Create SQLECmd Map Guide and Template

SQLMap/Maps/!OS_Application_OptionalDescription.guide

@@ -0,0 +1,29 @@
+Description: Description goes here # Include a useful description of what artifact(s) is being parsed with this SQLECmd Map
+Author: Your name here # Required
+Email: youremail@here.com # Required
+Id: dfe5d585-a24b-499e-ad1d-12df107e3e0b # Required, generate a unique GUID for each .smap file
+Version: 1.0 # Required, iterate as necessary
+CSVPrefix: AppName # Required, please note this influences the filename of the CSV output
+FileName: FileName.sqlite # This is the file mask, aka filename, that SQLECmd will be looking for to match up a database with this Map in order to parse it and output data into CSV. If the DB has a randomized filename such as a timestamp for a filename and therefore cannot be predicted, ensure the IdentifyQuery section is as specific as possible since SQLECmd's --hunt switch will use that to match up an SQLite database with a matching SQLECmd Map. Check Windows_TeraCopy_History.smap for an example of this concept
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='table1' OR name='table2' OR name='table3' OR name='table4' OR name='table5'); # This is basically telling SQLECmd to look for an SQLite database with these 5 table names in conjunction with the IdentifyValue value below
+IdentifyValue: 5 # Combined with the specified SQLite database schema provided in IdentifyQuery, SQLECmd will look for 5 positive hits on table names within a given database to match it up for parsing with SQLECmd. You can specify more table names within IdentifyQuery than what you tell SQLECmd to look for within IdentifyValue
+Queries:
+    -
+        Name: AppName Artifact Description 1 # 8 spaces before Name. This value does not influence the filename of the CSV output
+        Query: |
+                SELECT
+                SQL Query goes here with 16 spaces before the text
+        BaseFileName: ArtifactDescription1
+    -
+        Name: AppName Artifact Description 2 # You can add as many queries as you want for the database schema provided in IdentifyQuery for the FileName specified
+        Query: |
+                SELECT
+                SQL Query goes here with 16 spaces before the text
+        BaseFileName: ArtifactDescription2
+
+# Documentation
+# URLs here relating to this artifact
+# Your CSV output filename will be populated based on the values you provide for the following: YYYYMMDDHHMMSSFFFFFF_CSVPrefix_BaseFileName_Id.csv. Timestamp prefix is automatically generated by SQLECmd
+# Multiple SQL queries can exist within the same .smap file, if needed. Just follow the format shown above and add on or remove as necessary
+# There are many tools out there to help build SQL queries: Navicat for SQLite, SQLite Expert Professional, and Sanderson Forensic Toolkit, to name a few
+# Free tools like DB Browser for SQLite will require a stronger working knowledge of SQL query building as its done manually without the help of a Query Builder often found in paid tools

SQLMap/Maps/!OS_Application_OptionalDescription.template

@@ -0,0 +1,25 @@
+Description: Description goes here
+Author: Your name here
+Email: youremail@here.com
+Id: dfe5d585-a24b-499e-ad1d-12df107e3e0b
+Version: 1.0
+CSVPrefix: AppName
+FileName: FileName
+IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='table1' OR name='table2' OR name='table3' OR name='table4' OR name='table5');
+IdentifyValue: 5
+Queries:
+    -
+        Name: AppName Artifact Description 1
+        Query: |
+                SELECT
+                SQL Query goes here with 16 spaces before the text
+        BaseFileName: ArtifactDescription1
+    -
+        Name: AppName Artifact Description 2
+        Query: |
+                SELECT
+                SQL Query goes here with 16 spaces before the text
+        BaseFileName: ArtifactDescription2
+
+# Documentation
+# URLs here relating to this artifact