Queries
SQLite queries
Browsers
- Mozilla Firefox 61+:
- Opera 54+
  - Opera_History.sql
  - Chrome_favicons.sql (works with Opera as well)
- Chrome 67+
  - Opera_History.sql (works with Chrome as well)
  - Chrome_favicons.sql
Skype (version 7.21 & 7.41 dBs)
- skype_main.sql
  Query Skype's (Classic) main.db for chats & file transfers.
- skype_cache_db
  Query both of Skype's (Classic) cache_db.db databases, found at AppData\Roaming\UserProfile\media_messaging\ in the folders:
  - 'emo_cache_v2\asyncdb\cache_db' (cached emoticons etc.) &
  - 'media_cache_v3\asyncdb\cache_db' (cached sent & received images)
- PowerShell script/sqlite query so that you can view the Hex Blob output
Google Drive
- Query Google Drive's snapshot.db found at the '\AppData\Local\Google\Drive\user@' folder.
- Query Google Drive's cloud_graph.db found at the '\AppData\Local\Google\Drive\user@\cloud_graph' folder.
Android
iOS
- iOS 'Accounts3.sqlite' (Accounts)
- iOS 'calendar.sqlitedb' (Calendar)
- iOS 'Extras.db' (Calendar)
- iOS 'AddressBook.sqlitedb' (AddressBook)
- iOS 'AddressBookImages.sqlitedb' (AddressBook Images)
- iOS 11 'Photos.sqlite'
- iOS 7+ 'Photos.sqlite'
- iOS 3 'Photos.sqlite'
- iOS 'iPhotoLite.db'
- iOS 'healthdb.sqlite'
- iOS 'healthdb_secure.sqlite'
- iOS 'knowledgec.db'
- iOS 'notes.sqlite'
- iOS 'Recents' db (Mail)
- iOS 'sms.db' (SMS/iMessages)
- iOS 'callhistory.storedata' (Call history)
- Hike Sticker Chat (com.bsb.hike)
- 'contacts.data' (Viber Messages)
- 'ChatStorage.sqlite' (WhatsApp Messages)
Windows 10
- Samsung Flow App 'Notifications.db' - Note: dB Files are EFS encrypted
- Encapsulation.db found at 'C:\Windows\appcompat\encapsulation\Encapsulation.db'
Windows 10/11 diagnostics stuff from 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db' (*) (more info here)
- ClipboardHistory
- TaskFlow DataEngine
- SoftwareUpdateClientTelemetry
- Edge & Apps WebHistory
- Virtual Desktop
- YourPhone app
- Windows.Networking
- NetworkingTriage (includes info from Windows.Networking)
- AppInteractivity + AppInteractivitySummary (more info here)
- Device Census (settings)
- DxgKrnlTelemetry Client Running Time
- AppStateChangeSummary
- ProcessLoggingFile & ProcessLoggingRegistry
- FileSystem NTFS,EXFAT,FAT Mount + Volume Info
- Microsoft.Windows.Inventory.Core.Install (installation state for all hardware and software components).
- TextInputSessions
- Immersive-Shell
- User Account Control (UAC) (UAC/LUA ConsentUILaunched)
- List unique Event Names in the dB
- Sample event name lists:
  - (csv1 with 3400+) names
  - (csv2 with 2800+) names compiled from
    2a. Win10 csv &
    2b. Win11 csv (VM)
- Event Tracing GUID + Provider name list
  - (Related event log: 'Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx')
(*) Adjust settings:
HKLM: SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey
- DWORD EnableEventTranscript (0: disabled, 1: enabled)
- DWORD HoursOfHistoryToKeep (in hours)
- DWORD MaxStoreSize (nr of bytes)
- DWORD RequestedMaxStoreSize (nr of bytes, same as above)
Windows 11 Search data (new 22H2+ SQLite3 dBs)
found at 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'