## SQLite queries ##
- **Browsers**
- Mozilla Firefox *61+*:
- [firefox_places.sql](
- [firefox_favicons.sql](
- [firefox_formhistory.sql](
- [firefox_contentprefs.sql](
- Opera *54+*
- [Opera_History.sql](
- [Chrome_favicons.sql]( *(works with Opera as well)*
- Chrome *67+*
- [Opera_History.sql]( *(works with Chrome as well)*
- [Chrome_favicons.sql](
- **Skype** *(version 7.21 & 7.41 dBs)*
- [skype_main.sql](<br>
Query Skype's *(Classic)* main.db for chats & file transfers.<br>
- [skype_cache_db](<br>
Query both of Skype's *(Classic)* cache_db.db databases found at AppData\Roaming\UserProfile\media_messaging\ <br>
- 'emo_cache_v2\asyncdb\cache_db' *(cached Emoticons etc)* & <br>
- 'media_cache_v3\asyncdb\cache_db' *(Cached Sent & Received images)* folders.<br>
- [PowerShell script/sqlite query]( so that you can view the Hex Blob output<br>
- [Sample Output (csv)](<br><br>
- **Google Drive** <br>
- Query Google Drive's [snapshot.db]( found at the '\AppData\Local\Google\Drive\user@' folder.<br>
- Query Google Drive's [cloud_graph.db]( found at the '\AppData\Local\Google\Drive\user@\cloud_graph' folder <br><br>
- **Android** <br>
- [Android 7 Calllog.db (Call history)](<br>
- [Android 7 Contacts2.db (Contacts)](<br>
- [Android 9 Contacts2.db (Call history)](<br>
- [Android logs.db (Samsung Calls/messages)](<br><br>
- **iOS** <br>
- [iOS 'Accounts3.sqlite' (Accounts)](<br>
- [iOS 'calendar.sqlitedb' (Calendar)](<br>
- [iOS 'Extras.db' (Calendar)](<br>
- [iOS 'AddressBook.sqlitedb' (AddressBook)](<br>
- [iOS 'AddressBookImages.sqlitedb' (AddressBook Images)](<br>
- [iOS 11 'Photos.sqlite'](<br>
- [iOS 7+ 'Photos.sqlite'](<br>
- [iOS 3 'Photos.sqlite'](<br>
- [iOS 'iPhotoLite.db'](<br>
- [iOS 'healthdb.sqlite'](<br>
- [iOS 'healthdb_secure.sqlite'](<br>
- [iOS 'knowledgec.db'](<br>
- [iOS 'notes.sqlite'](<br>
- [iOS 'Recents' db (Mail)](<br>
- [iOS 'sms.db' (SMS/iMessages)](<br>
- [iOS 'callhistory.storedata' (Call history)](<br>
- [Hike Sticker Chat (com.bsb.hike)](<br>
- ['' (Viber Messages)](<br>
- ['ChatStorage.sqlite' (WhatsApp Messages)](<br>
- **Windows 10** <br>
- [Samsung Flow App 'Notifications.db']( - *Note:* dB Files are EFS encrypted <br>
- [Encapsulation.db]( found at 'C:\Windows\appcompat\encapsulation\Encapsulation.db' <br>
- **Windows 10/11 diagnostics stuff**
*from `C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db` `(*)` ([more info here](*
- [ClipboardHistory]( <br>
- [SoftwareUpdateClientTelemetry]( <br>
- [Edge & Apps WebHistory]( <br>
- [Virtual Desktop]( <br>
- [YourPhone app]( <br>
- [Windows.Networking]( <br>
- [**NetworkingTriage**]( *(includes info from Windows.Networking)*<br>
- [**AppInteractivity + AppInteractivitySummary**]( *(more info [here](*<br>
- [Device Census (settings)]( <br>
- [DxgKrnlTelemetry Client Running Time]( <br>
- [AppStateChangeSummary]( <br>
- [ProcessLoggingFile & ProcessLoggingRegistry]( <br>
- [FileSystem NTFS,EXFAT,FAT Mount + Volume Info]( <br>
- [Microsoft.Windows.Inventory.Core.Install]( *(installation [state]( for all hardware and software components)*. <br>
- [TextInputSessions]( <br>
- ----------
- [List unique Event Names in the dB]( <br>
- *Sample event name lists:* <br>
1. [(csv1 with 3400+)]( names <br>
2. [(csv2 with 2800+)]( names compiled from <br>
2a. [Win10 csv]( & <br>
2b. [Win11 csv (VM)]( <br>
`(*)` Adjust settings:
`HKLM: SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey`
- DWORD `EnableEventTranscript` *(0: disabled, 1: enabled)*
- DWORD `HoursOfHistoryToKeep` *(in hours)*
- DWORD `MaxStoreSize` *(nr of bytes)*
- DWORD `RequestedMaxStoreSize` *(nr of bytes, same as above)*