From 29c2307eb970793918a86785fb1bb008638d5e85 Mon Sep 17 00:00:00 2001
From: Zane Gittins <22203776+zaneGittins@users.noreply.github.com>
Date: Wed, 4 Dec 2024 08:15:10 -0800
Subject: [PATCH] Create Windows.Forensics.NotificationsDatabase.yaml
---
 ...ndows.Forensics.NotificationsDatabase.yaml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 content/exchange/artifacts/Windows.Forensics.NotificationsDatabase.yaml
diff --git a/content/exchange/artifacts/Windows.Forensics.NotificationsDatabase.yaml b/content/exchange/artifacts/Windows.Forensics.NotificationsDatabase.yaml
new file mode 100644
index 00000000000..fa16e14639d
--- /dev/null
+++ b/content/exchange/artifacts/Windows.Forensics.NotificationsDatabase.yaml
@@ -0,0 +1,59 @@
+name: Windows.Forensics.NotificationsDatabase
+author: Zane Gittins
+description: |
+ Parses the Win10/11 notifications database, which contains events for badges, tiles, and toasts shown to each user.
+
+# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT or NOTEBOOK
+type: CLIENT
+
+parameters:
+ - name: UserRegex
+ default: .
+ - name: SearchGlob
+ default: "C:/Users/*/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db"
+
+sources:
+ - precondition:
+ SELECT OS From info() where OS = 'windows'
+
+ query: |
+ LET Files <= SELECT *
+ FROM glob(globs=SearchGlob)
+ WHERE OSPath =~ UserRegex
+ LET Notifications <= SELECT *
+ FROM foreach(
+ row=Files,
+ query={
+ SELECT *
+ FROM sqlite(file=OSPath,
+ accessor="auto",
+ query="SELECT * FROM Notification")
+ })
+ LET Handlers <= SELECT *
+ FROM foreach(
+ row=Files,
+ query={
+ SELECT *
+ FROM sqlite(file=OSPath,
+ accessor="auto",
+ query="SELECT * FROM NotificationHandler")
+ })
+ LET Results = SELECT *, {
+ SELECT *
+ FROM Handlers
+ WHERE RecordId = HandlerId
+ } AS HandlerInfo
+ FROM Notifications
+ SELECT Id,
+ HandlerInfo.PrimaryId AS Application,
+ HandlerId,
+ Type,
+ timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
+ timestamp(winfiletime=ArrivalTime) AS ArrivalTime,
+ Payload AS PayloadRaw,
+ Tag,
+ Group,
+ DataVersion,
+ PayloadType,
+ HandlerInfo
+ FROM Results
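Review bot: The handler join at `WHERE RecordId = HandlerId` is keyed on RecordId alone, but `Handlers` and `Notifications` are each built from every database matched by `SearchGlob` with no column recording which file a row came from, so on a multi-user host a notification can be paired with a handler row carrying the same RecordId from another user's wpndatabase.db and be attributed to the wrong Application. Performing the join inside the per-file foreach keeps each database's notifications paired only with its own handlers and lets the output carry the source path; a sketch follows (the LET inside the foreach subquery is as I understand VQL scoping, worth confirming). Separately, the description could note that on a live host the database may be in WAL mode, in which case recent records still in the `-wal` file may be missed when the locked file is read through the raw fallback of `accessor="auto"` — I am not certain of this database's journal mode, so treat that as something to verify rather than a stated fact.
```yaml
    query: |
      LET Files <= SELECT *
      FROM glob(globs=SearchGlob)
      WHERE OSPath =~ UserRegex

      // Join per database so RecordId is only compared within one user's file.
      LET Results = SELECT *
      FROM foreach(
        row=Files,
        query={
          LET Handlers <= SELECT *
            FROM sqlite(file=OSPath,
                        accessor="auto",
                        query="SELECT * FROM NotificationHandler")

          SELECT *, OSPath AS DatabasePath, {
              SELECT * FROM Handlers WHERE RecordId = HandlerId
          } AS HandlerInfo
          FROM sqlite(file=OSPath,
                      accessor="auto",
                      query="SELECT * FROM Notification")
        })

      SELECT Id,
        DatabasePath,
        HandlerInfo.PrimaryId AS Application,
        // … unchanged: remaining output columns …
        HandlerInfo
      FROM Results
```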