Forensic Analysis

knowledgeC.db — Phone Activity Data

3,732 records | Feb 12 – Oct 11, 2017 | iOS knowledgeC (Apple CoreData) | Timezone: UTC-5 (EST)

01 Overview

This database is an Apple knowledgeC.db file — an iOS system database that silently logs device activity including app usage, screen state, battery levels, and lock/unlock events. Here's what it contains.

Total Records: 3,732
App Sessions: 346 (foreground app events)
Screen Events: 690 (screen on/off cycles)
Battery Readings: 481
Lock/Unlock: 267
Active Days: 9 (with recorded usage)

02 App Usage

Total time each app spent in the foreground (actively on screen). The app mix — Snapchat, Instagram, Musical.ly, Candy Crush, a school portal (Skyward), Houseparty — is consistent with a teenager's phone circa early 2017.

03 Daily Timeline

Activity is concentrated into just a handful of days. The large gaps in between — especially the 194-day silence from February to September — are notable.

04 Hourly Activity Pattern

When the phone was actively being used, by hour of day (local time, EST/UTC-5). Usage peaks in the early afternoon and late evening — consistent with a school-age user.

05 Battery Behavior

Battery percentage over time for the two periods with dense data. Charging events (plugged in) are shown in green. The February data looks normal. October 11 is where it gets strange.

[Chart: battery percentage, February 12–13, 2017 (local time)]
[Chart: battery percentage, October 11, 2017 — Dual Battery Streams (local time)]

06 Anomaly Assessment

Every database artifact was examined for inconsistencies. Each finding is rated by severity. One significant anomaly was identified.

High — Significant Anomaly
Dual Simultaneous Battery Streams
On October 11, the database records two parallel battery percentage readings running at the same timestamps. Stream A climbs from 34% → 42%. Stream B climbs from 3% → 23%. A single phone cannot report two battery levels at once. This likely indicates data merged from two devices (backup/restore), an iOS upgrade artifact, or an extraction error.

Time (UTC)   Stream A   Stream B
17:46        35%        3%
17:49        36%        6%
17:52        38%        9%
17:55        40%        12%
17:59        42%        16%

Medium — Notable
194-Day Data Gap
No data exists between Feb 23 and Sep 5, 2017 — a gap of nearly 194 days. This could mean the phone was powered off, factory reset, the database was pruned by iOS, or the forensic extraction only captured partial data. Two additional gaps of 1.7 and 2.8 days exist within the February window.
Medium — Notable
14 Zero-Duration App Sessions
14 app events were logged as "in focus" for exactly 0 seconds. Most are iMessage (notification taps). Three occur in rapid succession on Feb 20 at 2:37 PM local time — PhotoMath, Subway Surfers, Color Switch — consistent with quickly swiping through the app switcher. Not necessarily suspicious, but unusual to see this many.
Low — Expected Behavior
Screen On While Locked (5 events)
Five instances where the screen was illuminated while the device was locked, lasting 30–68 seconds each. This is normal — lock screen notifications, incoming calls, and Siri activation all cause this.
Low — Expected Behavior
Small Battery Gain Without Charging
On Feb 15, battery rose from 53% → 56% over 28 minutes while reportedly unplugged. This is within normal battery calibration drift and is not meaningful.
Clear — No Issues
No Overlapping App Sessions
No instances of two different apps reported as "in focus" at the same time. App transitions are clean and sequential.
Clear — No Issues
No Negative Durations
No events where the end timestamp precedes the start timestamp. All duration calculations are valid.
Clear — No Issues
No Duplicate Primary Keys
Database structural integrity is intact. No duplicate records, no orphaned child entries without parents, no evidence of manual row insertion or editing.
07 What Is This Database?

knowledgeC.db is a Core Data–backed SQLite database maintained by Apple's "Knowledge" system daemon on iOS and macOS. It silently records device usage events — which app is in the foreground, screen on/off state, battery level, charging status, lock state, audio routing, Siri usage, and media playback. The data is stored with Apple Core Data timestamps (seconds since January 1, 2001 00:00:00 UTC). This database is commonly extracted during forensic examinations of Apple devices and is a standard artifact in mobile forensics toolkits. All times in this analysis have been converted to local time (UTC-5 / Eastern Standard Time) unless otherwise noted.
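
As an added example (not part of the original report or the tooling behind it), the Python below converts Core Data timestamps as described above and separates interleaved battery readings into streams, which is the check behind the October 11 dual-stream finding. The sample is constructed from the five rows listed in that finding (seconds assumed to be :00); the function names and the 5-point `max_jump` threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
EST = timezone(timedelta(hours=-5))  # fixed UTC-5 offset used in this report

def coredata_to_utc(seconds):
    """Core Data seconds (since 2001-01-01 00:00:00 UTC) -> aware datetime."""
    return CORE_DATA_EPOCH + timedelta(seconds=seconds)

def split_streams(readings, max_jump=5):
    """Group (timestamp, percent) readings into streams. Each reading joins the
    stream whose latest level is closest; if none is within max_jump points
    (an assumed threshold), it opens a new stream."""
    streams = []
    for ts, pct in sorted(readings):
        best = min(streams, key=lambda s: abs(s[-1][1] - pct), default=None)
        if best is None or abs(best[-1][1] - pct) > max_jump:
            streams.append([(ts, pct)])
        else:
            best.append((ts, pct))
    return streams

def concurrent_streams(streams):
    """Index pairs of streams whose time ranges overlap. One battery cannot
    produce these; a sudden jump alone yields back-to-back streams instead."""
    return [(i, j)
            for i in range(len(streams))
            for j in range(i + 1, len(streams))
            if streams[i][0][0] <= streams[j][-1][0]
            and streams[j][0][0] <= streams[i][-1][0]]

# Constructed sample: the five Oct 11, 2017 rows from the finding above,
# as Core Data seconds. 529436760 == 2017-10-11 17:46:00 UTC.
BASE = 529436760
SAMPLE = [(BASE + off, pct)
          for off, a, b in [(0, 35, 3), (180, 36, 6), (360, 38, 9),
                            (540, 40, 12), (780, 42, 16)]
          for pct in (a, b)]

if __name__ == "__main__":
    streams = split_streams(SAMPLE)
    for n, stream in enumerate(streams):
        first, last = stream[0], stream[-1]
        print(f"stream {n}: {first[1]}% -> {last[1]}%, "
              f"{coredata_to_utc(first[0]).astimezone(EST):%Y-%m-%d %H:%M} to "
              f"{coredata_to_utc(last[0]).astimezone(EST):%H:%M} EST")
    print("concurrent pairs:", concurrent_streams(streams))
```

Readings that merely jump by more than the threshold open a new stream that starts after the old one ends, so only streams that coexist in time are reported.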