[sqlite3] sqlite to analyse windows notification #bash #malware #forensic #tips

sqlite3-windows-notification.md

sqlitebrowser

file=/vol6/Users/Angela/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
sqlitebrowser ${file}

query

SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
Type, HandlerId, Notification.Id, Payload, Tag, 'Group', 'Order', PrimaryId, HandlerType, WNFEventName, CreatedTime as HandlerCreatedTime, ModifiedTime as HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId