User Activity
KnowledgeC
Overview
KnowledgeC (also known as the CoreDuet knowledge store) is a SQLite database that tracks extensive user activity on macOS. Introduced with macOS10.13 and expanded significantly since, it records application usage, device activity states, media playback, Safari browsing, and much more. It is one of the most forensically valuable artifacts on macOS.
This article is under development. Comprehensive KnowledgeC forensic analysis documentation is coming soon.
Key Forensic Areas
- Application usage: Which apps were in focus and for how long
- Device state: Locked/unlocked, plugged in/on battery, display on/off
- Safari history: Browsing activity independent of Safari's own database
- Media playback: Now Playing information (artist, title, duration)
- Intents: Siri and Shortcuts interactions
- Location: Significant location visits (if enabled)
File Locations
| File | Path | Description |
|---|---|---|
| KnowledgeC.db | ~/Library/Application Support/Knowledge/knowledgeC.db | Main knowledge store |
| CoreDuet | /private/var/db/CoreDuet/Knowledge/knowledgeC.db | System-level knowledge store |
Key Tables
| Table | Description |
|---|---|
ZOBJECT | Primary event store with all activity records |
ZSOURCE | Event source/stream type definitions |
ZSTRUCTUREDMETADATA | Structured metadata for events |