Apple Intelligence, while officially released only in 2024 (a few months ago) for macOS 15.1 (Sequoia), has been around for over a year in beta on most macOS and iOS systems. It's only available for Apple's M1 processor and later, and for macOS 15.1 (and higher). However, on all Macs running at least macOS 14, you should have the folder corresponding to it here:
/Users/<USER>/Library/IntelligencePlatform
So even though my system is not supported, it still has the above folder. I didn't find anything too interesting in any of these databases from a forensics perspective (except for the wifi data!). But perhaps that may also be because I am not running a supported device (I'm not on Apple Silicon yet).
The Wi-Fi data resides in the wifiContextEvents table of the database located here:
/Users/<USER>/Desktop/IntelligencePlatform/Artifacts/internal/views.db
The data is quite self-explanatory: every time a Wi-Fi network is connected to, or disconnected from, an event is created here. So far I've seen this mostly include events for the current month, but sometimes these go back a few months too. It is periodically emptied.
The timestamp is just a Cocoa (NSDate) type and can easily be converted back to human-readable form.
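A minimal reader for this table, added here as an example (it is not code from this post, mac_apt or Velociraptor): it opens a working copy of views.db read-only and adds a UTC rendering of each Cocoa timestamp. The post does not list the table's columns, so the names in the constructed sample (ssid, event, ts) are assumptions; pass the real timestamp column names in ts_columns.

```python
import os, sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # NSDate reference date

def cocoa_to_utc(value):
    """Cocoa/NSDate seconds since 2001-01-01 00:00:00 UTC -> aware datetime, or None."""
    try:
        return COCOA_EPOCH + timedelta(seconds=float(value))
    except (TypeError, ValueError, OverflowError):
        return None  # NULL, non-numeric or out-of-range value

def read_wifi_events(db_path, ts_columns, table="wifiContextEvents"):
    """Return every row of `table` as a dict, plus '<col>_utc' for each ts column."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only: never write to evidence
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    try:
        # Inspect the real schema first; an absent table yields an empty column list.
        cols = [r["name"] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        missing = [c for c in ts_columns if c not in cols]
        if missing:
            raise LookupError(f"{table}: missing {missing}; columns present: {cols}")
        events = []
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            event = dict(row)
            for c in ts_columns:
                dt = cocoa_to_utc(event[c])
                event[c + "_utc"] = dt.isoformat() if dt else None
            events.append(event)
        return events
    finally:
        conn.close()

def build_sample_db(path):
    """Constructed sample only: column names and values are made up for the demo."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE wifiContextEvents (ssid TEXT, event TEXT, ts REAL)")
    conn.executemany("INSERT INTO wifiContextEvents VALUES (?,?,?)",
                     [("ExampleNet", "connect", 752198400.0),
                      ("ExampleNet", "disconnect", None)])
    conn.commit()
    conn.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "views.db")
    build_sample_db(sample)
    print(*read_wifi_events(sample, ["ts"]), sep="\n")
```

If the timestamp column name is wrong, the LookupError message lists the columns actually present in the table, which doubles as a quick schema check.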
Artifact Parsers
- mac_apt - A WIFI_INTELLIGENCE plugin has been created.
- Velociraptor - Artifact created and submitted to Artifact exchange.