Browsers
Mozilla Firefox 61+:
Opera 54+
- Opera_History.sql
- Chrome_favicons.sql (works with Opera as well)
Chrome 67+
- Opera_History.sql (works with Chrome as well)
- Chrome_favicons.sql
Skype (version 7.21 & 7.41 dBs)
skype_main.sql
Query Skype's (Classic) main.db for chats & file transfers.
skype_cache_db
Query both of Skype's (Classic) cache_db.db databases found in the AppData\Roaming\UserProfile\media_messaging\ folders:
- 'emo_cache_v2\asyncdb\cache_db' (cached emoticons etc.) &
- 'media_cache_v3\asyncdb\cache_db' (cached sent & received images)
PowerShell script/sqlite query so that you can view the Hex Blob output
Google Drive
- Query Google Drive's snapshot.db found at the '\AppData\Local\Google\Drive\user@' folder
- Query Google Drive's cloud_graph.db found at the '\AppData\Local\Google\Drive\user@\cloud_graph' folder
Android
IOS
- IOS 'Accounts3.sqlite' (Accounts)
- IOS 'calendar.sqlitedb' (Calendar)
- IOS 'Extras.db' (Calendar)
- IOS 'AddressBook.sqlitedb' (AddressBook)
- IOS 'AddressBookImages.sqlitedb' (AddressBook Images)
- IOS 11 'Photos.sqlite'
- IOS 7+ 'Photos.sqlite'
- IOS 3 'Photos.sqlite'
- IOS 'iPhotoLite.db'
- IOS 'healthdb.sqlite'
- IOS 'healthdb_secure.sqlite'
- IOS 'knowledgec.db'
- IOS 'notes.sqlite'
- IOS 'Recents' db (Mail)
- IOS 'sms.db' (SMS/iMessages)
- IOS 'callhistory.storedata' (Call history)
- Hike Sticker Chat (com.bsb.hike)
- 'contacts.data' (Viber Messages)
- 'ChatStorage.sqlite' (WhatsApp Messages)
Windows 10
- Samsung Flow App 'Notifications.db' - Note: dB Files are EFS encrypted
- Encapsulation.db found at 'C:\Windows\appcompat\encapsulation\Encapsulation.db'
Windows 10/11 diagnostics stuff
from 'C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db' (*)
(more info here)
- ClipboardHistory
- TaskFlow DataEngine
- SoftwareUpdateClientTelemetry
- Edge & Apps WebHistory
- Virtual Desktop
- YourPhone app
- Windows.Networking
- NetworkingTriage (includes info from Windows.Networking)
- AppInteractivity + AppInteractivitySummary (more info here)
- Device Census (settings)
- DxgKrnlTelemetry Client Running Time
- AppStateChangeSummary
- ProcessLoggingFile & ProcessLoggingRegistry
- FileSystem NTFS,EXFAT,FAT Mount + Volume Info
- Microsoft.Windows.Inventory.Core.Install (installation state for all hardware and software components).
- TextInputSessions
- Immersive-Shell
- User Account Control (UAC) (UAC/LUA ConsentUILaunched)
- List unique Event Names in the dB
- Sample event name lists:
- (csv1 with 3400+) names
- (csv2 with 2800+) names compiled from
2a. Win10 csv &
2b. Win11 csv (VM)
- Event Tracing GUID + Provider name list
- (Related event log: 'Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx')
(*) Adjust settings:
HKLM: SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\EventTranscriptKey
- DWORD EnableEventTranscript (0: disabled, 1: enabled)
- DWORD HoursOfHistoryToKeep (in hours)
- DWORD MaxStoreSize (nr of bytes)
- DWORD RequestedMaxStoreSize (nr of bytes, same as above)
- Windows 11 Search data (new 22H2+ SQLite3 dBs)
found at 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'