From e38956e50f2cd9123c8951d02c5efbe2e129d364 Mon Sep 17 00:00:00 2001
From: Mike Cohen
Date: Tue, 4 Nov 2025 01:15:39 +1000
Subject: [PATCH] Added Apple_IntelligencePlatform_Wifi rule
---
 .../Apple_IntelligencePlatform_Wifi.yaml | 33 +++++++++++++++++++
 docs/content/docs/rules/index.json | 16 ++++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 definitions/Apple_IntelligencePlatform_Wifi.yaml
diff --git a/definitions/Apple_IntelligencePlatform_Wifi.yaml b/definitions/Apple_IntelligencePlatform_Wifi.yaml
new file mode 100644
index 0000000..8775d71
--- /dev/null
+++ b/definitions/Apple_IntelligencePlatform_Wifi.yaml
@@ -0,0 +1,33 @@
+Name: IntelligencePlatform
+Author: Yogesh Khatri - @swiftForensics, CyberCX
+Description: |
+ Parses the views.db database, part of Apple Intelligence which
+ provides detailed connect/disconnect events on recent wifi
+ connections.
+
+Globs:
+ - "/Users/*/Library/IntelligencePlatform/Artifacts/internal/views.db"
+
+Categories:
+ - MacOS
+
+FilenameRegex: "views.db"
+
+SQLiteIdentifyQuery: |
+ SELECT count(*) AS `Check`
+ FROM sqlite_master
+ WHERE type='table' AND name='wifiContextEvents';
+SQLiteIdentifyValue: 1
+
+Sources:
+ - name: Wifi
+ SQL: |
+ SELECT behaviorType, behaviorIdentifier, timestamp
+ FROM wifiContextEvents ORDER BY timestamp
+ VQL: |
+ SELECT timestamp(cocoatime=timestamp) AS Timestamp,
+ behaviorType,
+ split(string=behaviorIdentifier, sep=':')[0] AS event,
+ split(string=behaviorIdentifier, sep=':')[1] AS network,
+ OSPath[1] AS User
+ FROM Rows
diff --git a/docs/content/docs/rules/index.json b/docs/content/docs/rules/index.json
index d5e0ae9..f8ae2b0 100644
--- a/docs/content/docs/rules/index.json
+++ b/docs/content/docs/rules/index.json
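Review bot: `split(string=behaviorIdentifier, sep=':')[1] AS network` keeps only the text between the first and second colon, so a network identifier that itself contains ':' is silently truncated in the output; if the field is `<event>:<network>` with the remainder possibly containing colons, stripping just the prefix with `regex_replace(source=behaviorIdentifier, re='^[^:]*:', replace='') AS network` preserves the whole value. When the identifier has no colon at all, index `[1]` yields an empty `network` rather than surfacing the unexpected format, which is worth a note in the Description so an analyst does not read it as "no network". `OSPath[1] AS User` assumes the matched path starts at `/Users/<name>`, which holds for the glob as written but not when the database is collected from an image mounted under a prefix; deriving the user from the component following the `Users` element would be more robust. The meaning of `behaviorType` and the two-part identifier is not documented anywhere in the rule; a sentence in the Description describing what connect and disconnect events look like in these columns would help readers interpret the results.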
@@ -1,4 +1,18 @@
 [
+ {
+ "Name": "IntelligencePlatform",
+ "Author": "Yogesh Khatri - @swiftForensics, CyberCX",
+ "Description": "Parses the views.db database, part of Apple Intelligence which\nprovides detailed connect/disconnect events on recent wifi\nconnections.\n",
+ "Categories": [
+ "MacOS"
+ ],
+ "Sources": [
+ {
+ "Name": "Wifi"
+ }
+ ],
+ "RawData": "Name: IntelligencePlatform\nAuthor: Yogesh Khatri - @swiftForensics, CyberCX\nDescription: |\n Parses the views.db database, part of Apple Intelligence which\n provides detailed connect/disconnect events on recent wifi\n connections.\n\nGlobs:\n - \"/Users/*/Library/IntelligencePlatform/Artifacts/internal/views.db\"\n\nCategories:\n - MacOS\n\nFilenameRegex: \"views.db\"\n\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master\n WHERE type='table' AND name='wifiContextEvents';\nSQLiteIdentifyValue: 1\n\nSources:\n - name: Wifi\n SQL: |\n SELECT behaviorType, behaviorIdentifier, timestamp\n FROM wifiContextEvents ORDER BY timestamp\n VQL: |\n SELECT timestamp(cocoatime=timestamp) AS Timestamp,\n behaviorType,\n split(string=behaviorIdentifier, sep=':')[0] AS event,\n split(string=behaviorIdentifier, sep=':')[1] AS network,\n OSPath[1] AS User\n FROM Rows\n"
+ },
 {
 "Name": "iMessage",
 "Author": "x64-julian",
@@ -536,6 +550,6 @@ "Name": "UserActivityLogging" } ], - "RawData": "Name: Windows Search Service\n\nDescription: |\n Analysis of the Windows search index database. See\n https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n - Windows\n\nFilenameRegex: \"Windows.edb\"\nGlobs:\n - C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb\n\nSources:\n- name: SystemIndex_Gthr\n Preamble: |\n LET MatchingFiles = SELECT OSPath FROM Rows\n\n LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\"))\n\n LET FormatSize(T) = parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\")\n\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT ScopeID, DocumentID, SDID,\n FormatTimeB(T=LastModified) AS LastModified,\n FileName\n FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n })\n WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT Scope, Parent, Name\n FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n })\n WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n Preamble: |\n LET X = scope()\n\n -- The PropertyStore columns look like\n -- \u003crandom\u003e-ProperName so we strip the\n -- random part off to display it properly.\n LET FilterDict(Dict) = to_dict(item={\n SELECT split(sep_string=\"-\", string=_key)[1] || _key AS _key, _value\n FROM items(item=Dict)\n })\n\n LET PropStore(OSPath) = SELECT *,\n FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n FormatSize(T=X.System_Size) AS System_Size,\n FormatTime(T=X.System_DateModified) AS System_DateModified,\n 
FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n FormatTime(T=X.System_DateCreated) AS System_DateCreated\n FROM foreach(row={\n SELECT *, FilterDict(Dict=_value) AS _value\n FROM items(item={\n SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n })\n }, column=\"_value\")\n\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT *\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT WorkID,\n System_Search_GatherTime,\n System_Size,\n System_DateModified,\n System_DateCreated,\n X.System_FileOwner AS System_FileOwner,\n X.System_ItemPathDisplay AS System_ItemPathDisplay,\n X.System_ItemType AS System_ItemType,\n X.System_FileAttributes AS System_FileAttributes,\n X.System_Search_AutoSummary AS System_Search_AutoSummary\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.ItemPathDisplay AS ItemPathDisplay,\n X.Activity_ContentUri AS Activity_ContentUri,\n X.Activity_Description AS Activity_Description\n FROM PropStore(OSPath=OSPath)\n WHERE Activity_ContentUri\n })\n\n- name: UserActivityLogging\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n X.ActivityHistory_AppId AS ActivityHistory_AppId\n FROM PropStore(OSPath=OSPath)\n WHERE ActivityHistory_AppId\n })\n WHERE ActivityHistory_StartTime \u003e DateAfter\n AND ActivityHistory_StartTime \u003c DateBefore\n" + "RawData": "Name: Windows Search Service\n\nDescription: |\n Analysis of the Windows 
search index database. See\n https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/\n\nCategories:\n - Windows\n\nFilenameRegex: \"Windows..db\"\nGlobs:\n - \"C:\\\\ProgramData\\\\Microsoft\\\\Search\\\\Data\\\\Applications\\\\Windows\\\\Windows.*db\"\n\nSources:\n- name: SystemIndex_Gthr\n Preamble: |\n LET MatchingFiles = SELECT OSPath FROM Rows\n\n LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64b\"))\n\n LET FormatTime(T) = timestamp(winfiletime=parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\"))\n\n LET FormatSize(T) = parse_binary(\n filename=T, accessor=\"data\", struct=\"uint64\")\n\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT ScopeID, DocumentID, SDID,\n FormatTimeB(T=LastModified) AS LastModified,\n FileName\n FROM parse_ese(file=OSPath, table= \"SystemIndex_Gthr\")\n })\n WHERE LastModified \u003e DateAfter AND LastModified \u003c DateBefore\n AND FileName =~ FilterRegex\n\n- name: SystemIndex_GthrPth\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT Scope, Parent, Name\n FROM parse_ese(file=OSPath, table= \"SystemIndex_GthrPth\")\n })\n WHERE Name =~ FilterRegex\n\n- name: SystemIndex_PropertyStore\n Preamble: |\n LET X = scope()\n\n -- The PropertyStore columns look like\n -- \u003crandom\u003e-ProperName so we strip the\n -- random part off to display it properly.\n LET FilterDict(Dict) = to_dict(item={\n SELECT split(sep_string=\"-\", string=_key)[1] || _key AS _key, _value\n FROM items(item=Dict)\n })\n\n LET PropStore(OSPath) = SELECT *,\n FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,\n FormatSize(T=X.System_Size) AS System_Size,\n FormatTime(T=X.System_DateModified) AS System_DateModified,\n FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,\n FormatTime(T=X.System_DateCreated) AS System_DateCreated\n FROM foreach(row={\n SELECT *, 
FilterDict(Dict=_value) AS _value\n FROM items(item={\n SELECT * FROM parse_ese(file=OSPath, table=\"SystemIndex_PropertyStore\")\n })\n }, column=\"_value\")\n\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT *\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: SystemIndex_PropertyStore_Highlights\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT WorkID,\n System_Search_GatherTime,\n System_Size,\n System_DateModified,\n System_DateCreated,\n X.System_FileOwner AS System_FileOwner,\n X.System_ItemPathDisplay AS System_ItemPathDisplay,\n X.System_ItemType AS System_ItemType,\n X.System_FileAttributes AS System_FileAttributes,\n X.System_Search_AutoSummary AS System_Search_AutoSummary\n FROM PropStore(OSPath=OSPath)\n })\n WHERE System_DateAccessed \u003e DateAfter AND System_DateAccessed \u003c DateBefore\n\n- name: BrowsingActivity\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.ItemPathDisplay AS ItemPathDisplay,\n X.Activity_ContentUri AS Activity_ContentUri,\n X.Activity_Description AS Activity_Description\n FROM PropStore(OSPath=OSPath)\n WHERE Activity_ContentUri\n })\n\n- name: UserActivityLogging\n VQL: |\n SELECT * FROM foreach(row=MatchingFiles, query={\n SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,\n FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,\n FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,\n X.ActivityHistory_AppId AS ActivityHistory_AppId\n FROM PropStore(OSPath=OSPath)\n WHERE ActivityHistory_AppId\n })\n WHERE ActivityHistory_StartTime \u003e DateAfter\n AND ActivityHistory_StartTime \u003c DateBefore\n" } ] \ No newline at end of file