How to Analyze KnowledgeC.db with Belkasoft X
Introduction
KnowledgeC.db is an SQLite database file that stores records of various activities on Apple devices. Those may include:
- Application usage information: records of what applications were installed and used, along with timestamps, durations, and frequency
- Internet activity: browsing history and search queries
- Call and message history: details such as call and message numbers, timestamps, and call durations
- Device state: information on battery usage, charging and screen lock events, connected devices, display backlight activity, and more
However, the information tracked in the database may vary based on the iOS version, the device model, and the applications used. For instance, starting with iOS 16 and macOS 13, a lot of valuable data that was previously stored in knowledgeC.db is recorded into the Biome database.
KnowledgeC.db typically includes about one month of records, so it is most useful when investigating recent incidents, establishing a timeline of events, or analyzing someone's pattern of life.
In this article, we will examine knowledgeC.db artifacts using Belkasoft X, a specialized digital forensics and incident response tool developed by Belkasoft.
How to analyze knowledgeC.db: Six easy steps
- Acquire Apple device data
KnowledgeC.db is part of the iOS/macOS system files, so you can obtain it using the full file system acquisition method. You can find a detailed description of the acquisition process in our previous article "KnowledgeC Database Forensics with Belkasoft X".
- Analyze the data source
When the acquisition completes, Belkasoft X prompts you to select the analysis options. KnowledgeC.db does not require specific settings like carving or encryption, so you can proceed with the default iOS analysis profile that already includes the System files artifact type.
- Locate knowledgeC.db artifacts
Belkasoft X analyzes device data and presents it in the Artifacts window. On the Structure tab, expand the System files node and then expand knowledgeC.db. You will find the artifacts split between the Application, Device, and Media usage statistics categories.
- Explore knowledgeC.db artifacts
The database can include the following artifacts:
- "Application activity", "Application in focus", "Application installations", and "Application usage" will show the user's interactions with various apps on the device
- "Safari history" and "Web usage statistics" will display data about the user's browsing activities
- "Battery percentage" and "Device is plugged in" will provide you with the information on when the device was charged and plugged into other devices
- "CarPlay usage" and "Bluetooth connections" can reveal if the device connected to certain cars and Bluetooth devices
- "Audio statistics" provides insights into the audio input and output channels used with the device
- "Media statistics" can tell you about audio and video content played
- Examine knowledgeC.db records
The Grid view in the middle pane displays the knowledgeC.db artifact records. To inspect a record individually, click the required row and examine its details in the Properties pane.
As you work with the artifacts, the Belkasoft X toolset lets you search, filter, bookmark the records, and export them into reports. You can also look up source data in the SQLite viewer or inspect the records in the lightweight Hex Viewer under the Grid view.
- Locate the knowledgeC.db file in the file system
If you want to view or export the database file to run additional queries, right-click its artifact and select Show on File System.
On iOS devices, it is located in the ../private/var/mobile/Library/Coreduet/Knowledge/ directory.
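If you export the database to run your own queries, the main thing to get right is the timestamps: Core Data stores them as seconds since 2001-01-01 UTC, not the Unix epoch, so a naive conversion is off by 31 years. The following is an added example, not Belkasoft code and not part of this article; it assumes the ZOBJECT table layout of knowledgeC.db (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) and the usual stream names behind the artifacts described above, and runs against a constructed in-memory stand-in for the real file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data dates are seconds since 2001-01-01 00:00:00 UTC (978307200 s
# after the Unix epoch); converting them as Unix time gives wrong dates.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert a Core Data timestamp to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

# Stream names in ZOBJECT.ZSTREAMNAME behind "Application in focus",
# "Application usage", "Safari history" and "Device is plugged in"
# (assumed schema knowledge, not taken from the article above).
STREAMS = ("/app/inFocus", "/app/usage", "/safari/history", "/device/isPluggedIn")

def timeline(conn, streams=STREAMS):
    """Return (start_utc, duration_seconds, stream, value) tuples, oldest first."""
    placeholders = ",".join("?" for _ in streams)
    rows = conn.execute(
        "SELECT ZSTARTDATE, ZENDDATE, ZSTREAMNAME, ZVALUESTRING FROM ZOBJECT "
        f"WHERE ZSTREAMNAME IN ({placeholders}) ORDER BY ZSTARTDATE",
        streams,
    )
    return [(cocoa_to_utc(s), round(e - s), stream, value) for s, e, stream, value in rows]

def build_sample_db():
    """Constructed in-memory stand-in for knowledgeC.db with a minimal ZOBJECT table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, "
                 "ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)")
    # Constructed values: 700000000 Cocoa seconds is 2023-03-08 20:26:40 UTC.
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?,?,?,?)",
        [
            ("/app/inFocus", "com.apple.mobilesafari", 700000000.0, 700000125.0),
            ("/safari/history", "https://example.com/", 700000010.0, 700000010.0),
            ("/device/isPluggedIn", None, 699999000.0, 700000500.0),
            ("/media/nowPlaying", "ignored", 700000050.0, 700000060.0),  # not selected
        ],
    )
    return conn

if __name__ == "__main__":
    for start, duration, stream, value in timeline(build_sample_db()):
        print(f"{start:%Y-%m-%d %H:%M:%S} UTC  {duration:>5}s  {stream:<22} {value}")
```

Point `sqlite3.connect()` at an exported copy of knowledgeC.db instead of `build_sample_db()` to run the same query on real data; work on a copy, never on the evidence file.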
Conclusion
The knowledgeC.db file is a valuable source of information for digital forensics and cyber incident response, containing a wide range of records about device usage, such as app interactions, browsing history, device connections, power status, and more.
Belkasoft X can help you acquire and analyze the knowledgeC.db file. It extracts the database artifacts and provides a convenient toolset for examining the records.