Daily Blog #692: Sunday Funday 5/3/20 - KnowledgeC on iOS Challenge

Hello Reader,
              Another week of fun and challenges! I'm really enjoying seeing all of you get into this and hope I find more time this week myself to do more testing. Let's face it most of us are still at home, so why not turn some of your downtime into DFIR research time! This week we move over to MacOS aka OSX.

The Prize:

$100 Amazon Giftcard
An apperance on the following week's Forensic Lunch!

The Rules:

1. You must post your answer before Friday 5/9/20 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful
6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
KnowledgeC on iOS is a jam packed knowledge resource, but on OSX it seems to be less used. 
1. What does each table in the KnowledgeC database correspond to activity wise
2. What data is logged  in each table
3. What data is not logged
4. Is there a similar datasource that would fill in the gaps?

Also Read: Daily Blog #691 

Read More

Daily Blog #680: Apple Unified Audit Logging

Hey Reader,
           Today I didn't have the time I needed to get a test kitchen done so I decided to take this opportunity to point you towards another great blog you should be reading with a different focus.

Sarah Edwards over at the Mac4n6 blog has started a series on the apple unified audit logging. If you have not been diving deep in your MacOS/Osx/Whatever they call it now analysis by looking into the data that unified audit logs provide your missing out.

Many examiners look at MacOS as a BSD operating system and just look at syslog, forgetting that there is a whole scaffold of another OS layered on top with its own logging. Apple's Unified Audit Logging is a moving target as they are notoriously not backwards compatible, I mean who else force upgrades file systems?

So do yourself a favor and check out Sarah's blog below:

https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0

Also Read: Daily Blog #679

Read More

Daily Blog #642: Solution Saturday 3/9/19 - Winner of OSX Mojave Challenge

Hello Reader,

         I love weeks when we get to crown new winners. Tun is not new DFIR, you may have seen his tweets before, but he is new to the Sunday Funday winners circle. Tun did some great testing which he documented below specifically for OSX. Give his work a look and join me on congratulating Tun on his win!

The Challenge:

On OSX Mojave, what information can you determine from the KnowledgeC database?

The Winning Answer:

Tun Naung 

Sarah Edwards has done quite an extensive research on the knowledge database and wrote a few posts on her blog mac4n6.com.  I have never used a Mac before and this is a good opportunity to learn Mac forensics. So, I decided to take the challenge and installed a macOS Mojave in Virtual Box. As a beginner I simply follow the same testing that Sarah did on macOS 10.13 to see the output of macOS 10.14 Mojave.

On macOS 10.14 Mojave, the knowledgeC.db database is found in the same locations as the previous version, macOS 10.13.

/private/var/db/CoreDuet/Knowledge – system context database

~/Library/Application Support/Knowledge – user context database

adams-iMac:~ adam$ sw_vers ProductName: Mac OS X ProductVersion: 10.14

BuildVersion: 18A391

adams-iMac:Knowledge adam$ pwd

/private/var/db/CoreDuet/Knowledge adams-iMac:Knowledge adam$ ls -l total 6120

-rw------- 1 root wheel 774144 Mar 8 04:25 knowledgeC.db

-rw------- 1 root wheel 32768 Mar 8 04:25 knowledgeC.db-shm

-rw------- 1 root wheel 2323712 Mar 8 05:23 knowledgeC.db-wal

adams-iMac:knowledge adam$ pwd

/Users/adam/Library/Application Support/knowledge

adams-iMac:knowledge adam$ ls -l total 1008

-rw------- 1 adam staff 425984 Mar 8 04:28 knowledgeC.db

-rw------- 1 adam staff 32768 Mar 8 04:28 knowledgeC.db-shm

-rw------- 1 adam staff 53592 Mar 8 04:38 knowledgeC.db-wal

From this database, we can get the information about

Application Usage

• 
  

Application Activities

• 
  

Safari Browser History

• 
  

Using the DB Browser for SQLite, we can open the knowledgeC.db database and look at the structure. The database has many tables with many columns.

Note: timestamps in this database use the Mac Epoch time (01/01/2001 00:00:00 UTC).

Figure 1: Database structure of the knowledgeC.db, both system and user context database have 16 tables

Three tables are of particular interest and they store the information which is useful and valuable for an investigator.

ZOBJECT – contains usage entries (Sarah mentioned four weeks, but I could not test as my mac has been running for a week or two only)

• 
  

ZSOURCE – source of ZOBJECT entries

• 
  

ZSTRUCTUREDMETADATA – additional metadata associated with ZOBJECT entries

• 
  

By running the SQLite query on the system context knowledgeC.db database, we get the following

“types”:

SELECT

DISTINCT ZOBJECT.ZSTREAMNAME

FROM ZOBJECT

ORDER BY ZSTREAMNAME

/activity/level

• 
  

/app/activity

• 
  

/app/inFocus

• 
  

/app/usage

• 
  

/display/isBacklit

• 
  

/safari/history

• 
  

For application usage information, we can run the SQLite query below where “/app/inFocus” type will provide what application is being used at a given time.

SELECT

datetime(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH','LOCALTIME') as "ENTRY CREATION", CASE ZOBJECT.ZSTARTDAYOFWEEK

WHEN "1" THEN "SUNDAY" WHEN "2" THEN "MONDAY" WHEN "3" THEN "TUESDAY" WHEN "4" THEN "WEDNESDAY" WHEN "5" THEN "THURSDAY" WHEN "6" THEN "FRIDAY" WHEN "7" THEN "SATURDAY"

END "DAY OF WEEK", ZOBJECT.ZSECONDSFROMGMT/3600 AS "GMT OFFSET",

datetime(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH','LOCALTIME')    AS    "START", datetime(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH','LOCALTIME')   AS    "END", (ZOBJECT.ZENDDATE-ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS", ZOBJECT.ZSTREAMNAME,

ZOBJECT.ZVALUESTRING FROM ZOBJECT

WHERE ZSTREAMNAME IS "/app/inFocus" ORDER BY "START"

-- Result: 697 rows returned in 145ms

Figure 2: Snapshot of the result of SQLite query which show the application usage

Note: the application usage is only for GUI-based applications. User attribution is an issue as this data is from system context database on macOS.

For application activities, we can use “/app/activity” stream type to add more context.

SELECT

datetime(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH','LOCALTIME') as "ENTRY CREATION", ZOBJECT.ZSECONDSFROMGMT/3600 AS "GMT OFFSET",

CASE ZOBJECT.ZSTARTDAYOFWEEK WHEN "1" THEN "SUNDAY" WHEN "2" THEN "MONDAY" WHEN "3" THEN "TUESDAY" WHEN "4" THEN "WEDNESDAY" WHEN "5" THEN "THURSDAY" WHEN "6" THEN "FRIDAY" WHEN "7" THEN "SATURDAY"

END "DAY OF WEEK", datetime(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH','LOCALTIME')    AS    "START", datetime(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH','LOCALTIME')   AS    "END", (ZOBJECT.ZENDDATE-ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS",

ZOBJECT.ZSTREAMNAME,

ZOBJECT.ZVALUESTRING,

ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY   ACTIVITYTYPE AS "ACTIVITY TYPE",

ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY   TITLE AS "TITLE",

ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY  USERACTIVITYREQUIREDSTRI NG AS "ACTIVITY STRING",

datetime(ZSTRUCTUREDMETADATA.Z_DKAPPLICATIONACTIVITYMETADATAKEY  EXPIRATIONDATE+9 78307200,'UNIXEPOCH','LOCALTIME') AS "EXPIRATION DATE"

FROM ZOBJECT

LEFT JOIN ZSTRUCTUREDMETADATA on ZOBJECT.ZSTRUCTUREDMETADATA=ZSTRUCTUREDMETADATA.Z_PK

WHERE ZSTREAMNAME IS "/app/activity" or ZSTREAMNAME is "/app/inFocus" ORDER BY "START"

-- Result: 754 rows returned in 207ms

Figure 3: Snapshot of the result of the SQLite query which show more context to the application activity

Even though I did edited the note, activity type data is not populated. Further testing is required for this.

Note: ZSTRUCTUREDMETADATA table has more than 100 columns which is worth looking into to see what data the apps are populating in this table.

For Safari history information, we can run the same query as the previous queries.

SELECT

datetime(ZOBJECT.ZCREATIONDATE+978307200,'UNIXEPOCH','LOCALTIME') as "ENTRY CREATION", CASE ZOBJECT.ZSTARTDAYOFWEEK

WHEN "1" THEN "SUNDAY"

WHEN "2" THEN "MONDAY" WHEN "3" THEN "TUESDAY" WHEN "4" THEN "WEDNESDAY" WHEN "5" THEN "THURSDAY" WHEN "6" THEN "FRIDAY" WHEN "7" THEN "SATURDAY"

END "DAY OF WEEK", ZOBJECT.ZSECONDSFROMGMT/3600 AS "GMT OFFSET",

datetime(ZOBJECT.ZSTARTDATE+978307200,'UNIXEPOCH','LOCALTIME')    AS    "START", datetime(ZOBJECT.ZENDDATE+978307200,'UNIXEPOCH','LOCALTIME')   AS    "END", (ZOBJECT.ZENDDATE-ZOBJECT.ZSTARTDATE) AS "USAGE IN SECONDS", ZOBJECT.ZSTREAMNAME,

ZOBJECT.ZVALUESTRING FROM ZOBJECT

WHERE ZSTREAMNAME IS "/safari/history" ORDER BY "START"

-- Result: 57 rows returned in 28ms

Figure 4: Snapshot of the results of the SQLite query which shows the Safari history

Note: if the user clears the browsing history, these entries get removed too. Private Mode browsing does not show up either.

For user correlation, we can run the SQLite query on the user context knowledgeC.db database.

SELECT

DISTINCT ZOBJECT.ZSTREAMNAME FROM ZOBJECT

ORDER BY ZSTREAMNAME

/event/tombstone

• 
  

/portrait/entity

• 
  

/portrait/topic

• 
  

There are a lot more testing to be done as this database contains a lot of information.

- Knowledge is power -

Credits:

https://www.mac4n6.com/blog/2018/8/5/knowledge-is-power-using-the-knowledgecdb-database-  on-macos-and-ios-to-determine-precise-user-and-application-usage

https://sqlitebrowser.org/

https://www.hecfblog.com/2019/03/daily-blog-636-sunday-funday-3319.html

Also Read: Daily Blog #641

Read More