Add new Maps, update old Maps

SQLMap/Maps/Windows_Dropbox_NonLocalResources.smap

@@ -0,0 +1,46 @@
+Description: Dropbox Non-Local Resources
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 255c6d03-a065-49dd-b1bd-4cf7c635554a
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Dropbox Non-Local Resources
+        Query: |
+               SELECT
+               datetime( nonlocal_resources.server_fetch_timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+               nonlocal_resources.account_id AS AccountID,
+               nonlocal_resources.name AS Name,
+               nonlocal_resources.url AS URL,
+               nonlocal_resources.server_path AS ServerPath,
+               CASE
+
+               WHEN nonlocal_resources.is_dir = 0 THEN
+               'No'
+               WHEN nonlocal_resources.is_dir = 1 THEN
+               'Yes'
+               END AS IsDirectory,
+               CASE
+
+               WHEN nonlocal_resources.is_share = 0 THEN
+               'No'
+               WHEN nonlocal_resources.is_share = 1 THEN
+               'Yes'
+               END AS IsShare,
+               nonlocal_resources.resource_type AS ResourceType,
+               nonlocal_resources.resource_id AS ResourceID
+               FROM
+               nonlocal_resources
+        BaseFileName: NonLocalResources
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape

SQLMap/Maps/Windows_Dropbox_RecentItems.smap

@@ -0,0 +1,43 @@
+Description: Dropbox Recent Items
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 97a2f126-f939-4516-9c61-8b74a8cf482b
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Dropbox Recent Items
+        Query: |
+               SELECT
+               datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS Timestamp,
+               recents.account_id AS AccountID,
+               recents.server_path AS ServerPath,
+               datetime( server_fetch_timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS ServerFetchTimestamp,
+               recents.batch_key AS BatchKey,
+               recents.event_type AS EventType,
+               CASE
+
+               WHEN recents.is_local = 0 THEN
+               'No'
+               WHEN recents.is_local = 1 THEN
+               'Yes'
+               END AS IsLocal,
+               recents.keywords AS Keywords,
+               recents.resource_id AS ResourceID,
+               recents.resource_type AS ResourceType
+               FROM
+               recents
+               ORDER BY
+               recents.timestamp ASC
+        BaseFileName: RecentItems
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape

SQLMap/Maps/Windows_Dropbox_SFJResources.smap

@@ -0,0 +1,43 @@
+Description: Dropbox SFJ Resources
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 34366884-7119-4c0f-b252-11457cc8490a
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Dropbox SFJ Resources
+        Query: |
+               SELECT
+               datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+               starred_items.account_id AS AccountID,
+               starred_items.server_path AS ServerPath,
+               CASE
+
+               WHEN starred_items.is_starred = 0 THEN
+               'No'
+               WHEN starred_items.is_starred = 1 THEN
+               'Yes'
+               END AS IsStarred,
+               starred_items.keywords AS Keywords,
+               starred_items.paper_path AS PaperPath,
+               starred_items.persist_state AS PersistState,
+               starred_items.resource_type AS ResourceType,
+               starred_items.resource_id AS ResourceID
+               FROM
+               starred_items
+               ORDER BY
+               starred_items.timestamp ASC
+        BaseFileName: SFJResources
+
+# Documentation
+# I have no idea what SFJ Resources means and I couldn�t find any documentation on it. If anyone knows, please do a PR and add documentation. It looks like good data resides here, I just don�t know exactly what it�s representing at this time.
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape

SQLMap/Maps/Windows_Dropbox_StarredItems.smap

@@ -0,0 +1,42 @@
+Description: Dropbox Starred Items
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 4092c211-3032-41b1-abc3-a2a6b82f0ac3
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: home.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='activity_feed' OR name='recents' OR name='starred_items' OR name='calendar_items' OR name='sfj_resources');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Dropbox Starred Items
+        Query: |
+               SELECT
+               datetime( timestamp / 1000 + ( strftime( '%ms', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS timestamp,
+               starred_items.account_id AS AccountID,
+               starred_items.server_path AS ServerPath,
+               CASE
+
+               WHEN starred_items.is_starred = 0 THEN
+               'No'
+               WHEN starred_items.is_starred = 1 THEN
+               'Yes'
+               END AS IsStarred,
+               starred_items.keywords AS Keywords,
+               starred_items.paper_path AS PaperPath,
+               starred_items.persist_state AS PersistState,
+               starred_items.resource_type AS ResourceType,
+               starred_items.resource_id AS ResourceID
+               FROM
+               starred_items
+               ORDER BY
+               starred_items.timestamp ASC
+        BaseFileName: StarredItems
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape

SQLMap/Maps/Windows_Dropbox_SyncHistory.smap

@@ -0,0 +1,33 @@
+Description: Dropbox Sync History
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: 4ff4d115-8f35-4233-8edd-c1fb74280754
+Version: 1.0
+CSVPrefix: Dropbox
+FileName: sync_history.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='sync_history');
+IdentifyValue: 1
+Queries:
+    -
+        Name: Dropbox Sync History
+        Query: |
+               SELECT
+               datetime( "timestamp", 'unixepoch' ) AS Timestamp,
+               sync_history.event_type AS EventType,
+               sync_history.file_event_type AS FileEventType,
+               sync_history.direction AS Direction,
+               sync_history.local_path AS LocalPath,
+               sync_history.file_id AS FileID
+               FROM
+               sync_history
+               ORDER BY
+               sync_history.timestamp ASC
+        BaseFileName: SyncHistory
+
+# Documentation
+# https://www.forensicfocus.com/news/new-free-tool-decrypting-the-dropbox-filecache-dbx-file/
+# https://digital-forensics.sans.org/summit-archives/Prague_Summit/Cloud_Storage_Forensics_Mattia_Eppifani.pdf
+# https://www.forensicfocus.com/articles/dropbox-forensics/
+# https://arxiv.org/pdf/1709.10395
+# https://www.researchgate.net/publication/342991973_Forensic_Analysis_of_Dropbox_Data_Remnants_on_Windows_10
+# Use SQLECmd in conjunction with the Dropbox KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Apps/Dropbox.tkape

SQLMap/Maps/Windows_WPNDatabase_Notifications.smap

@@ -0,0 +1,89 @@
+Description: Windows WPNDatabase - Notifications
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: cd952d69-7b3e-4d13-9810-8d987155bc58
+Version: 1.0
+CSVPrefix: Windows
+FileName: wpndatabase.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='Notification' OR name='HandlerAssets' OR name='WNSPushChannel' OR name='TransientTable' OR name='NotificationData');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Windows Notifications
+        Query: |
+                SELECT
+                Notification.Id AS ID,
+                Notification."Order" AS "Order",
+                Notification.HandlerId AS HandlerId,
+                NotificationHandler.PrimaryId AS Application,
+                CASE
+
+                WHEN NotificationHandler.ParentId THEN
+                NotificationHandler.ParentId ELSE ''
+                END AS Parent,
+                NotificationHandler.HandlerType AS HandlerType,
+                Notification.Type AS Type,
+                Notification.Payload AS Payload,
+                Notification.PayloadType AS PayloadType,
+                Notification.Tag AS Tag,
+                Notification."Group" AS "Group",
+                datetime( ( Notification.ArrivalTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS ArrivalTime,
+                CASE
+
+                WHEN Notification.ExpiryTime = 0 THEN
+                'Expired' ELSE datetime( ( Notification.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' )
+                END AS ExpirationTime,
+                NotificationHandler.CreatedTime AS HandlerCreated,
+                NotificationHandler.ModifiedTime AS HandlerModified,
+                CASE
+
+                WHEN NotificationHandler.WNSId NOTNULL THEN
+                NotificationHandler.WNSId ELSE ''
+                END AS WNSId,
+                CASE
+
+                WHEN NotificationHandler.WNFEventName NOTNULL THEN
+                NotificationHandler.WNFEventName ELSE ''
+                END AS WNFEventName,
+                CASE
+
+                WHEN WNSPushChannel.ChannelId NOTNULL THEN
+                WNSPushChannel.ChannelId ELSE ''
+                END AS ChannelID,
+                CASE
+
+                WHEN WNSPushChannel.Uri NOTNULL THEN
+                WNSPushChannel.Uri ELSE ''
+                END AS URI,
+                CASE
+
+                WHEN WNSPushChannel.CreatedTime NOTNULL THEN
+                datetime( ( WNSPushChannel.CreatedTime - 116444736000000000 ) / 10000000, 'unixepoch' ) ELSE ''
+                END AS WNSCreatedTime,
+                CASE
+
+                WHEN WNSPushChannel.ExpiryTime NOTNULL THEN
+                datetime( ( WNSPushChannel.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' ) ELSE ''
+                END AS WNSExpirationTime,
+                CASE
+
+                WHEN hex( Notification.ActivityId ) = '00000000000000000000000000000000' THEN
+                '' ELSE hex( Notification.ActivityId )
+                END AS ActivityId
+                FROM
+                Notification
+                JOIN NotificationHandler ON NotificationHandler.RecordId = Notification.HandlerId
+                LEFT JOIN WNSPushChannel ON WNSPushChannel.HandlerId = NotificationHandler.RecordId
+                ORDER BY
+                Id DESC
+        BaseFileName: NotificationsDB-Notifications
+
+# Documentation
+# Lots of credit to kacos2000 on GitHub for their work on this SQL Query
+# http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html
+# https://tzworks.net/prototypes/wpn/wpn.users.guide.pdf
+# https://inc0x0.com/2018/10/windows-10-notification-database/
+# https://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html
+# https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
+# https://github.com/kacos2000/Win10
+# Use SQLECmd in conjunction with the WindowsNotificationDB KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsNotificationsDB.tkape

SQLMap/Maps/Windows_WPNDatabase_WNSPushChannel.smap

@@ -0,0 +1,36 @@
+Description: Windows WPNDatabase - WNSPushChannel
+Author: Andrew Rathbun
+Email: andrew.rathbun@kroll.com
+Id: a91038dd-baa5-42a3-a92e-e1105171c6fa
+Version: 1.0
+CSVPrefix: Windows
+FileName: wpndatabase.db
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='Notification' OR name='HandlerAssets' OR name='WNSPushChannel' OR name='TransientTable' OR name='NotificationData');
+IdentifyValue: 5
+Queries:
+    -
+        Name: Windows Notifications
+        Query: |
+                SELECT
+                NotificationHandler.PrimaryId AS PrimaryID,
+                WNSPushChannel.ChannelId AS ChannelID,
+                WNSPushChannel.HandlerId AS HandlerID,
+                WNSPushChannel.Uri AS URI,
+                datetime( ( WNSPushChannel.CreatedTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS CreatedTime,
+                datetime( ( WNSPushChannel.ExpiryTime - 116444736000000000 ) / 10000000, 'unixepoch' ) AS ExpirationTime
+                FROM
+                WNSPushChannel
+                JOIN NotificationHandler ON NotificationHandler.RecordId = WNSPushChannel.HandlerId
+                ORDER BY
+                CreatedTime ASC
+        BaseFileName: NotificationsDBN-WNSPushChannel
+
+# Documentation
+# Lots of credit to kacos2000 on GitHub for their work on this SQL Query
+# http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html
+# https://tzworks.net/prototypes/wpn/wpn.users.guide.pdf
+# https://inc0x0.com/2018/10/windows-10-notification-database/
+# https://www.hecfblog.com/2018/08/daily-blog-440-windows-10-notifications.html
+# https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
+# https://github.com/kacos2000/Win10
+# Use SQLECmd in conjunction with the WindowsNotificationDB KAPE Target: https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/WindowsNotificationsDB.tkape