Biome

Overview

Biome is Apple's next-generation user activity tracking system, introduced in macOS 12 (Monterey) as a successor to aspects of KnowledgeC. Biome records user activity as binary protobuf streams organised by category (app intents, device activity, interactions, etc.). While KnowledgeC uses SQLite, Biome uses a custom binary format based on SEGB (Structured Event Graph Binary) containers with embedded protobuf records.

Biome data coexists with KnowledgeC on modern macOS — some activity is recorded in both systems, while newer activity types are Biome-exclusive.

Forensic Significance

File Locations

Stream Categories

Each subdirectory under streams/ represents a different activity category:

Data Format

SEGB Container

SEGB files contain a header followed by a series of binary records:

1. SEGB header: Magic bytes, version, metadata
2. Record entries: Each containing:
   • Timestamp (absolute or relative)
   • Protobuf payload
   • Record type identifier

Protobuf Records

The protobuf schema varies by stream type. Without Apple's schema definitions, field names must be inferred from values. Common patterns include:

• Field 1: Timestamp (double, Core Data epoch)
• Field 2: Bundle identifier (string)
• Field 3: Activity type or state (enum/integer)

Key Fields for Analysis

List Available Streams

# Enumerate all Biome streams
find ~/Library/Biome/streams -type f -name "*.segb" 2>/dev/null

# Check stream sizes (larger = more data)
du -sh ~/Library/Biome/streams/*/

Parse with Python (basic extraction)

# Basic SEGB reader (simplified)
import struct

def read_segb(path):
    with open(path, 'rb') as f:
        magic = f.read(4)
        if magic != b'SEGB':
            return
        # Skip header
        f.seek(32)
        while True:
            try:
                record_size = struct.unpack('<I', f.read(4))[0]
                if record_size == 0:
                    break
                data = f.read(record_size)
                # data contains protobuf payload
                yield data
            except:
                break

Analysis Notes

• Complementary to KnowledgeC: Biome and KnowledgeC coexist. Always analyse both data sources for a complete activity picture.
• Protobuf challenges: Without official schema definitions, Biome protobuf records require reverse engineering. Tools like protoc --decode_raw can help inspect field structures.
• Safari independence: Biome Safari streams record browsing activity independently of Safari's History.db, providing corroboration or revealing private browsing activity context.
• SEGB parser requirement: Standard forensic tools may not support the SEGB format. Custom parsing is often necessary.
• Retention: Biome streams appear to have variable retention periods depending on the stream type and available storage.
• macOS 12+ only: Biome does not exist on macOS 11 and earlier. Check the OS version before looking for these artifacts.

Version Differences

Tool Support

References

• Biome Research - Yogesh Khatri
• SEGB Format Research
• Apple Biome / KnowledgeC Evolution
• SANS FOR518: Mac and iOS Forensic Analysis