Using Pattern of Life (APOLLO) for macOS investigation
- Apr 16
- 4 min read

When investigating macOS, one of the most valuable sources of forensic data is the knowledgeC.db database. This database logs a wide range of activities related to application usage, media playback, device status, and user interactions.
-------------------------------------------------------------------------------------------------------------
Application Usage Tracking
Apps Used on macOS
The knowledgeC.db database stores details about application usage. On macOS there are two copies, a per-user one and a system-wide one:
macOS: ~/Library/Application Support/Knowledge/knowledgeC.db
macOS: /private/var/db/CoreDuet/Knowledge/knowledgeC.db
Each app-usage record (the /app/usage stream) includes:
Start and end times of app usage (stored as Core Data timestamps, i.e. seconds since 2001-01-01 UTC, so they must be offset by 978307200 to get Unix time)
Bundle ID of the application
Time spent in seconds and minutes (derived from the start and end times)
Launch reason
Day of the week
GMT offset
Entry creation timestamp
The best tool for extracting this is APOLLO from mac4n6 (covered below).
Application Intents
Beyond app usage, knowledgeC.db records contextual data in the form of Intents (the /app/intents stream), which includes:
Start and end times
App name and Bundle ID
Intent class and intent verb (i.e., what the app was doing, such as sending a message)
Device ID (hardware UUID) for tracking synced activity across iCloud devices
Contact details and contextual information
More granular data stored as a serialized interaction (a binary plist blob in the metadata table), such as direct-messaging activity in apps like Twitter
Query or tool: the SQL is not reproduced here; APOLLO's knowledgeC modules extract this stream.
-------------------------------------------------------------------------------------------------------------
Media Tracking: What’s Playing on the Device
Forensic analysis of media playback on macOS is also possible via knowledgeC.db, which logs details like:
Start and end times
Usage duration in seconds
Bundle ID of the media-playing app
Metadata including album, artist, title, and duration
Device output details (e.g., MAC addresses of audio output devices)
Query or tool: the SQL is not reproduced here; APOLLO's knowledgeC modules extract this stream.
-------------------------------------------------------------------------------------------------------------
Device Status Monitoring
Locked and Plugged-In Status
We can determine when a device was locked and whether it was plugged into power using knowledgeC.db: the /device/isLocked and /device/isPluggedIn streams hold an integer state (1 or 0) together with the start and end time for which that state held.
Query for locked device
Query for device plugged in
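The app-usage, intents, media and locked/plugged-in sections above all boil down to the same join over knowledgeC.db, so here is one added example that serves all four. It is not code from the original post or from APOLLO: it builds an in-memory SQLite database with a reduced, assumed subset of knowledgeC.db's Core Data schema (ZOBJECT, ZSOURCE, ZSTRUCTUREDMETADATA and a handful of Z_DK*__ metadata columns), fills it with constructed rows, and then runs the kind of query the page describes, including the Core Data epoch shift. To use it on a real copy, swap build_sample_db() for sqlite3.connect("knowledgeC.db").

```python
"""Query knowledgeC.db pattern-of-life streams.

Added example, not code from the original post or from APOLLO. The schema
below is a reduced, ASSUMED subset of the real Core Data schema and the rows
are constructed sample data.
"""
import sqlite3
from datetime import datetime, timezone

# Core Data timestamps count seconds from 2001-01-01 UTC, not the Unix epoch.
COREDATA_EPOCH = 978307200
DAYS = {1: "Sunday", 2: "Monday", 3: "Tuesday", 4: "Wednesday",
        5: "Thursday", 6: "Friday", 7: "Saturday"}

SCHEMA = """
CREATE TABLE ZSOURCE (Z_PK INTEGER PRIMARY KEY, ZBUNDLEID TEXT, ZDEVICEID TEXT);
CREATE TABLE ZSTRUCTUREDMETADATA (
    Z_PK INTEGER PRIMARY KEY,
    Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON TEXT,
    Z_DKINTENTMETADATAKEY__INTENTCLASS TEXT,
    Z_DKINTENTMETADATAKEY__INTENTVERB TEXT,
    Z_DKNOWPLAYINGMETADATAKEY__TITLE TEXT,
    Z_DKNOWPLAYINGMETADATAKEY__ARTIST TEXT,
    Z_DKNOWPLAYINGMETADATAKEY__ALBUM TEXT);
CREATE TABLE ZOBJECT (
    Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT, ZVALUESTRING TEXT,
    ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL, ZCREATIONDATE REAL,
    ZSECONDSFROMGMT INTEGER, ZDAYOFWEEK INTEGER, ZSOURCE INTEGER,
    ZSTRUCTUREDMETADATA INTEGER);
"""


def build_sample_db():
    """Constructed sample data: one Monday (2024-03-04) on a device set to UTC-8."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZSOURCE VALUES (?,?,?)", [
        (1, "com.apple.Safari", "AAAA-1111"), (2, "com.apple.Music", "AAAA-1111")])
    conn.executemany("INSERT INTO ZSTRUCTUREDMETADATA VALUES (?,?,?,?,?,?,?)", [
        (1, "dock", None, None, None, None, None),
        (2, None, "INSendMessageIntent", "send", None, None, None),
        (3, None, None, None, "Track A", "Artist B", "Album C")])
    t0 = 1709546400 - COREDATA_EPOCH        # 2024-03-04 10:00:00 UTC
    conn.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        # pk, stream, value string, value int, start, end, created, gmt off, dow, src, meta
        (1, "/app/usage", "com.apple.Safari", None, t0, t0 + 900, t0 + 901, -28800, 2, 1, 1),
        (2, "/app/intents", "com.apple.MobileSMS", None, t0 + 100, t0 + 100, t0 + 101, -28800, 2, None, 2),
        (3, "/media/nowPlaying", "com.apple.Music", None, t0 + 1000, t0 + 1180, t0 + 1181, -28800, 2, 2, 3),
        (4, "/device/isLocked", None, 1, t0 + 2000, t0 + 5600, t0 + 5601, -28800, 2, None, None),
        (5, "/device/isPluggedIn", None, 0, t0 + 2000, t0 + 9200, t0 + 9201, -28800, 2, None, None)])
    return conn


def to_utc(coredata_ts):
    """Render a Core Data timestamp as a UTC string."""
    return datetime.fromtimestamp(coredata_ts + COREDATA_EPOCH,
                                  tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def stream_events(conn, stream):
    """Events of one ZSTREAMNAME joined to their source and structured metadata.

    Each dict carries UTC start/end, duration in seconds, bundle id, device id,
    day of week, GMT offset and whichever Z_DK*__ metadata keys are populated
    (launch reason for /app/usage, intent class/verb for /app/intents, track
    metadata for /media/nowPlaying).
    """
    conn.row_factory = sqlite3.Row
    rows = conn.execute("""
        SELECT o.*, s.ZBUNDLEID, s.ZDEVICEID, m.*
        FROM ZOBJECT o
        LEFT JOIN ZSOURCE s ON o.ZSOURCE = s.Z_PK
        LEFT JOIN ZSTRUCTUREDMETADATA m ON o.ZSTRUCTUREDMETADATA = m.Z_PK
        WHERE o.ZSTREAMNAME = ?
        ORDER BY o.ZSTARTDATE""", (stream,))
    events = []
    for r in rows:
        ev = {"start": to_utc(r["ZSTARTDATE"]), "end": to_utc(r["ZENDDATE"]),
              "seconds": int(r["ZENDDATE"] - r["ZSTARTDATE"]),
              "bundle_id": r["ZVALUESTRING"] or r["ZBUNDLEID"],
              "value": r["ZVALUEINTEGER"], "device_id": r["ZDEVICEID"],
              "day": DAYS.get(r["ZDAYOFWEEK"]),
              "gmt_offset_h": (r["ZSECONDSFROMGMT"] or 0) // 3600,
              "created": to_utc(r["ZCREATIONDATE"])}
        # keep only the metadata keys this stream actually populated
        ev.update({k.split("__")[-1].lower(): r[k] for k in r.keys()
                   if k.startswith("Z_DK") and r[k] is not None})
        events.append(ev)
    return events


def state_at(conn, stream, unix_ts):
    """True/False if a /device/isLocked or /device/isPluggedIn interval covers
    the given Unix time; None when no record covers it."""
    cd = unix_ts - COREDATA_EPOCH
    row = conn.execute("""SELECT ZVALUEINTEGER FROM ZOBJECT
        WHERE ZSTREAMNAME = ? AND ZSTARTDATE <= ? AND ZENDDATE >= ?
        ORDER BY ZSTARTDATE DESC LIMIT 1""", (stream, cd, cd)).fetchone()
    return None if row is None else bool(row[0])


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("/app/usage", "/app/intents", "/media/nowPlaying"):
        for ev in stream_events(db, name):
            print(name, ev)
    print("locked at 10:50 UTC?", state_at(db, "/device/isLocked", 1709546400 + 3000))
```

Two things worth checking when you run this against a real database: the join to ZSOURCE is what gives you the hardware UUID for cross-device correlation, and any timestamp that looks like it is in 1970 or 2001 is one you forgot to shift by the Core Data epoch.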
-------------------------------------------------------------------------------------------------------------
Volume and Battery Level
Using CurrentPowerlog.PLSQL, investigators can track the battery status and volume levels of macOS and iOS devices.
macOS: /private/var/db/powerlog/Library/BatteryLife/CurrentPowerlog.PLSQL (older, rotated logs live in the /Archives directory)
Query for powerlog_battery_level
Query for powerlog_device_volume
-------------------------------------------------------------------------------------------------------------
Call and Camera Status
For those examining call activity or camera usage, Powerlog maintains records of:
Whether the front or rear camera was in use
Ongoing call statuses
macOS: /private/var/db/powerlog/Library/BatteryLife/ (and the /Archives directory)
Query for powerlog_camera_state
Query for powerlog_incallservice
-------------------------------------------------------------------------------------------------------------
Health Data Tracking
Heart Rate Monitoring
The healthdb_secure.sqlite database (an iOS database, available from an encrypted backup or a full file-system extraction of the device) logs heart rate data collected via Apple Watch.
Query for health_heart_rate
Steps and Distance Data
This same database also records step count and distance traveled, which can be useful for understanding movement patterns.
Query for health_distance
Query for health_steps
-------------------------------------------------------------------------------------------------------------
Other Key Data Sources
Passcode Unlock and AirDrop Activity
The Aggregate Dictionary (ADDataStore.sqlitedb) stores device activity logs for up to a week, including:
Methods used to unlock a device
Changes in passcode settings
AirDrop activity, including files sent
Query for aggregate_dictionary_scalars
Frequent and Significant Locations
Apple devices track Significant Locations (formerly called Frequent Locations) under System Services. These logs store routine location data to assist with features like traffic predictions. While all location data is tracked, only the most frequently visited places appear in the user-facing settings.
Find this setting under: Settings → Privacy → Location Services → System Services → Significant Locations
-------------------------------------------------------------------------------------------------------------
Significant Locations macOS 10.13+
Where is the Data Stored?
On macOS 10.13 and newer, significant location data is stored in:
/private/var/folders/.../com.apple.routined/Cache/ (macOS - appears encrypted)

Key Databases
The following databases contain location information:
Cloud[-V2].sqlite – Stores long-term visit records
Cache.sqlite – Holds granular location data for approximately one week
Local.sqlite – Another data store, though its specific purpose may vary
A major change in iOS 11 introduced a new format for storing routine location data, making analysis different from previous versions.
Wi-Fi Location Data (locationd)
Apart from significant locations, the location daemon (locationd) also caches nearby Wi-Fi access points (and, on iOS, cellular towers). The Wi-Fi records can be found in:
macOS: /private/var/folders/zz/.../cache_encryptedA.db
Retention: ~4 days
Stored information: timestamp, access-point MAC address, channel, and location coordinates
Wi-Fi location tracking works in the background, meaning the user does not need to connect to an access point for the device to log nearby Wi-Fi networks.
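The Cache.sqlite store described above holds roughly a week of granular fixes, which is usually what you want to narrow to a time window and drop onto a map. The following is an added example, not code from the original post or from APOLLO; it assumes a ZRTCLLOCATIONMO table with ZTIMESTAMP, ZLATITUDE, ZLONGITUDE and ZHORIZONTALACCURACY columns (a reduced subset of the Core Data schema, treated here as an assumption), uses constructed rows, and applies the same Core Data epoch shift as knowledgeC.db before writing the fixes out as timestamped KML placemarks.

```python
"""Filter routined Cache.sqlite fixes to a time window and export them as KML.

Added example, not code from the original post or from APOLLO. Table and
column names are an ASSUMED subset of the Core Data schema; rows are
constructed sample data.
"""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

COREDATA_EPOCH = 978307200   # seconds from 1970-01-01 to 2001-01-01 UTC


def build_sample_cache():
    """Constructed sample: two fixes at one place, a third two hours later elsewhere."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZRTCLLOCATIONMO (Z_PK INTEGER PRIMARY KEY,
        ZTIMESTAMP REAL, ZLATITUDE REAL, ZLONGITUDE REAL, ZHORIZONTALACCURACY REAL)""")
    base = 1709546400 - COREDATA_EPOCH          # 2024-03-04 10:00:00 UTC
    conn.executemany("INSERT INTO ZRTCLLOCATIONMO VALUES (?,?,?,?,?)", [
        (1, base,        37.3318, -122.0312, 10.0),
        (2, base + 600,  37.3322, -122.0301, 65.0),   # coarse fix
        (3, base + 7200, 37.7749, -122.4194, 5.0)])
    return conn


def points_between(conn, start_unix, end_unix, max_accuracy_m=None):
    """Fixes inside [start, end] (Unix seconds), optionally dropping coarse ones.

    The window is converted to Core Data time so the comparison happens in the
    database, which matters when the real table holds tens of thousands of rows.
    """
    lo, hi = start_unix - COREDATA_EPOCH, end_unix - COREDATA_EPOCH
    rows = conn.execute("""SELECT ZTIMESTAMP, ZLATITUDE, ZLONGITUDE, ZHORIZONTALACCURACY
        FROM ZRTCLLOCATIONMO WHERE ZTIMESTAMP BETWEEN ? AND ? ORDER BY ZTIMESTAMP""", (lo, hi))
    pts = [{"time": datetime.fromtimestamp(t + COREDATA_EPOCH, tz=timezone.utc),
            "lat": lat, "lon": lon, "accuracy_m": acc} for t, lat, lon, acc in rows]
    if max_accuracy_m is not None:
        pts = [p for p in pts if p["accuracy_m"] is not None and p["accuracy_m"] <= max_accuracy_m]
    return pts


def to_kml(points):
    """KML document with one timestamped Placemark per fix (loads in Google Earth)."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for p in points:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = p["time"].strftime("%Y-%m-%d %H:%M:%S UTC")
        ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = p["time"].strftime("%Y-%m-%dT%H:%M:%SZ")
        ET.SubElement(pm, "description").text = f"horizontal accuracy {p['accuracy_m']} m"
        # KML coordinate order is longitude,latitude,altitude
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{p['lon']},{p['lat']},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    db = build_sample_cache()
    window = points_between(db, 1709546400, 1709546400 + 3600, max_accuracy_m=20)
    print(to_kml(window))
```

Filtering on horizontal accuracy before plotting keeps Wi-Fi-derived coarse fixes from dragging a track across the map; keep the unfiltered rows in your notes, since a 65 m fix still proves the device was in the area.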
-------------------------------------------------------------------------------------------------------------
The queries were listed one by one above, but you can also run the APOLLO tool once and get all of that output together. Let's see how.
-------------------------------------------------------------------------------------------------------------
APOLLO (Apple Pattern of Life Lazy Output’er)
APOLLO is an open-source tool from mac4n6 designed to analyze Apple's pattern-of-life data.
Easy SQL-based analysis for various Apple devices and OS versions: each module is a SQL query tagged with the database it targets and the OS versions it applies to
Works with iOS and macOS data (point it at an extracted file system or a mounted image)
Fast correlation of location data for forensic investigations
📌 GitHub Repository:
First clone the repository, then install its dependency simplekml (pip3 install simplekml). Once that is done, run the command below against the extracted file system or mounted image:
command:
python3 apollo.py extract -o sql -p apple -v 11 -k ./module /
Here -o sql selects SQLite output (csv is the alternative), -p apple selects the platform, -v 11 is the OS version whose module queries should be run, -k ./module is the directory holding the module definition files, and the trailing / is the root of the data to search.
Output:


-------------------------------------------------------------------------------------------------------------
Other Useful Forensic Tools
Apart from APOLLO, several other tools can assist in extracting and analyzing iOS and macOS location data:
iLEAPP (iOS Logs, Events, and Properties Parser) – Open-source tool for iOS forensics (GitHub)
Magnet Axiom – Commercial tool for mobile and computer forensics
Cellebrite Physical Analyzer & Inspector – Industry-standard tools for mobile device analysis
-------------------------------------------------------------------------------------------------------------
Final Thoughts
Understanding Apple’s significant location data and how it is stored can provide critical insights during forensic investigations. With the right tools, investigators can extract granular movement data, identify key locations, and correlate cellular and Wi-Fi records to build a comprehensive timeline of device activity.
As Apple continues to update its security and data encryption methods, forensic experts must stay updated with the latest tools and methodologies to ensure efficient and accurate analysis.
----------------------------------------Dean---------------------------------------------------------


