Wednesday, July 25, 2018

I Know What You Did Last Month: a New Artifact of Execution on macOS 10.13

Kshitij Kumar and Jai Musunuri:

In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact can be used to:

  • Determine the extent to which a system was in use, with accuracy up to one day
  • Determine which programs were run on a particular day, whether in the foreground or in the background
  • Determine how long, approximately, a program was running and/or active, as well as provide an approximate number of times the program was launched or brought to the foreground interactively

Update (2018-08-06): Sarah Edwards:

The knowledgeC.db database can be found on macOS and iOS devices. On Mac systems there will be a system context database located in the /private/var/db/CoreDuet/Knowledge directory, while a user context database is located in the user’s ~/Library/Application Support/Knowledge/ directory.


The database has many tables which have many columns. This article will only go over three of these that I have found to be particularly interesting. I encourage you to look at your own data to discover other items of investigative value.

Update (2018-09-14): Sarah Edwards:

This database holds a serious amount of data and it can be easy to get tunnel vision. Think about correlating this data with the location data I’ve presented in other presentations and blog articles. Where was the user when they were looking at a specific app or browsing to a specific website? Were they driving distracted and watching YouTube when they shouldn’t have? If the user was using a specific app during a time of interest, go to that app’s data and look to see if it may contain data relevant to your investigation.

2 Comments RSS · Twitter

Will Notbepublished

Possibly, one more reason not to provide sysdiagnose outputs to Apple Bug Reporter's team when they request them.

This is merely the latest iteration of app analytics that have been present since 10.6.x. There's no privacy angle here. They're talking about on-machine forensic attacks by someone hostile with access to your unlocked Mac. There are myriad other ways to grab or infer portions of what this records scattered throughout the various logs. When this data is uploaded to Apple, it is pretty thoroughly anonymized.

The bottom line is that if a hostile attacker gets ahold of your running Mac, you are toast. CoreAnalytics don't make things any worse.

Leave a Comment