KnowledgeC: Now Playing entries

I know it’s been ages since I’ve posted! I have been settling in with Magnet Forensics and have to say – it’s been an incredible experience so far. I continue to be amazed and inspired by the dedication and skill of the folks who work tirelessly to make Magnet AXIOM and countless other products the absolute best they can be.

I was recently helping out a customer with a question about an iPhone he was examining. He wanted to corroborate the device owner’s story — allegedly he had watched some videos on the device at a certain date and time.

I suggested KnowledgeC “Now Playing” as a reference point and this led down a rabbit hole, namely:

  • Does clearing Safari history impact KnowledgeC.db?
  • Does private browsing affect input into KnowledgeC.db?

Answering these questions should be easy enough with the help of a jailbroken device (which I always keep near these days). I wanted to share my findings with the #DFIR community as there are some interesting things I observed along the way. Sarah Edwards herself noted in her blog series about KnowledgeC that there is more work to be done in terms of validating that the data is as it appears to be. I would say this work today follows down that path.

One other thing to note. My jailbroken device is running iOS 11.4.1 and at the time of writing we are at iOS 13.1.2, so there could be a difference between this and the latest/greatest iOS version. First things first, I went into Safari and visited the first video that popped up on YouTube (do not have the YouTube app installed so it played in browser).

Image result for blippi
I had no idea what ‘Blippi’ was until clicking the first random video that came up on YouTube.com as trending. Lesson learned.

Next, using SFTP I collected KnowledgeC.db from /private/var/mobile/Library/CoreDuet/Knowledge, including shm and wal, and opened DB Browser for SQLite. Next I ran Sarah Edwards’ Now Playing script (APOLLO) and here is what I observed:

So far so good. I’d concur with the data here that I made it through an ad and about 3 seconds of the Blippi video before feeling immense regret end hitting the home button to stop that madness.. By the way, Oct Edge Pre Roll is an Ad, which at some point I skipped… but I’d say 15 seconds is conceivable for how long that all took.

Next, I went back to my JB device and cleared all history through Settings > Safari. I then pulled KnowledgeC and ran the query again. Nothing changed- it was exactly the same as before.

Now things start to take a turn for the weird- I went to another video on Youtube within Safari and once again pulled my KnowledgeC db out:

Image result for hmmm emote

So…..the new video is missing altogether, but even more strangely there is an additional entry of Blippi (note the entry creation is about 5 minutes after the fact) stating a ‘Usage in Seconds’ of 319. (Note that the Usage in Seconds column is actually a computation of ZENDDATE – ZSTARTDATE that Sarah has provided for us.)

A few things we might surmise from this:

  • Even with Safari suspended and history cleared, if I were to lock my screen I suspect it would show my “Now Playing” of the Blippi video. It wasn’t until I went to a different video that it got changed.
  • KnowledgeC writes are not guaranteed to be immediate and definitely do not on their own reflect active viewing time.

I then watched the same video again and once again pulled my KnowledgeC. This time, I got the new entry as expected:

To answer the other question, as to whether or not private browsing makes a difference with respect to KnowledgeC Now Playing records. I then visited more YouTube videos in ‘Private Mode’ on Safari:

They showed up just the same.

One last note. After all of this I did a KnowledgeC-wide query to see what kind of imprint I left beyond the Now Playing results:

And there you have it. I think with /app/inFocus rows it is a much clearer picture of the fact that I did not in fact spend a lot of time watching any one video. The moral of the story here is that KnowledgeC data is indeed amazing, but not without its nuances. You must build your story based on the totality of ALL relevant KnowledgeC records, and avoid dwelling solely on the information derived from a single log type or row.

Leave a Reply

Your email address will not be published. Required fields are marked *

Releated

Analysis of the ABTraceTogether app (iOS)

I decided to have a look at the ABTraceTogether contract tracing app released by the Alberta Government today (May 1 2020) and blog about my findings. There’s potential for conspiracy theories and disinformation to run rampant for an app like this, so I wanted to have a look for myself and see how it actually […]