This post shows some research I did as part of what was going to be a much bigger post that I started a long while ago related to iOS knowledgeC and attempts to show what every item was and meant.

It was a huge task, and one that I never completed. It's also one that has become less relevant over the last year as Apple moved towards the biome files and away from knowledgeC.

But I have been asked a couple of times about this type of data recently so I decided to post all my work here regardless. There are gaps and it's not a complete list, but this is as far as I got and hopefully it will come in useful to someone. I recommend validating most of this before relying on it though.

I may periodically update this document if I learn anything else.

The Data

Select: /app/inFocus /safari/history /app/install /app/intents /app/usage /app/webUsage /audio/outputRoute /audio/inputRoute /carplay/isConnected /device/batteryPercentage /device/isLocked /device/isLockedImputed /device/isPluggedIn /device/lowPowerMode /device/batterySaver /display/isBacklit /display/orientation /keybag/isLocked /media/nowPlaying /photos/share/all /photos/share/airdrop /photos/share/extension /sharesheet/feedback /system/airplaneMode /userInteraction/appDirectory /wifi/connection /mapsShareEta/feedback /settings/doNotDisturb /bluetooth/isConnected /siri/ui /siri/intentEvent /siri/service /notification/usage /dasd/batterytemperature /photos/engagement/0To1Seconds /photos/engagement/1To2Seconds /photos/engagement/2To3Seconds /inferred/focusMode /dasd/widgetRefresh /dasd/widgetView (/widgets/viewed) /user/isFirstBacklightOnAfterWakeup /airplay/prediction /photos/deletes/all /photos/deletes/recent /app/locationActivity /inferred/motion /event/tombstone /charging/smartTopOffEngagement /activity/level /dasd/controlEffort /dasd/activityProfile /system/TLC /photos/deletes/all /photos/deletes/recent /inferred/microLocationVisit

/app/inFocus

This record is created when an application is being viewed on screen. Note that this can also be recorded when an app is shown within another app. For example, when in Messages and other applications can be accessed in order to share content.

The Z_DKAPPLICATIONMETADATAKEY__LAUNCHREASON field of the ZSTRUCTUREDMETADATA table affords more information including the following:

Actual UI Changes:

Backlight Activity:

If the application is launched as part of another app (called an Extension) then you can find the extension and parent application in the fields
Z_DKAPPLICATIONMETADATAKEY__EXTENSIONCONTAININGBUNDLEIDENTIFIER
Z_DKAPPLICATIONMETADATAKEY__EXTENSIONHOSTIDENTIFIER

/safari/history

This record is created when Safari Mobile is used to access a webpage.
The ZSTARTDATE is the time the page was accessed.
The ZVALUESTRING is the URL that was visited.
The ZSTRUCTUREDMETADATA affords more information and may include the following:

/app/install

Note that seconds are ignored on these timestamps and all records will show as zero seconds.

There IS StructuredMetaData associated with this artifact.

This record type is made when an application is installed. The ZVALUESTRING value will give the application name that was installed.

The ZSTRUCTUREDMETADATA affords more information including the following:

/app/intents

An “Intent” is a process used to pass information between two different applications. For example, pressing a link for a phone number in Safari will use an “intent” to start the Phone application and pass the phone number.

Using intents allows the device to maintain security and validate the type of data being passed between applications.

KnowledgeC can save intent data, including full text messages.

The ZVALUESTRING will detail what type of application is being requested by the intent (typically Calls or Messages).

The ZSTRUCTUREDMETADATA affords more information including the following:

The ZSOURCE data may include the details of the third party.

/app/usage - INCOMPLETE RESEARCH

This record type is made when an application loses processor attention. In other words, the application does not need to be active to incur usage.

/app/webUsage

This record is created when iOS is accessing the web.
The ZVALUESTRING is the application that was utilizing the web.
The ZSTRUCTUREDMETADATA affords more information and may include the following:

/audio/outputRoute - INCOMPLETE RESEARCH

This record type is made when the device is utilizing audio.

The ZSTRUCTUREDMETADATA affords more information including the following:

/audio/inputRoute

This record type is made when the device is utilizing audio.

The ZSTRUCTUREDMETADATA affords more information including the following:

/carplay/isConnected

A record of this type is made whenever the device connects or disconnects to a CarPlay system.

If ZVALUEDOUBLE is 1 then the device was locked at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was unlocked at the ZSTARTTIME until the ZENDTIME.

/device/batteryPercentage

A record of this type is made whenever the device battery indication changes.

If ZVALUEDOUBLE is a reflection of the Battery Percentage being reported to the user.

/device/isLocked

A record of this type is made whenever the device is LOCKED or UNLOCKED with either the user passcode, TouchID or FaceID.
If ZVALUEDOUBLE is 1 then the device was locked at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was unlocked at the ZSTARTTIME until the ZENDTIME.

/device/isLockedImputed

This is a very similar record to /device/isLocked. “Imputed” means that the value is inferred but it is found to be a duplicate to the isLocked.

A record of this type is made whenever the device is LOCKED or UNLOCKED with either the user passcode, TouchID or FaceID.

If ZVALUEDOUBLE is 1 then the device was locked at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was unlocked at the ZSTARTTIME until the ZENDTIME.

/device/isPluggedIn

A more appropriate term for this artifact may be “isCharging” as a record of this type is made whenever the device is charging, and this applies equally to being physically plugged in or placed onto a Wireless Charging device.

If ZVALUEDOUBLE is 1 then the device was charging at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device stopped charging at the ZSTARTTIME until the ZENDTIME.

The ZSTRUCTUREDMETADATA affords more information including the following:

/device/lowPowerMode

A record of this type is made whenever the device enters or exits Low Power Mode.

If ZVALUEDOUBLE is 1 then the device was in Low Power Mode at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was not in Low Power Mode at the ZSTARTTIME until the ZENDTIME.

/device/batterySaver

A record of this type is made whenever the user selects to enter Battery Saver Mode (ie. Low Power Mode).

If ZVALUEDOUBLE is 1 then the device was in Battery Saver Mode at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was not in Battery Saver Mode at the ZSTARTTIME until the ZENDTIME.

The ZSTRUCTUREDMETADATA affords more information including the following:

/display/isBacklit

A record of this type is made whenever the device backlight illuminates or dims.

If ZVALUEDOUBLE is 1 then the device backlight was illuminated until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device backlight was off at the ZSTARTTIME until the ZENDTIME.

/display/orientation

A record of this type is made whenever the device orientation change results in a change to the display. This means that simply reorientating the phone while on the home screen will not have any affect. However, if the user is in an app that responds to orientation changes, such as Safari, then a record will be created.

If ZVALUEDOUBLE is 0 then the device was portrait.
If ZVALUEDOUBLE is 1 then the device was landscape.
If ZVALUEDOUBLE is 2 then the device was portrait. The difference here is that this value will only appear at boot up of the device.

/keybag/isLocked

This is a very similar record to /device/isLocked.

A record of this type is made whenever the device is LOCKED or UNLOCKED with either the user passcode, TouchID or FaceID.

If ZVALUEDOUBLE is 1 then the device was locked at the ZSTARTTIME until the ZENDTIME.
If ZVALUEDOUBLE is 0 then the device was unlocked at the ZSTARTTIME until the ZENDTIME.

/media/nowPlaying

This type of artifact is recorded when there is a change in the media playing state. This could be when the media starts playing when it pauses or is closed.

The ZVALUESTRING will detail the application that was playing the media being referenced.
The ZSTARTDATE and ZENDDATE relate to the time the media was in the state being reported.

The ZSTRUCTUREDMETADATA affords more information including the following:

/photos/share/all

This record indicates that a single media item was shared via the Photos App.
Sending multiple items does not create this record.
This record may be accompanied with a secondary record /photos/share/airdrop or /photos/share/extension.

/photos/share/airdrop

This type of artifact is recorded when airdrop is used to send a single media item via airdrop.

It does not matter if the recipient accepts or denies the airdrop. A record will be created on the sending device either way.

Sending multiple items via AirDrop does not create this record.

The ZSTARTTIME & ZENDTIME values are equal to the end of the AirDrop operation.

/photos/share/extension

This records indicates that the image/video was shared to another application such as Messages, WhatsApp, Books etc.

/sharesheet/feedback

The ZSTRUCTUREDMETADATA affords more information including the following:

Note that there may be bplist blobs found in and Z_DKSHARESHEETFEEDBACKMETADATAKEY__MODELSUGGESTIONPROXIES.Z_DKSHARESHEETFEEDBACKMETADATAKEY__ATTACHMENTS These bplists contain the suggested options for the user to share with. For example, it may populate with the contact with whom the user shares things the most. The bplists can not be used to see who did receive the item.

/system/airplaneMode

This artifact is created when AirPlane Mode is enabled or disabled.

The ZSTARTDATE is the time the status changed and the ZENDDATE is when the status changed again.

If ZVALUEDOUBLE is 0 then Airplane Mode is OFF.
If ZVALUEDOUBLE is 1 then Airplane Mode is ON.

/userInteraction/appDirectory

This record type is created when the user enters the AppDirectory.

The ZVALUEDOUBLE appears to be related to activity within the AppDirectory.

0 = Load
4 = Launch App
7 = Search Mode
9 = Close Started
8 = Return to Home Screen

/wifi/connection

This artifact is recorded whenever a WiFi connection is ended.

The ZSTARTDATE refers the to the time that the WiFi Connection was started.
The ZENDDATE refers the to the time that the WiFi Connection was terminated.
The ZVALUESTRING is the SSID of the connected WiFi Network.

/mapsShareEta/feedback

This artifact is recorded whenever the user shares their ETA with another person.

The ZVALUESTRING is the address of the person being sent the eta information (ie.their phone number)

The ZSTRUCTUREDMETADATA affords more information including the following:

This record will be followed up with an AppIntent which includes the location information being shared.

/settings/doNotDisturb

This artifact is recorded whenever the Do Not Disturb status changes.

This could be caused via interaction from the user, the scheduled Do Not Disturb mode or while driving etc.

The ZVALUEDOUBLE is related to the state.

0 = Do Not Disturb is OFF.
1 = Do Not Disturb is ON.

/bluetooth/isConnected

This artifact is recorded whenever a Bluetooth device is connected/disconnected.

The ZVALUEDOUBLE is related to the state.
1 = Connected
0 = Disconnected

The ZSTRUCTUREDMETADATA affords more information including the following:

/siri/ui

This artifact is recorded when Siri User Interface either begins or ends.

The ZVALUESTRING documents if the UI was starting or ending.

/siri/intentEvent

This artifact is an App Intent specific to Siri.

The ZSTRUCTUREDMETADATA affords more information including the following:

/siri/service

This artifact is recorded when Siri User Interface either begins or ends.

The ZSTRUCTUREDMETADATA affords more information including the following:

/notification/usage

This artifact is created whenever a notification is received to the device such as a message.

The ZVALUESTRING value documents how the notification was handled.

The ZSTRUCTUREDMETADATA affords more information including the following:

In some cases, the notification may be followed by an App Intent with relevant content such as the message content.

/dasd/batterytemperature

This artifact appears to be made when the temperature of the batter changes.

The ZVALUEDOUBLE is the battery temperature in milligrade (thousandth of a degree) ie. A value of 3000 would be 30.0 centigrade.

The temperature can be affected by internal factors (such as heavy processor use or battery charging) as well as external factors such as ambient temperature.

/photos/engagement/0To1Seconds

This artifact appears is created when the user views a photo in the photo gallery for between 0 and 1 second.

/photos/engagement/1To2Seconds

This artifact appears is created when the user views a photo in the photo gallery for between 1 and 2 seconds.

/photos/engagement/2To3Seconds

This artifact appears is created when the user views a photo in the photo gallery for between 2 and 3 seconds.

/inferred/focusMode

This artifact is created when the device changes the Focus Mode of the device.

The ZVALUESTRING shows the Focus Mode that has been activated.

Examples include DRIVING, GAMING and DEFAULT.

/dasd/widgetRefresh

This artifact is created when the users’ widgets get updated. This may be as the result of user actions (such as scrolling to the Today View) but can also happen without user activity when the device is unlocked.

The ZVALUESTRING shows the widget that caused the record to be created.

/dasd/widgetView (/widgets/viewed)

This artifact appears to document which widgets were on screen, not necessarily the widgets that were interacted with.

The ZVALUESTRING shows the widget that caused the record to be created.

These records are made en-masse every few minutes rather than at the time that the action occurred. This can be see from the ZCREATIONDATE field.

/user/isFirstBacklightOnAfterWakeup

This is another artifact that documents the backlight status of the screen. It is not as granular as /display/isBacklit as it doesn’t record every on/off event.

The ZVALUEDOUBLE shows the widget that caused the record to be created.

/airplay/prediction - INCOMPLETE RESEARCH

The ZSTRUCTUREDMETADATA affords more information including the following:

/photos/deletes/all

This type of artifact is created when a single photo is deleted from the photo gallery.

• Note that it doesn’t matter if the photo is being viewed and deleted or deleted from the roll gallery view.
• The record is made when the user confirms deletion.
• In this case, “Deletion” refers only to marking the photo for deletion (where it goes to the Recently Deleted folder for 30 days)
• Selecting and deleting multiple records does not create this artifact.

/photos/deletes/recent - INCOMPLETE RESEARCH

/app/locationActivity

This type of artifact is created when Apple Maps is used to search for a location or navigation is being used.

Note

• The locations are the locations of the target of the search and NOT the device.
• Note that the Timestamps ignore seconds, showing 00 for all.

The ZVALUESTRING shows the application responsible for the record.

The ZSTRUCTUREDMETADATA affords more information including the following:

/inferred/motion - INCOMPLETE RESEARCH

/event/tombstone - INCOMPLETE RESEARCH

This record is created when the device runs the tombstone process related to memory management. This is an internal process that does not require user interaction to occur.

The ZSTRUCTUREDMETADATA affords more information including the following:

/charging/smartTopOffEngagement

This record is occurs when the device starts charging when the device is already at or near 100% charge.

/activity/level - INCOMPLETE RESEARCH

This record is created when the type of activity that the device is doing changes.

The ZVALUEDOUBLE relates to the type of activity being performed.

/dasd/controlEffort

This record appears without any activity from the user. DASD stands for Duet Activity Scheduler Daemon which is basically a manager for the scheduling of background tasks.
This occurs just after the device is unplugged

/dasd/activityProfile

This record appears without any activity from the user. DASD stands for Duet Activity Scheduler Daemon which is basically a manager for the scheduling of background tasks.

The ZVALUESTRING is the name of the process, such as com.apple.message.db.vacuum or com.apple.mediaanalysisd.photos.face

/system/TLC - INCOMPLETE RESEARCH

/photos/deletes/all

This record occurs when the user deletes a single photo/video/screenshot from the Photos application. This record will may be paired with a secondary record such as /photos/deletes/recent or /photos/deletes/old.
Note that the record is purged when the photo is deleted from the “Recently Deleted” album.

/photos/deletes/recent

This record occurs when the user deletes a single, recently taken photo/video/screenshot from the Photos application.
Note that the record is purged when the photo is deleted from the “Recently Deleted” album.

/photos/deletes/old

This record occurs when the user deletes a single, old taken photo/video/screenshot from the Photos application. “Old” appears to mean any item that is older than 6 months.
Note that the record is purged when the photo is deleted from the “Recently Deleted” album.

/inferred/microLocationVisit - INCOMPLETE RESEARCH

Wrapping Up

knowledgeC was an extremely useful database with a tonne of information all easily at your fingertips.

Much of the information is still available via the biome files, but it's certainly not as easy to work with.