When reviewing Biome and KnowledgeC artifacts in iOS Forensics there are often references to stream names for events. There is a plist file that seems to provide a little more information about these stream names including descriptions and some precision and rate limit values. It can be found at:
/System/Library/PrivateFrameworks/CoreDuet.framework/com.apple.coreduet.systemevents.plist
The below table is taken from the above file on an iOS 18.5 device. This file may assist in confirming how accurate the time records are that are stored in the respective artifact when any of these stream names are referenced. For example it appears that there are default values and certain streams can override these values. For example the default Timestamp Precision is 60 seconds. There are also rate limit values which may delay the number of records that will be recorded if they are happening too frequently. For example streams like /app/inFocus and /app/usage will only record 30 events within 60 seconds, if it were possible to flip between apps more quickly than once every 2 seconds, based on this table it may be possible to skip the recording of some events and might just be something to keep in mind. I have not yet tested any of these values yet, these comments are taken literally from the plist’s human-readable descriptions. I plan on testing this soon and I will update this article with results when I do.
| KnowledgeBaseEventName | EventFormattedName | EventDescription | IsHistorical | RateLimitCount | ShouldSaveCurrentEventOnShutdown | TimestampPrecisionInSeconds | RateLimitPeriodInSeconds |
|---|---|---|---|---|---|---|---|
| Default | True | 20 | False | 60 | 60 | ||
| /keybag/isLocked | Keybag Lock State | Event capturing whether or not the keybag is locked. | True | 4 | |||
| /safari/history | Safari History | Event capturing Safari browsing history. | 1000 | 5 | 1200 | ||
| /sharesheet/feedback | Share Sheet Feedback | Event capturing feedback of share sheet suggestions. | 1 | ||||
| /sharesheet/suggestLessFeedback | Share Sheet Suggest Less Feedback | Event capturing feedback of share sheet suggestions that the user wants to be shown less of. | 1 | ||||
| /peopleSuggester/siriNl | PeopleSuggesterOutputForSiriNL Stream | Event capturing feedback of people suggester scores invoked along with Siri | 1 | ||||
| /gameCenterSuggestions/feedback | Game Center Suggestions Feedback | Event capturing Game Center Suggestions Feedback | 1 | ||||
| /app/webUsage | App Web Usage | Event capturing granular web usage within an app. | 1 | ||||
| /app/mediaUsage | App Media Usage | Event capturing granular media (video) usage within an app. | 1 | ||||
| /notification/usage | Notification Usage | Event capturing lock screen, banner, or history notification usage. | 1 | ||||
| /inferred/focusMode | Focus Mode | The focus mode the user is in such as driving, exercising, and more. | 1 | ||||
| /app/install | App Install | Event capturing App installs and uninstalls. Includes the name, category, and genre. | 30 | ||||
| /app/inFocus | Focal App | Event capturing an Applications transition to focal application state. Includes bundle identifier and reason for transition. | 30 | True | 1 | ||
| /app/usage | App Usage | Event capturing the usage of an application. | 30 | True | 1 | ||
| /app/intents | App Intents | Events capturing active application intents. | 30 | 1 | |||
| /portrait/topic | Portrait Topic Impression | Event capturing topical impressions. | 30 | 1 | |||
| /portrait/entity | Portrait Entity Impression | Event capturing entity impressions. | 500 | 1 | 600 | ||
| /media/nowPlaying | Now Playing State | Event capturing “now playing” state. | 1 | ||||
| /device/isLocked | Screen Lock State | Event capturing whether or not the screen is locked | True | 1 | |||
| /device/isLockedImputed | Screen Lock State (Imputed) | Event capturing whether or not the screen is locked, with imputed events | True | 1 | |||
| /device/isPluggedIn | Charger Plugged In State | Event capturing whether or not the device has charger plugged in. | 1 | ||||
| /audio/inputRoute | External Audio Device Input Type | Event capturing addition or removal of audio input route. Includes the type, name, and identifier of the route. | True | 1 | |||
| /audio/outputRoute | External Audio Device Output Type | Event capturing addition or removal of audio output route. Includes the type, name, and identifier of the route. | True | 1 | |||
| /airplay/prediction | Airplay Prediction Feedback | Event capturing different feedback from airplay prediction. | 1 | ||||
| /inferred/motion | Motion State | Event capturing motion state category. Included categories are walking, stationary, running, cycling, automotive, and automotive stationary. | True | 1 | |||
| /inferred/locationVisit | Location Visit | Event capturing location visit. | False | 30 | 10 | ||
| MDCS Workout | Event capturing MDCS Workout context. | False | |||||
| /inferred/microLocationVisit | Microlocation Visit | Event capturing a MicroLocation event, which represents room-level position in a home. | 10 | 1 | 60 | ||
| /calendar/eventTitle | Calendar Events | Event capturing Calendar entry. | 10 | 1 | |||
| /carplay/isConnected | CarPlay Connection State | Event capturing CarPlay connection state. | 4 | True | 4 | ||
| /display/orientation | Device Orientation | Event capturing device orientation. | 10 | True | 4 | ||
| /device/batteryPercentage | Battery Level | Event capturing battery level. | 4 | ||||
| /device/lowPowerMode | Low Power Mode | Event capturing Low Power Mode transitions. | 10 | True | 1 | ||
| /clock/alarm | Alarm States | Event capturing alarm states (firing, snoozed, etc). | 10 | 1 | |||
| /clock/timer | Timer States | Event capturing timer states (firing, snoozed, etc). | 10 | 1 | |||
| /display/isBacklit | Backlight Level | Event capturing Backlight level. | True | 4 | |||
| /discoverability/signals | Discoverability Signals | Event capturing discoverability feature signals on the system. | 1 | ||||
| /discoverability/usage | Discoverability Usage | Event capturing the state of discoverability tips on the system. | 1 | ||||
| /siri/service | Siri Service | Event capturing Siri service commands and domains. | 1 | ||||
| /siri/intentEvent | Siri Intent events | Event capturing Siri Intents usage | False | 1 | |||
| Thermal Pressure Level | Event capturing Thermal pressure level. | False | 10 | 4 | |||
| Call In Progress State | Event capturing whether or not a call (e.g. Phone, FaceTime, etc) is in progress. | False | |||||
| /bluetooth/isConnected | Bluetooth Connected State | Event capturing connection state change of Bluetooth devices. Includes the device name, address, type, product identifier, and whether it is an Apple audio device. | 30 | True | 1 | ||
| /app/activity | Application Activity | Events tracking Application Activity. Includes information from NSUserActivity. | 120 | 1 | |||
| /app/locationActivity | Application Location Activity | Events tracking Application Activity Location | 120 | ||||
| /app/relevantShortcuts | App Relevant Shortcuts | Events tracking relevant shortcuts donated by apps. | 120 | 5 | |||
| /xctests/unitTests1 | Unit Test Events 1 | Events used for unit testing | |||||
| /xctests/unitTests2 | Unit Test Events 2 | Events used for unit testing | |||||
| /user/isFirstBacklightOnAfterWakeup | First Backlight On After Wakeup | Events indicating if it is the first backlight-on event after wakeup in the morning (only one sleep period is counted per day) | 10 | 1 | |||
| /watch/nearby | Watch Nearby | Event capturing when gizmo is nearby (reachable) from companion. | 30 | 64 | |||
| /defaultPaired/nearby | Default Paired Device Nearby | Event capturing when the default paired device is nearby (reachable) from the current device. | 30 | True | 64 | ||
| Sunrise Sunset Time | Event capturing information about the next and previous sunrises and sunsets. | False | 30 | 10 | |||
| Device Activeness | Event capturing activeness of device | False | 30 | 1 | |||
| Wired Network Quality | Event capturing Wired network quality | False | 30 | 1 | |||
| WiFi Quality | Event capturing WiFi quality | False | 30 | 1 | |||
| /wifi/connection | Wifi Connection | Event capturing the SSID of a connected WiFi network | 30 | True | 1 | ||
| Cell Quality | Event capturing cell quality | False | 30 | 1 | |||
| /search/feedback | Search Feedback | Event capturing search feedback | 30 | 1 | |||
| /app/dockView | App Viewed in Dock | Event capturing the notion that an app was viewed in the dock | 30 | 64 | |||
| /widgets/viewed | Widgets Viewed | Event capturing the notion that a widget was viewed | 30 | 1 | |||
| /homekit/scene | HomeKit Scene Setting | Event capturing information about a HomeKit scene. Includes details like scene name and action type. | 30 | 1 | |||
| /homekit/accessoryControl | HomeKit Accessory Control | Event capturing information about a HomeKit accessory. Includes details like accessory characteristics and name. | 30 | 1 | |||
| /homekit/appView | HomeKit App View | Home Kit app view | 30 | 1 | |||
| Wake Request Monitor | Event capturing user visible wake requests | False | 30 | 1 | |||
| Assertions Preventing Restart Monitor | Event capturing whether there are assertions preventing reboot | False | 30 | 1 | |||
| Navigation In Progress | Event capturing Maps navigation state. | False | 5 | ||||
| Device Connected to Car | Event capturing device connected to car | False | 5 | ||||
| /activity/level | Device Activity Level | Event capturing activeness of device | True | 4 | |||
| /internal/queryDataCollection | Internal Query Data Collection Metrics | Events to carry the desired query-related metrics | 10 | 1 | |||
| User Nearby | Events to record when the user is nearby | False | 10 | ||||
| Workout In Progress | Events to record the user is working out | False | 10 | ||||
| /synctesting/portraittopic | Sync Test Portrait Topic | Event capturing topical impressions for testing purposes. | 1 | ||||
| /synctesting/portraitentity | Sync Test Portrait Entity | Event capturing entity impressions for testing purposes. | 1 | ||||
| /event/tombstone | Tombstone Event | Event representing the deletion of an event that has occured in a user-initiated way. | 1 | ||||
| /system/CPUUsage | CPU Usage Level | Event capturing CPU Usage level | False | 30 | 1 | ||
| /settings/doNotDisturb | Do Not Disturb | Event capturing Do Not Disturb status. Includes the reason for change and metadata. | True | 1 | |||
| /system/airplaneMode | Airplane Mode | Event capturing Airplane Mode status | True | 1 | |||
| /app/launchFeedback | App Launch Feedback | Event collection app launch feedbacks | 500 | 600 | |||
| /standby/timer | Standy Timer | Event capturing device standby timer changed event. | 1 | ||||
| /mapsShareEta/feedback | Maps Share Eta Feedback | Event capturing user engagement on Maps ShareETA Suggestion | 10 | 1 | |||
| /activity/level/feedback | Device Activity Level Feedback | Event collecting feedbacks of smart power models | 1 | ||||
| /location/coordinates | Location Coordinates | Event collecting longitude, latitude, and altitude | 30 | 1 | 10 | ||
| /photos/share/all | Assets that have been shared through the share and action sheet | 5 | |||||
| /photos/share/extension | Assets that have been shared to a share extension | 5 | |||||
| /photos/share/useAsWallpaper | Assets that have been selected to be used as wallpaper | 5 | |||||
| /photos/share/createWatchFace | Assets that have been selected to be used as watch face | 5 | |||||
| /photos/share/airplay | Assets that have been shared to AirPlay | 5 | |||||
| /photos/share/airdrop | Assets that have been shared to AirDrop | 5 | |||||
| /photos/share/saveToFiles | Assets that have been saved to files | 5 | |||||
| /photos/share/assignToContact | Assets that have been assigned to a contact | 5 | |||||
| /photos/share/addToAlbum | Assets that have been added to an album | 5 | |||||
| /photos/share/addToSharedAlbum | Assets that have been added to a shared album | 5 | |||||
| /photos/share/hide | Assets that have been hidden | 5 | |||||
| /photos/engagement/0To1Seconds | Assets that have been visualized from 0 to 1 seconds | 5 | |||||
| /photos/engagement/1To2Seconds | Assets that have been visualized from 1 to 2 seconds | 5 | |||||
| /photos/engagement/2To3Seconds | Assets that have been visualized from 2 to 3 seconds | 5 | |||||
| /photos/engagement/eyeCatchiness | Assets that have been visualized back a second time right after being swiped away | 5 | |||||
| /photos/engagement/zoom | Assets that have been zoomed | 5 | |||||
| /photos/engagement/other | Other asset interactions related to engagement | 5 | |||||
| /photos/favorites/recent | Assets that have been favorited after less than 2 minutes of being taken | 5 | |||||
| /photos/favorites/old | Assets that have been favorited after more than 6 months of being taken | 5 | |||||
| /photos/favorites/other | All other assets that have been favorited | 5 | |||||
| /photos/deletes/recent | Assets that have been deleted after less than 2 minutes of being taken | 5 | |||||
| /photos/deletes/old | Assets that have been deleted after more than 6 months of being taken | 5 | |||||
| /photos/deletes/all | All assets that have been deleted | 5 | |||||
| /photos/edit/filter | Assets that have been applied a filter in the edit tool | 5 | |||||
| /photos/edit/lighting | Assets that have been adjusted for lightning in the edit tool | 5 | |||||
| /photos/edit/crop | Assets that have been cropped in the edit tool | 5 | |||||
| /photos/edit/all | All assets that have been edited in any way | 5 | |||||
| /photos/livePhotos/loop | Live photos that have been applied loop | 5 | |||||
| /photos/livePhotos/bounce | Live photos that have been applied bounce | 5 | |||||
| /photos/livePhotos/longExposure | Live photos that have been applied long exposure | 5 | |||||
| /photos/livePhotos/other | Other live photo effect applied | 5 | |||||
| /photos/memories/viewed | Memories Viewed | Memories the user has viewed | 1 | ||||
| /photos/memories/engagement/low | Memories Engaged Low | Memories the users spent 0-5s viewing | 1 | ||||
| /photos/memories/engagement/medium | Memories Engaged Medium | Memories the users spent 5-10s viewing | 1 | ||||
| /photos/memories/engagement/high | Memories Engaged High | Memories the users spent 10-15s viewing | 1 | ||||
| /photos/memories/favorited | Memories Favorited | Memories the users have added to their favorites | 1 | ||||
| /photos/memories/unfavorited | Memories Unfavorited | Memories the users have removed from their favorites | 1 | ||||
| /photos/memories/blocked | Memories Blocked | Memories the users have blocked | 1 | ||||
| /photos/memories/deleted | Memories Deleted | Memories the users have deleted | 1 | ||||
| /photos/memories/moviePlayed | Memories Movie Played | Memories the users have played the Miro movie | 1 | ||||
| /photos/memories/notification/seen | Memories Notification Seen | Memories’ notifications the users have seen | 1 | ||||
| /photos/memories/notification/responded | Memories Notification Responded | Memories’ notifications the users have responded | 1 | ||||
| /photos/memories/createdViaAddToMemories | Memories Created Via Add To Memories | Memories the users have created through addToMemories | 1 | ||||
| /userInteraction/appDirectory | App Directory Interaction | Interactions the user has had with the app directory interface | 1 | ||||
| /app/clipUsage | App Clip Usage | Usage of app clips, with information abbout the launch, referrer and app. | 1 | ||||
| /sharesheet/behavioralRuleFeatures | Features extracted over behavioral rules to be used in ML modeling. | 1 | |||||
| /dasd/activityprofile | DAS Activity Profile | dasd activity logging | 10 | ||||
| /dasd/batterytemperature | DAS Battery Temperature | dasd battery temperature logging | |||||
| /family/prediction | Family Prediction | Predictions for icloud family member | 1 | ||||
| Screen Sharing | Event capturing screen sharing event | False | 1 | ||||
| Foreground Services | Foreground services impacting IDS policies | False | 1 | ||||
| Active Complications | Complications on watch or paired watch | False | 1 | ||||
| /device/timeZone | Time Zone Change | Event capturing the current time zone |