diff --git a/SQLMap/Maps/Windows_Dropbox_NonLocalResources.smap b/SQLMap/Maps/Windows_Dropbox_NonLocalResources.smap
new file mode 100644
index 0000000..96b7eeb
--- /dev/null
+++ b/SQLMap/Maps/Windows_Dropbox_NonLocalResources.smap
@@ -0,0 +1,46 @@
+Description: Dropbox Non-Local Resources
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 255c6d03-a065-49dd-b1bd-4cf7c635554a
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Dropbox Non-Local Resources
+ Query: |
+ SELECT
+ datetime( nonlocal_resources.server_fetch_timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+ nonlocal_resources.account_id AS AccountID,
+ nonlocal_resources.name AS Name,
+ nonlocal_resources.url AS URL,
+ nonlocal_resources.server_path AS ServerPath,
+ CASE
+
+ WHEN nonlocal_resources.is_dir = 0 THEN
+ 'No'
+ WHEN nonlocal_resources.is_dir = 1 THEN
+ 'Yes'
+ END AS IsDirectory,
+ CASE
+
+ WHEN nonlocal_resources.is_share = 0 THEN
+ 'No'
+ WHEN nonlocal_resources.is_share = 1 THEN
+ 'Yes'
+ END AS IsShare,
+ nonlocal_resources.resource_type AS ResourceType,
+ nonlocal_resources.resource_id AS ResourceID
+ FROM
+ nonlocal_resources
+ BaseFileName: NonLocalResources
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape
diff --git a/SQLMap/Maps/Windows_Dropbox_RecentItems.smap b/SQLMap/Maps/Windows_Dropbox_RecentItems.smap
new file mode 100644
index 0000000..722497b
--- /dev/null
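Review bot: The epoch correction in the `timestamp` column does nothing useful: `%ms` is not a SQLite strftime substitution, so `strftime( '%ms', '1601-01-01' )` expands `%m` to the month and keeps the `s` literally, yielding the text `01s`, which the `+` coerces to a small integer instead of the -11644473600 seconds separating 1601 from 1970. In effect the expression is `datetime( nonlocal_resources.server_fetch_timestamp / 1000, 'unixepoch', 'localtime' )`, which is only right if Dropbox stores Unix milliseconds in this field; the hunk does not show the field's epoch, so I cannot say which was intended. If a 1601 epoch is meant, the term should be `strftime( '%s', '1601-01-01' )`; if not, drop the term, and either way validate one row against an event of known time before shipping. Also consider dropping `'localtime'`: it renders in the examiner workstation's zone, while the wpndatabase maps in this same commit emit UTC, so CSVs from one run will not line up on a timeline.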
+++ b/SQLMap/Maps/Windows_Dropbox_RecentItems.smap
@@ -0,0 +1,43 @@
+Description: Dropbox Recent Items
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 97a2f126-f939-4516-9c61-8b74a8cf482b
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Dropbox Recent Items
+ Query: |
+ SELECT
+ datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS Timestamp,
+ recents.account_id AS AccountID,
+ recents.server_path AS ServerPath,
+ datetime( server_fetch_timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS ServerFetchTimestamp,
+ recents.batch_key AS BatchKey,
+ recents.event_type AS EventType,
+ CASE
+
+ WHEN recents.is_local = 0 THEN
+ 'No'
+ WHEN recents.is_local = 1 THEN
+ 'Yes'
+ END AS IsLocal,
+ recents.keywords AS Keywords,
+ recents.resource_id AS ResourceID,
+ recents.resource_type AS ResourceType
+ FROM
+ recents
+ ORDER BY
+ recents.timestamp ASC
+ BaseFileName: RecentItems
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape
diff --git a/SQLMap/Maps/Windows_Dropbox_SFJResources.smap b/SQLMap/Maps/Windows_Dropbox_SFJResources.smap
new file mode 100644
index 0000000..a84b1b2
--- /dev/null
+++ b/SQLMap/Maps/Windows_Dropbox_SFJResources.smap
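Review bot: Both `Timestamp` and `ServerFetchTimestamp` use `strftime( '%ms', '1601-01-01' )`, which is not a valid SQLite format (`%m` is the month, the `s` is literal) and evaluates to the text `01s`, so no 1601-to-1970 offset is actually applied even though the expression reads as if one were. Whether Dropbox stores these fields as Unix milliseconds or as milliseconds since 1601 is not visible in the hunk; if the former, drop the term, if the latter, use `strftime( '%s', '1601-01-01' )`, and confirm against a record of known time. As a style point, `timestamp` and `server_fetch_timestamp` are the only unqualified references in a SELECT that otherwise prefixes every column with `recents.`; writing `recents.timestamp` and `recents.server_fetch_timestamp` keeps the list uniform and avoids ambiguity if a join is added later.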
@@ -0,0 +1,43 @@
+Description: Dropbox SFJ Resources
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 34366884-7119-4c0f-b252-11457cc8490a
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Dropbox SFJ Resources
+ Query: |
+ SELECT
+ datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+ starred_items.account_id AS AccountID,
+ starred_items.server_path AS ServerPath,
+ CASE
+
+ WHEN starred_items.is_starred = 0 THEN
+ 'No'
+ WHEN starred_items.is_starred = 1 THEN
+ 'Yes'
+ END AS IsStarred,
+ starred_items.keywords AS Keywords,
+ starred_items.paper_path AS PaperPath,
+ starred_items.persist_state AS PersistState,
+ starred_items.resource_type AS ResourceType,
+ starred_items.resource_id AS ResourceID
+ FROM
+ starred_items
+ ORDER BY
+ starred_items.timestamp ASC
+ BaseFileName: SFJResources
+
+# Documentation
+# I have no idea what SFJ Resources means and I couldn’t find any documentation on it. If anyone knows, please do a PR and add documentation. It looks like good data resides here, I just don’t know exactly what it’s representing at this time.
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape
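Review bot: The query in this map never touches `sfj_resources`: it is a verbatim copy of the StarredItems map (`FROM starred_items`, `ORDER BY starred_items.timestamp`, the `is_starred`/`paper_path`/`persist_state` columns), so SQLECmd will write the starred-items rows a second time under `SFJResources`, and an examiner would reasonably read that CSV as a distinct artifact. The trailing comment already says the table's meaning is unknown, and its column layout is not in the hunk, so I cannot propose a working SELECT; at minimum change `FROM starred_items` to `FROM sfj_resources` and the ORDER BY to match, then rewrite the column list against the real schema, or hold this map back until a sample `home.db` is available to test against. A map that identifies successfully but queries the wrong table is worse than no map, because its output looks plausible.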
diff --git a/SQLMap/Maps/Windows_Dropbox_StarredItems.smap b/SQLMap/Maps/Windows_Dropbox_StarredItems.smap
new file mode 100644
index 0000000..a4913ab
--- /dev/null
+++ b/SQLMap/Maps/Windows_Dropbox_StarredItems.smap
@@ -0,0 +1,42 @@
+Description: Dropbox Starred Items
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 4092c211-3032-41b1-abc3-a2a6b82f0ac3
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Dropbox Starred Items
+ Query: |
+ SELECT
+ datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+ starred_items.account_id AS AccountID,
+ starred_items.server_path AS ServerPath,
+ CASE
+
+ WHEN starred_items.is_starred = 0 THEN
+ 'No'
+ WHEN starred_items.is_starred = 1 THEN
+ 'Yes'
+ END AS IsStarred,
+ starred_items.keywords AS Keywords,
+ starred_items.paper_path AS PaperPath,
+ starred_items.persist_state AS PersistState,
+ starred_items.resource_type AS ResourceType,
+ starred_items.resource_id AS ResourceID
+ FROM
+ starred_items
+ ORDER BY
+ starred_items.timestamp ASC
+ BaseFileName: StarredItems
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape
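Review bot: The `IsStarred` CASE has no `ELSE`, so any `is_starred` value other than 0 or 1 (including NULL) comes out as an empty cell, indistinguishable from a blank and invisible to the examiner. Adding `ELSE starred_items.is_starred` surfaces the raw value instead of hiding it, and the same applies to the `IsDirectory`, `IsShare` and `IsLocal` CASEs in the sibling Dropbox maps of this commit. This map also carries the `strftime( '%ms', '1601-01-01' )` term, which is not a valid SQLite format and contributes no epoch offset (it evaluates to the text `01s`); it should be `strftime( '%s', '1601-01-01' )` if a 1601 epoch is intended, or removed if `starred_items.timestamp` is already Unix milliseconds, which the hunk does not establish either way.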
diff --git a/SQLMap/Maps/Windows_Dropbox_SyncHistory.smap b/SQLMap/Maps/Windows_Dropbox_SyncHistory.smap
new file mode 100644
index 0000000..102af79
--- /dev/null
+++ b/SQLMap/Maps/Windows_Dropbox_SyncHistory.smap
@@ -0,0 +1,33 @@
+Description: Dropbox Sync History
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 4ff4d115-8f35-4233-8edd-c1fb74280754
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: sync_history.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='sync_history');
+IdentifyValue: 1
+Queries:
+ -
+ Name: Dropbox Sync History
+ Query: |
+ SELECT
+ datetime( "timestamp", 'unixepoch' ) AS Timestamp,
+ sync_history.event_type AS EventType,
+ sync_history.file_event_type AS FileEventType,
+ sync_history.direction AS Direction,
+ sync_history.local_path AS LocalPath,
+ sync_history.file_id AS FileID
+ FROM
+ sync_history
+ ORDER BY
+ sync_history.timestamp ASC
+ BaseFileName: SyncHistory
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape
diff --git a/SQLMap/Maps/Windows_Notifications_DB.smap b/SQLMap/Maps/Windows_Notifications_DB.smap
deleted file mode 100644
index 76408d2..0000000
--- a/SQLMap/Maps/Windows_Notifications_DB.smap
+++ /dev/null
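Review bot: `datetime( "timestamp", 'unixepoch' )` emits UTC, whereas every other Dropbox map in this commit appends `'localtime'`, so the `Dropbox_*` CSVs from one SQLECmd run will disagree by the examiner workstation's UTC offset; pick one convention for the prefix, and UTC is the safer choice because `'localtime'` depends on the analysis machine rather than on the evidence. The double-quoted `"timestamp"` is also worth changing to `sync_history.timestamp`: in SQLite a double-quoted name that does not resolve to a column silently becomes a string literal, so a schema change would turn this column into `datetime('timestamp', 'unixepoch')` (NULL) instead of failing, and the bare name is inconsistent with the `sync_history.` prefix on every other column. The IdentifyQuery only checks for one table, which means this map will also claim any unrelated database that happens to contain a `sync_history` table; if the schema has a second distinctive table, adding it to the check would tighten identification.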
@@ -1,29 +0,0 @@
-Description: Windows Notifications DB
-Author: Andrew Rathbun
-Email: andrew.rathbun@kroll.com
-Id: cd952d69-7b3e-4d13-9810-8d987155bc58
-Version: 1.0
-CSVPrefix: Windows
-FileName: wpndatabase.db
-IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='Notification' OR name='HandlerAssets' OR name='WNSPushChannel' OR name='TransientTable' OR name='NotificationData');
-IdentifyValue: 5
-Queries:
- -
- Name: Windows Notifications
- Query: |
- Select
- Notification.ArrivalTime AS "Notification Arrival Time",
- Notification.Payload,
- CASE
- when Notification.Type = "Toast",
- end AS "Payload",
- from Notification
- BaseFileName: NotificationsDB
-
-# Documentation
-# http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html
-# https://tzworks.net/prototypes/wpn/wpn.users.guide.pdf
-# https://inc0x0.com/2018/10/windows-10-notification-database/
-# https://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html
-# https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
-# Use SQLECmd in conjunction with the WindowsNotificationDB KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsNotificationsDB.tkape
diff --git a/SQLMap/Maps/Windows_WPNDatabase_Notifications.smap b/SQLMap/Maps/Windows_WPNDatabase_Notifications.smap
new file mode 100644
index 0000000..38351ec
--- /dev/null
+++ b/SQLMap/Maps/Windows_WPNDatabase_Notifications.smap
@@ -0,0 +1,89 @@
+Description: Windows WPNDatabase - Notifications
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: cd952d69-7b3e-4d13-9810-8d987155bc58
+Version: 1.0
+CSVPrefix: Windows
+FileName: wpndatabase.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='Notification' OR name='HandlerAssets' OR name='WNSPushChannel' OR name='TransientTable' OR name='NotificationData');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Windows Notifications
+ Query: |
+ SELECT
+ Notification.Id AS ID,
+ Notification."Order" AS "Order",
+ Notification.HandlerId AS HandlerId,
+ NotificationHandler.PrimaryId AS Application,
+ CASE
+
+ WHEN NotificationHandler.ParentId THEN
+ NotificationHandler.ParentId ELSE ''
+ END AS Parent,
+ NotificationHandler.HandlerType AS HandlerType,
+ Notification.Type AS Type,
+ Notification.Payload AS Payload,
+ Notification.PayloadType AS PayloadType,
+ Notification.Tag AS Tag,
+ Notification."Group" AS "Group",
+ datetime( ( Notification.ArrivalTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS ArrivalTime,
+ CASE
+
+ WHEN Notification.ExpiryTime = 0 THEN
+ 'Expired' ELSE datetime( ( Notification.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' )
+ END AS ExpirationTime,
+ NotificationHandler.CreatedTime AS HandlerCreated,
+ NotificationHandler.ModifiedTime AS HandlerModified,
+ CASE
+
+ WHEN NotificationHandler.WNSId NOTNULL THEN
+ NotificationHandler.WNSId ELSE ''
+ END AS WNSId,
+ CASE
+
+ WHEN NotificationHandler.WNFEventName NOTNULL THEN
+ NotificationHandler.WNFEventName ELSE ''
+ END AS WNFEventName,
+ CASE
+
+ WHEN WNSPushChannel.ChannelId NOTNULL THEN
+ WNSPushChannel.ChannelId ELSE ''
+ END AS ChannelID,
+ CASE
+
+ WHEN WNSPushChannel.Uri NOTNULL THEN
+ WNSPushChannel.Uri ELSE ''
+ END AS URI,
+ CASE
+
+ WHEN WNSPushChannel.CreatedTime NOTNULL THEN
+ datetime( ( WNSPushChannel.CreatedTime - 116444736000000000 ) / 10000000, 'unixepoch' ) ELSE ''
+ END AS WNSCreatedTime,
+ CASE
+
+ WHEN WNSPushChannel.ExpiryTime NOTNULL THEN
+ datetime( ( WNSPushChannel.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' ) ELSE ''
+ END AS WNSExpirationTime,
+ CASE
+
+ WHEN hex( Notification.ActivityId ) = '00000000000000000000000000000000' THEN
+ '' ELSE hex( Notification.ActivityId )
+ END AS ActivityId
+ FROM
+ Notification
+ JOIN NotificationHandler ON NotificationHandler.RecordId = Notification.HandlerId
+ LEFT JOIN WNSPushChannel ON WNSPushChannel.HandlerId = NotificationHandler.RecordId
+ ORDER BY
+ Id DESC
+ BaseFileName: NotificationsDB-Notifications
+
+# Documentation
+# Lots of credit to kacos2000 on GitHub for their work on this SQL Query
+# http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html
+# https://tzworks.net/prototypes/wpn/wpn.users.guide.pdf
+# https://inc0x0.com/2018/10/windows-10-notification-database/
+# https://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html
+# https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
+# https://github.com/kacos2000/Win10
+# Use SQLECmd in conjunction with the WindowsNotificationDB KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsNotificationsDB.tkape
diff --git a/SQLMap/Maps/Windows_WPNDatabase_WNSPushChannel.smap b/SQLMap/Maps/Windows_WPNDatabase_WNSPushChannel.smap
new file mode 100644
index 0000000..58ca6af
--- /dev/null
+++ b/SQLMap/Maps/Windows_WPNDatabase_WNSPushChannel.smap
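Review bot: `WHEN NotificationHandler.ParentId THEN` in the `Parent` CASE tests the column's numeric truthiness rather than its presence: SQLite coerces the operand to a number, so if `ParentId` is stored as text (the schema is not in the hunk, but the `PrimaryId AS Application` alias suggests these handler IDs are application-style strings) it coerces to 0 and `Parent` is always `''`. The rest of this SELECT already uses the right form for the same idea (`WHEN NotificationHandler.WNSId NOTNULL THEN`), so change the condition to `WHEN NotificationHandler.ParentId NOTNULL THEN`. The `ExpirationTime` branch labels `ExpiryTime = 0` as `'Expired'`, but a zero FILETIME more plausibly means no expiry was recorded; unless one of the cited sources confirms the semantics, a neutral label such as `'Not set'` avoids asserting something the data does not support. Note also that `Payload` is the raw notification XML and can carry message bodies and sender names, so the resulting CSV deserves the same handling as the source database.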
@@ -0,0 +1,36 @@
+Description: Windows WPNDatabase - WNSPushChannel
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: a91038dd-baa5-42a3-a92e-e1105171c6fa
+Version: 1.0
+CSVPrefix: Windows
+FileName: wpndatabase.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='Notification' OR name='HandlerAssets' OR name='WNSPushChannel' OR name='TransientTable' OR name='NotificationData');
+IdentifyValue: 5
+Queries:
+ -
+ Name: Windows Notifications
+ Query: |
+ SELECT
+ NotificationHandler.PrimaryId AS PrimaryID,
+ WNSPushChannel.ChannelId AS ChannelID,
+ WNSPushChannel.HandlerId AS HandlerID,
+ WNSPushChannel.Uri AS URI,
+ datetime( ( WNSPushChannel.CreatedTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS CreatedTime,
+ datetime( ( WNSPushChannel.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS ExpirationTime
+ FROM
+ WNSPushChannel
+ JOIN NotificationHandler ON NotificationHandler.RecordId = WNSPushChannel.HandlerId
+ ORDER BY
+ CreatedTime ASC
+ BaseFileName: NotificationsDBN-WNSPushChannel
+
+# Documentation
+# Lots of credit to kacos2000 on GitHub for their work on this SQL Query
+# http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html
+# https://tzworks.net/prototypes/wpn/wpn.users.guide.pdf
+# https://inc0x0.com/2018/10/windows-10-notification-database/
+# https://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html
+# https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
+# https://github.com/kacos2000/Win10
+# Use SQLECmd in conjunction with the WindowsNotificationDB KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsNotificationsDB.tkape
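Review bot: `Name: Windows Notifications` is carried over from the Notifications map, so two maps on `wpndatabase.db` now report the same query name, and `BaseFileName: NotificationsDBN-WNSPushChannel` has a stray `N` that will land in the output filename; change them to `Name: Windows WNSPushChannel` and `BaseFileName: NotificationsDB-WNSPushChannel`. `ORDER BY CreatedTime ASC` sorts on the alias, which SQLite accepts, but rows whose `CreatedTime` is NULL sort first in ascending order, so the output can begin with undated rows. The `Uri` column holds WNS channel URIs; these are generally treated as sensitive, since presumably anyone holding one can push to that device's channel until `ExpiryTime`, so the CSV warrants the same handling as the source database — a one-line note in the documentation block, e.g. `# URI values are live push-channel endpoints; treat the output as sensitive`, would make that explicit to examiners.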