{"id":18437821,"url":"https://github.com/kacos2000/queries","last_synced_at":"2025-08-10T16:09:19.798Z","repository":{"id":65610974,"uuid":"137330086","full_name":"kacos2000/Queries","owner":"kacos2000","description":"SQLite queries","archived":false,"fork":false,"pushed_at":"2023-03-08T19:42:44.000Z","size":610,"stargazers_count":80,"open_issues_count":0,"forks_count":11,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-07T20:43:49.367Z","etag":null,"topics":["android","chrome","database","dfir","dropbox","firefox","foreniscs","forensic","googledrive","ios","mozilla","opera","queries","skype","sqlite3","viber","whatsup","windows-10","windows-11"],"latest_commit_sha":null,"homepage":"https://kacos2000.github.io/Queries/","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kacos2000.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"kacos2000"}},"created_at":"2018-06-14T08:35:50.000Z","updated_at":"2025-04-02T21:23:16.000Z","dependencies_parsed_at":"2025-04-07T20:36:24.064Z","dependency_job_id":"740cafd5-c7d7-49dc-872a-21ed72df3563","html_url":"https://github.com/kacos2000/Queries","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kacos2000/Queries","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kacos2000%2FQueries","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kacos2000%2FQueries/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/kacos2000%2FQueries/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kacos2000%2FQueries/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kacos2000","download_url":"https://codeload.github.com/kacos2000/Queries/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kacos2000%2FQueries/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":269748230,"owners_count":24469107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-10T02:00:08.965Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","chrome","database","dfir","dropbox","firefox","foreniscs","forensic","googledrive","ios","mozilla","opera","queries","skype","sqlite3","viber","whatsup","windows-10","windows-11"],"created_at":"2024-11-06T06:16:14.134Z","updated_at":"2025-08-10T16:09:19.765Z","avatar_url":"https://github.com/kacos2000.png","language":"PowerShell","funding_links":["https://github.com/sponsors/kacos2000"],"categories":[],"sub_categories":[],"readme":"  ## SQLite queries ##\n  -   \n      - **Browsers**\n        -  Mozilla Firefox *61+*:\n            - [firefox_places.sql](https://github.com/kacos2000/queries/blob/master/firefox_places.sql) \n            - [firefox_favicons.sql](https://github.com/kacos2000/queries/blob/master/firefox_favicons.sql) 
\n            - [firefox_formhistory.sql](https://github.com/kacos2000/queries/blob/master/firefox_formhistory.sql) \n            - [firefox_contentprefs.sql](https://github.com/kacos2000/queries/blob/master/firefox_contentprefs.sql) \n      \n        - Opera *54+*\n          - [Opera_History.sql](https://github.com/kacos2000/queries/blob/master/Opera_History.sql)\n          - [Chrome_favicons.sql](https://github.com/kacos2000/queries/blob/master/chrome_favicons.sql) *(works with Opera as well)*\n      \n        - Chrome *67+*\n          - [Opera_History.sql](https://github.com/kacos2000/queries/blob/master/Opera_History.sql) *(works with Chrome as well)*\n          - [Chrome_favicons.sql](https://github.com/kacos2000/queries/blob/master/chrome_favicons.sql)\n\n      \n       - **Skype**  *(version 7.21 \u0026 7.41 dBs)*    \n       \n           - [skype_main.sql](https://github.com/kacos2000/queries/blob/master/skype_main_db.sql)\u003cbr\u003e\n             Query Skype's *(Classic)* main.db for chats \u0026 file transfers.\u003cbr\u003e\n             \n           - [skype_cache_db](https://github.com/kacos2000/queries/blob/master/skype_cache_db.sql)\u003cbr\u003e\n             Query Skype's *(Classic)* both cache_db.db databases found at AppData\\Roaming\\UserProfile\\media_messaging\\ \u003cbr\u003e\n             - 'emo_cache_v2\\asyncdb\\cache_db'   *(cached Emoticons etc)* \u0026 \u003cbr\u003e \n             - 'media_cache_v3\\asyncdb\\cache_db' *(Cached Sent \u0026 Received images)* folders.\u003cbr\u003e\n                     \n           - [PowerShell script/sqlite query](https://github.com/kacos2000/queries/blob/master/cache_db.ps1) so that you can view the Hex Blob output\u003cbr\u003e\n             - [Sample Output (csv)](https://github.com/kacos2000/queries/blob/master/cache_db.csv)\u003cbr\u003e\u003cbr\u003e\n\n\n      - **Google Drive**   \u003cbr\u003e     \n           - Query Google Drive's 
[snapshot.db](https://github.com/kacos2000/queries/blob/master/GDrive_snapshot.sql) found at the '\\AppData\\Local\\Google\\Drive\\user@' folder  .\u003cbr\u003e\n           - Query Google Drive's [cloud_graph.db](https://github.com/kacos2000/queries/blob/master/GDrive_cloudgraph.sql) found at the '\\AppData\\Local\\Google\\Drive\\user@\\cloud_graph' folder \u003cbr\u003e\u003cbr\u003e\n             \n      - **Android**   \u003cbr\u003e     \n           - [Android 7 Calllog.db (Call history)](https://github.com/kacos2000/queries/blob/master/calllog_db.sql)\u003cbr\u003e\n           - [Android 7 Contacts2.db (Contacts)](https://github.com/kacos2000/queries/blob/master/contacts2.sql)\u003cbr\u003e\n           - [Android 9 Contacts2.db (Call history)](https://github.com/kacos2000/queries/blob/master/contacts2calls.sql)\u003cbr\u003e\n           - [Android logs.db (Samsung Calls/messages)](https://github.com/kacos2000/queries/blob/master/logs_db.sql)\u003cbr\u003e\u003cbr\u003e\n                   \n      - **IOS**     \u003cbr\u003e     \n           - [IOS 'Accounts3.sqlite' (Accounts)](https://github.com/kacos2000/queries/blob/master/Accounts3_sqlite.sql)\u003cbr\u003e\n           - [IOS 'calendar.sqlitedb' (Calendar)](https://github.com/kacos2000/queries/blob/master/calendar_sqlitedb.sql)\u003cbr\u003e\n           - [IOS 'Extras.db' (Calendar)](https://github.com/kacos2000/queries/blob/master/calendar_extras.sql)\u003cbr\u003e\n           - [IOS 'AddressBook.sqlitedb' (AddressBook)](https://github.com/kacos2000/queries/blob/master/AddressBook_sqlite.sql)\u003cbr\u003e\n           - [IOS 'AddressBookImages.sqlitedb' (AddressBook Images)](https://github.com/kacos2000/queries/blob/master/AddressBookImages_sqlite.sql)\u003cbr\u003e\n           - [IOS 11 'Photos.sqlite'](https://github.com/kacos2000/queries/blob/master/Photos_sqlite11.sql)\u003cbr\u003e\n           - [IOS 7+ 
'Photos.sqlite'](https://github.com/kacos2000/queries/blob/master/Photos_sqlite.sql)\u003cbr\u003e\n           - [IOS 3 'Photos.sqlite'](https://github.com/kacos2000/queries/blob/master/Photos_sqlite3.sql)\u003cbr\u003e\n           - [IOS 'iPhotoLite.db'](https://github.com/kacos2000/queries/blob/master/iPhotoLitedb.sql)\u003cbr\u003e\n           - [IOS 'healthdb.sqlite'](https://github.com/kacos2000/queries/blob/master/healthdb.sql)\u003cbr\u003e\n           - [IOS 'healthdb_secure.sqlite'](https://github.com/kacos2000/queries/blob/master/healthdb_secure.sql)\u003cbr\u003e\n           - [IOS 'knowledgec.db'](https://github.com/kacos2000/queries/blob/master/knowledgec_db.sql)\u003cbr\u003e\n           - [IOS 'notes.sqlite'](https://github.com/kacos2000/queries/blob/master/notes_sqlite.sql)\u003cbr\u003e\n           - [IOS 'Recents' db (Mail)](https://github.com/kacos2000/queries/blob/master/recents.sql)\u003cbr\u003e\n           - [IOS 'sms.db' (SMS/iMessages)](https://github.com/kacos2000/queries/blob/master/sms_db.sql)\u003cbr\u003e\n           - [IOS 'callhistory.storedata' (Call history)](https://github.com/kacos2000/queries/blob/master/callhistory_storedata.sql)\u003cbr\u003e \n           - [Hike Sticker Chat (com.bsb.hike)](https://github.com/kacos2000/queries/blob/master/bsb_hike_messagesDB_sqlite.sql)\u003cbr\u003e\n           - ['contacts.data' (Viber Messages)](https://github.com/kacos2000/queries/blob/master/Viber_Contacts_Data_messages.sql)\u003cbr\u003e \n           - ['ChatStorage.sqlite' (WhatsApp Messages)](https://github.com/kacos2000/queries/blob/master/WhatsApp_Chatstorage_sqlite.sql)\u003cbr\u003e \n \n      - **Windows 10**     \u003cbr\u003e   \t \n        - [Samsung Flow App 'Notifications.db'](https://github.com/kacos2000/queries/blob/master/Samsung_Flow_Notifications_db.sql) - *Note:* dB Files are EFS encrypted \u003cbr\u003e\n        - [Encapsulation.db](https://github.com/kacos2000/Queries/blob/master/Encapsulationdb.sql) found at 
'C:\\Windows\\appcompat\\encapsulation\\Encapsulation.db' \u003cbr\u003e \n\n      - **Windows 10/11 diagnostics stuff**  \n  *from `C:\\ProgramData\\Microsoft\\Diagnosis\\EventTranscript\\EventTranscript.db` '`(*)` ([more info here](https://github.com/rathbuna/EventTranscript.db-Research))*  \n        - [ClipboardHistory](https://github.com/kacos2000/Queries/blob/master/ClipboardHistory.Service.sql) \u003cbr\u003e\n        - [TaskFlow DataEngine](https://github.com/kacos2000/Queries/blob/master/TaskFlow.sql) \u003cbr\u003e\n        - [SoftwareUpdateClientTelemetry](https://github.com/kacos2000/Queries/blob/master/SoftwareUpdateClientTelemetry.sql) \u003cbr\u003e \n        - [Edge \u0026 Apps WebHistory](https://github.com/kacos2000/Queries/blob/master/Microsoft.WebBrowser.sql) \u003cbr\u003e \n        - [Virtual Desktop](https://github.com/kacos2000/Queries/blob/master/VirtualDesktop.sql) \u003cbr\u003e\n        - [YourPhone app](https://github.com/kacos2000/Queries/blob/master/MobilityExperience.YourPhone.sql) \u003cbr\u003e\n        - [Windows.Networking](https://github.com/kacos2000/Queries/blob/master/Windows.Networking.sql) \u003cbr\u003e\n        - [**NetworkingTriage**](https://github.com/kacos2000/Queries/blob/master/NetworkingTriage.sql)  *(includes info from Windows.Networking)*\u003cbr\u003e\n        - [**AppInteractivity + AppInteractivitySummary**](https://github.com/kacos2000/Queries/blob/master/AppInteractivity.sql)  *(more info [here](https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript))*\u003cbr\u003e\n        - [Device Census (settings)](https://github.com/kacos2000/Queries/blob/master/Census.sql) \u003cbr\u003e\n        - [DxgKrnlTelemetry Client Running Time](https://github.com/kacos2000/Queries/blob/master/ClientRunningTime.sql) \u003cbr\u003e\n        - [AppStateChangeSummary](https://github.com/kacos2000/Queries/blob/master/AppStateChangeSummary.sql) 
\u003cbr\u003e\n        - [ProcessLoggingFile \u0026 ProcessLoggingRegistry](https://github.com/kacos2000/Queries/blob/master/ProcessLogging.sql) \u003cbr\u003e\n        - [FileSystem NTFS,EXFAT,FAT Mount + Volume Info](https://github.com/kacos2000/Queries/blob/master/FileSystem.Mount.sql) \u003cbr\u003e\n        - [Microsoft.Windows.Inventory.Core.Install](https://github.com/kacos2000/Queries/blob/master/Inventory.sql) *(installation [state](https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709#microsoftwindowsinventorycoreinventoryapplicationadd) for all hardware and software components).* \u003cbr\u003e\n        - [TextInputSessions](https://github.com/kacos2000/Queries/blob/master/Text-InputSession.sql) \u003cbr\u003e\n        - [Immersive-Shell](https://github.com/kacos2000/Queries/blob/master/Immersive-Shell.sql) \u003cbr\u003e\n        - [User Account Control (UAC)](https://github.com/kacos2000/Queries/blob/master/UAC.sql) *(UAC/LUA ConsentUILaunched)*\u003cbr\u003e\n        - ----------\n        - [List unique Event Names in the dB](https://github.com/kacos2000/Queries/blob/master/EventTranscript_GetEventNameList.sql) \u003cbr\u003e\n        - *Sample event name lists:* \u003cbr\u003e \n           1. [(csv1 with 3400+)](https://github.com/kacos2000/Queries/blob/master/full_event_names_large.csv) names \u003cbr\u003e \n           2. [(csv2 with 2800+)](https://github.com/kacos2000/Queries/blob/master/full_event_names.csv) names compiled from \u003cbr\u003e \n              2a. [Win10 csv](https://github.com/kacos2000/Queries/blob/master/full_event_names1.csv) \u0026 \u003cbr\u003e \n              2b. 
[Win11 csv (VM)](https://github.com/kacos2000/Queries/blob/master/full_event_names2.csv) \u003cbr\u003e\n        - *[Event Tracing GUID + Provider name list](https://github.com/kacos2000/Queries/blob/master/providers.txt)*  \u003cbr\u003e \n        - *(Related event log: 'Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx')*\n        - ----------\n        \n`(*)` Adjust settings:\n`HKLM: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\EventTranscriptKey`\n   - DWORD `EnableEventTranscript` *(0: disabled, 1: enabled)*\n   - DWORD `HoursOfHistoryToKeep` *(in hours)*\n   - DWORD `MaxStoreSize` *(nr of bytes)*\n   - DWORD `RequestedMaxStoreSize` *(nr of bytes, same as above)*\n   \u003cbr\u003e\u003cbr\u003e\n\n\n      - **Windows 11 Search data** *(new 22H2+ SQLite3 dBs)*\u003cbr\u003e\n        *found at 'C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows'*\u003cbr\u003e\n        - [PropertyMap](https://github.com/kacos2000/Queries/blob/master/Win_Search_PropertyMap.sql)\n        - [Paths (SystemIndex_1_PropertyStore) query](https://github.com/kacos2000/Queries/blob/master/Win_Search_PropertyStore.sql)\n        - [SecurityDescriptor (SecStore.db) query](https://github.com/kacos2000/Queries/blob/master/Win_Search_SecStore.sql)\n        - [Paths/Files \u0026 Timestamps (Windows-gather.db)](https://github.com/kacos2000/Queries/blob/master/Win_Search_gatherdB.sql)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkacos2000%2Fqueries","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkacos2000%2Fqueries","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkacos2000%2Fqueries/lists"}