KnowledgeC.db
CoreDuet database that logs per-user application focus, device lock/unlock, USB attach, battery, Bluetooth pairing, and Siri events — a macOS/iOS timeline goldmine.
Where to find it
Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.
- ~/Library/Application Support/Knowledge/knowledgeC.db
- /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db (iOS)
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Per-app usage time reconstruction for acceptable-use violations
- Proving the device was active during an alibi window
- Correlating USB insertion with application activity
- Pattern-of-life analysis for mobile investigations
Tools that parse it
unJaena AI and other DFIR tools commonly used to extract evidence from this artifact.
Related artifacts
TCC Database
Transparency, Consent, and Control SQLite database recording which applications were granted access to camera, microphone, contacts, photos, screen recording, and full-disk access.
FSEvents
Per-volume filesystem change journal. Records creation, deletion, rename, and ownership changes for every file — the macOS analogue of the USN journal.
RecentDocs
Explorer tracks recently opened files per extension in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, including files on removed storage.
LaunchServices Quarantine Events
Per-user SQLite log of every file downloaded through a quarantine-aware application (Safari, Chrome, Mail, AirDrop) with source URL and user agent.