAMNAMES & Meanings

/device/batteryPercentage
  Value field: ZVALUEDOUBLE
  Description: This is the battery percentage that the user is shown. The Start and End times show how long the battery was at that level.

/device/isPluggedIn
  Value field: ZVALUEINTEGER or ZVALUEDOUBLE
  Description: Indicates if the device was plugged in/charging or not. 0 = unplugged, 1 = plugged in. Note that wireless charging shows as being "Plugged In".

/displayIsBacklit
  Value field: ZVALUEINTEGER or ZVALUEDOUBLE
  Description: Indicates if the device backlight was lit or not. 0 = Backlight off, 1 = Backlight on.

/device/batteryPercentage
[Figure: a visualization of the battery percentage that the user is shown. The Start and End times show how long the battery was at that level.]

/device/isPluggedIn
[Figure, right: a visualization of whether the device was plugged in/charging or not. 0 = unplugged, 1 = plugged in. Note that wireless charging shows as being "Plugged In".]

/displayIsBacklit
[Figure: indicates if the device backlight was lit or not. 0 = Backlight off (left), 1 = Backlight on (right).]
ZSTREAMNAMES & Meanings (2)

/keybag/isLocked
  Value field: ZVALUEINTEGER or ZVALUEDOUBLE
  Description: Indicates if the device keybag was locked or not. 0 = Keybag is locked, 1 = Keybag is unlocked.

/device/isLocked
  Value field: ZVALUEINTEGER or ZVALUEDOUBLE
  Description: Indicates if the device is passcode locked or not. 0 = Device is locked, 1 = Device is unlocked.

/media/nowPlaying
  Value fields: ZVALUESTRING & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING records information such as whether the media is playing from YouTube, Music or Safari etc. ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record.

/keybag/isLocked & /device/isLocked

What is keybag?
The device keybag is used to store the encryption keys used for operations involving device-specific data. Since iOS devices are configured for use by a single user (the default configuration), the device keybag and the user keybag are one and the same and are protected by the user's passcode.

[Figure: whether the device keybag was locked or not. 0 = Keybag is locked, 1 = Keybag is unlocked.]

[Figure: whether the device is passcode locked or not. 0 = Device is locked, 1 = Device is unlocked.]

• /media/nowPlaying
• Indicates information such as whether the media is playing from YouTube, Music or Safari etc.
ZSTREAMNAMES & Meanings (3)

/app/activity
  Value fields: ZVALUESTRING & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING records which application is using resources (not necessarily the app in the foreground). ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record.

/app/inFocus
  Value fields: ZVALUESTRING & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING = which application is in the foreground. ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record.

/app/intents
  Value fields: ZVALUESTRING & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING is the application the phone is preparing. ZSTRUCTUREDMETADATA shows the metadata ID reference. The metadata includes data such as the action the phone is preparing for.

• /app/activity
• Indicates which application(s) is using resources (not necessarily the app in the foreground).
• /app/inFocus
• Indicates which application is in the foreground (currently in front of the user).
• /app/intents
• Indicates which application the phone is preparing to launch. Appears as a launch screen for the user.
ZSTREAMNAMES & Meanings (4)

/app/Usage
  Value field: ZVALUESTRING
  Description: ZVALUESTRING is the app being used.

/audio/outputRoute
  Value fields: ZVALUEINTEGER & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUEINTEGER is 1 if audio is playing. ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record. ZSTRUCTUREDMETADATA shows the metadata ID reference. The metadata includes data such as which speaker was being used (Internal/Bluetooth/USB).

/app/webUsage
  Value fields: ZVALUESTRING & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING is the app using the internet connection. ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record. ZSTRUCTUREDMETADATA shows the metadata ID reference. The metadata includes data such as the URL being visited.

• /app/Usage
• Indicates which app is being used by the user; includes foreground and background usage.
• /audio/outputRoute
• Indicates data such as which speaker was being used (Internal/Bluetooth/USB).
• /app/webUsage
• Data includes which apps are using an active internet connection; metadata may include the visited URL.
ZSTREAMNAMES & Meanings (5)

/bluetooth/isConnected
  Value fields: ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record. ZSTRUCTUREDMETADATA shows the metadata ID reference. The metadata includes data such as the Bluetooth device MAC address and name.

/notification/usage
  Value fields: ZVALUESTRING & ZHASSTRUCTUREDMETADATA & ZSTRUCTUREDMETADATA
  Description: ZVALUESTRING is the type of notification. ZHASSTRUCTUREDMETADATA is 1 if more information is available about this record. ZSTRUCTUREDMETADATA shows the metadata ID reference. The metadata includes data such as the application that caused the notification.

• /bluetooth/isConnected
• Indicated as a 0 or 1 if a Bluetooth device is connected. Metadata includes the Bluetooth device name & MAC address.
• /notification/usage
• Indicated as a 1 if a notification was received. Metadata includes the type of notification and the application that sent the notification.
Querying within KnowledgeC.db

Understanding KnowledgeC.db Key Correlation
• ZOBJECT is the main table within the database and contains the most records, typically in the tens of thousands depending on usage.
• The ZSTRUCTUREDMETADATA table holds additional information about many of the records in the ZOBJECT table.
• The ZSTRUCTUREDMETADATA column of ZOBJECT is a foreign key into the ZSTRUCTUREDMETADATA table (its Z_PK primary key).
Database Location
• Navigate to ~/var/mobile/Library/CoreDuet/Knowledge
• Right click on knowledgeC.db and open with DB Browser for SQLite

Database structure
• ZOBJECT: main table, which holds most of the device records.
• ZSTRUCTUREDMETADATA: secondary table, which holds additional information on the entries from ZOBJECT.
Querying with SQL
• The ZOBJECT table is massive, with over 21,000 entries. It would be too time consuming to parse manually.
• We can set up a simple SQL statement to filter on the most important columns. Head to the Execute SQL tab.
SQL Statement

```sql
SELECT
  -- 978307200 is the offset from Mac absolute time (seconds since 2001-01-01) to the Unix epoch
  datetime(ZOBJECT.ZCREATIONDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "ENTRY CREATION",
  CASE ZOBJECT.ZSTARTDAYOFWEEK
    WHEN 1 THEN 'Sunday'
    WHEN 2 THEN 'Monday'
    WHEN 3 THEN 'Tuesday'
    WHEN 4 THEN 'Wednesday'
    WHEN 5 THEN 'Thursday'
    WHEN 6 THEN 'Friday'
    WHEN 7 THEN 'Saturday'
  END AS "DAY OF WEEK",
  ZOBJECT.ZSECONDSFROMGMT / 3600 AS "GMT OFFSET",
  datetime(ZOBJECT.ZSTARTDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "START",
  datetime(ZOBJECT.ZENDDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "END",
  (ZOBJECT.ZENDDATE - ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS",
  ZOBJECT.ZSTREAMNAME,
  ZOBJECT.ZVALUESTRING
FROM ZOBJECT
WHERE ZOBJECT.ZSTREAMNAME = '/app/inFocus'  -- string literals in single quotes; comparison is case-sensitive
ORDER BY "START";
```

• The first section converts the Mac absolute time into a human-readable time, creates the ENTRY CREATION column, and converts the ZSTARTDAYOFWEEK column from numbers to weekdays.
• The second section creates the GMT OFFSET, START, END and USAGE IN SECONDS columns, again converting the Mac absolute time into a human-readable time.
• The last section pulls the ZSTREAMNAME and ZVALUESTRING columns from the ZOBJECT table, only shows rows whose ZSTREAMNAME matches "/app/inFocus", and orders them from the beginning.
• Copy and paste the SQL statement from the previous slide into the first line and hit the Play button.
• Upon successful execution a smaller, more digestible table will show.
• From it we can read the converted timestamps, the ZSTREAMNAME and the ZVALUESTRING of each entry.

A closer look…
Annotated result table:
• Timestamp when the entry was created; always matches the end time.
• Day of the week.
• Start and End timestamp and offset from GMT.
• Usage in seconds (end timestamp minus start timestamp).
• ZSTREAMNAME, which reflects what application was in focus (on screen).
• ZVALUESTRING, which reflects the bundle id of the application on screen.

• This table shows us, from the start, a list of which applications were used and for how long.
Modifying the Statement
• To modify this simple statement, just enter the ZSTREAMNAME for the category you want to investigate.
• For instance, this statement is set up to show only entries whose ZSTREAMNAME is "/app/inFocus".
• If we wanted to see app usage, we would edit line 19 (the WHERE clause) to reflect "/app/usage".
• Here we can see the ZSTREAMNAME is now only displaying "/app/usage".
• With a simple edit we can point the SQL at different stream types.
• Next, change line 19 from "/app/usage" to "/media/nowPlaying".
• Here we can see what app was playing some kind of music/sound/video etc.
• We can tell from the data that the user was listening to podcasts on Wednesday 3/25/2020.
Advanced SQL Statement

```sql
SELECT
  -- 978307200 is the offset from Mac absolute time (seconds since 2001-01-01) to the Unix epoch
  datetime(ZOBJECT.ZCREATIONDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "ENTRY CREATION",
  ZOBJECT.ZSECONDSFROMGMT / 3600 AS "GMT OFFSET",
  CASE ZOBJECT.ZSTARTDAYOFWEEK
    WHEN 1 THEN 'Sunday'
    WHEN 2 THEN 'Monday'
    WHEN 3 THEN 'Tuesday'
    WHEN 4 THEN 'Wednesday'
    WHEN 5 THEN 'Thursday'
    WHEN 6 THEN 'Friday'
    WHEN 7 THEN 'Saturday'
  END AS "DAY OF WEEK",
  datetime(ZOBJECT.ZSTARTDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "START",
  datetime(ZOBJECT.ZENDDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "END",
  (ZOBJECT.ZENDDATE - ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS",
  ZOBJECT.ZSTREAMNAME,
  ZOBJECT.ZVALUESTRING,
  -- metadata columns come from the joined ZSTRUCTUREDMETADATA table; NULL where no metadata row exists
  ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE AS "ACTIVITY TYPE",
  ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING AS "ACTIVITY STRING",
  datetime(ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE + 978307200, 'UNIXEPOCH', 'LOCALTIME') AS "EXPIRATION DATE"
FROM ZOBJECT
LEFT JOIN ZSTRUCTUREDMETADATA ON ZOBJECT.ZSTRUCTUREDMETADATA = ZSTRUCTUREDMETADATA.Z_PK
WHERE ZOBJECT.ZSTREAMNAME = '/app/activity'
ORDER BY "START";
```

• The first section converts the Mac absolute time into a human-readable time, creates the ENTRY CREATION and GMT OFFSET columns, and converts the ZSTARTDAYOFWEEK column from numbers to weekdays.
• The second section creates the START, END and USAGE IN SECONDS columns, again converting the Mac absolute time into a human-readable time.
• The third section creates the ACTIVITY TYPE, ACTIVITY STRING and EXPIRATION DATE columns from ZSTRUCTUREDMETADATA, converting the expiration date from Mac absolute time into a human-readable time.
• The last section performs a "left join" of the ZSTRUCTUREDMETADATA table onto the ZOBJECT table, matching the ZSTRUCTUREDMETADATA foreign key in ZOBJECT to the Z_PK primary key, then filters on "/app/activity" and orders by START.
• Copy and paste the SQL statement from the previous slide into the first line and hit the Play button.
• Upon successful execution a slightly larger table than before will show.
• Since this statement merges the ZSTRUCTUREDMETADATA table into the ZOBJECT table, we are able to attach the extra metadata stored in ZSTRUCTUREDMETADATA to the entries in ZOBJECT.
A closer look…
• Similar to the previous statement, this new statement adds 3 new columns of metadata: Activity Type, Activity String and Expiration Date.
• We can gather extra data from these columns which is useful for an investigation.
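As an added worked example (not part of the slide deck), the Python below builds a small constructed stand-in for knowledgeC.db with only the ZOBJECT and ZSTRUCTUREDMETADATA columns the two statements use, then runs the advanced query with the stream name passed as a parameter so the left join and the Mac absolute time conversion can be checked against known rows. It renders times in device-local time by adding ZSECONDSFROMGMT rather than using 'LOCALTIME' (which applies the examiner workstation's time zone); the bundle ids, activity type and timestamps are constructed sample values.

```python
import sqlite3
from datetime import datetime, timezone

MAC_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01: knowledgeC stores Mac absolute time


def mac_time(*ymd_hms):
    """UTC calendar time -> Mac absolute time (seconds since 2001-01-01); used for the sample rows."""
    return datetime(*ymd_hms, tzinfo=timezone.utc).timestamp() - MAC_EPOCH


def build_sample_db():
    """Constructed in-memory stand-in for knowledgeC.db, limited to the columns the deck's queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
            ZSTARTDATE REAL, ZENDDATE REAL, ZCREATIONDATE REAL, ZSTARTDAYOFWEEK INTEGER,
            ZSECONDSFROMGMT INTEGER, ZSTRUCTUREDMETADATA INTEGER);
        CREATE TABLE ZSTRUCTUREDMETADATA (Z_PK INTEGER PRIMARY KEY,
            Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE TEXT,
            Z_DKAPPLICATIONACTIVITYMETADATAKEY__USERACTIVITYREQUIREDSTRING TEXT,
            Z_DKAPPLICATIONACTIVITYMETADATAKEY__EXPIRATIONDATE REAL);""")
    # Constructed rows on Wednesday 2020-03-25 (ZSTARTDAYOFWEEK 4; 1 = Sunday), device at UTC-4.
    s, e = mac_time(2020, 3, 25, 14, 0, 0), mac_time(2020, 3, 25, 14, 5, 0)
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, "/app/inFocus", "com.apple.mobilesafari", s, e, e, 4, -14400, None),
        (2, "/app/usage", "com.apple.mobilesafari", s, e, e, 4, -14400, None),
        (3, "/app/activity", "com.example.app", s + 600, e + 600, e + 600, 4, -14400, 1),
        (4, "/app/activity", "com.example.app", s + 900, e + 900, e + 900, 4, -14400, None),  # no metadata
    ])
    conn.execute("INSERT INTO ZSTRUCTUREDMETADATA VALUES (1, 'ExampleType', 'Example string', ?)", (e + 3600,))
    return conn


def stream_timeline(conn, stream_name):
    """Deck's advanced statement with a ZSTREAMNAME parameter; ZSECONDSFROMGMT gives device-local time."""
    sql = f"""
        SELECT datetime(o.ZCREATIONDATE + {MAC_EPOCH} + o.ZSECONDSFROMGMT, 'unixepoch') AS "ENTRY CREATION",
               CASE o.ZSTARTDAYOFWEEK WHEN 1 THEN 'Sunday' WHEN 2 THEN 'Monday' WHEN 3 THEN 'Tuesday'
                    WHEN 4 THEN 'Wednesday' WHEN 5 THEN 'Thursday' WHEN 6 THEN 'Friday' WHEN 7 THEN 'Saturday'
               END AS "DAY OF WEEK",
               o.ZSECONDSFROMGMT / 3600 AS "GMT OFFSET",
               datetime(o.ZSTARTDATE + {MAC_EPOCH} + o.ZSECONDSFROMGMT, 'unixepoch') AS "START",
               datetime(o.ZENDDATE + {MAC_EPOCH} + o.ZSECONDSFROMGMT, 'unixepoch') AS "END",
               o.ZENDDATE - o.ZSTARTDATE AS "USAGE IN SECONDS",
               o.ZSTREAMNAME, o.ZVALUESTRING,
               m.Z_DKAPPLICATIONACTIVITYMETADATAKEY__ACTIVITYTYPE AS "ACTIVITY TYPE"
        FROM ZOBJECT o
        LEFT JOIN ZSTRUCTUREDMETADATA m ON o.ZSTRUCTUREDMETADATA = m.Z_PK  -- keeps rows with no metadata
        WHERE o.ZSTREAMNAME = ?  -- case-sensitive: '/app/usage' does not match '/app/Usage'
        ORDER BY o.ZSTARTDATE"""
    conn.row_factory = sqlite3.Row
    return [dict(row) for row in conn.execute(sql, (stream_name,))]
```

Running stream_timeline(build_sample_db(), "/app/activity") returns two rows, the second with ACTIVITY TYPE None because the left join preserves ZOBJECT entries that have no ZSTRUCTUREDMETADATA row.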
Conclusion
• KnowledgeC is a powerful and informative database which logs the
user's activity on their device.
• It can be a goldmine for forensic investigators as it can create a
timeline as to what was in use and when.
