:py:mod:`dissect.target.plugins.os.windows.notifications`
==========================================================

.. py:module:: dissect.target.plugins.os.windows.notifications


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.notifications.NotificationsPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.notifications.appdb_def
   dissect.target.plugins.os.windows.notifications.c_appdb
   dissect.target.plugins.os.windows.notifications.APPDB_MAGIC
   dissect.target.plugins.os.windows.notifications.NUM_APPDB_CHUNKS
   dissect.target.plugins.os.windows.notifications.AppDBRecord
   dissect.target.plugins.os.windows.notifications.AppDBPushRecord
   dissect.target.plugins.os.windows.notifications.AppDBBadgeRecord
   dissect.target.plugins.os.windows.notifications.AppDBTileRecord
   dissect.target.plugins.os.windows.notifications.AppDBToastRecord
   dissect.target.plugins.os.windows.notifications.WpnDatabaseNotificationRecord
   dissect.target.plugins.os.windows.notifications.WpnDatabaseNotificationHandlerRecord
   dissect.target.plugins.os.windows.notifications.NOTIFICATIONS_DIR


.. py:data:: appdb_def
   :value: Multiline-String

   .. code-block:: python

      """
      typedef struct {
          char    Magic[4];               // Always b"DNPW"
          DWORD   Version;                // Versions 1 (win8) and 3 (win10) seem to exist
          QWORD   Timestamp;              // According to some sources this is LastNotificationDate,
                                          // but that seems incorrect.
          DWORD   NextNotificationId;
          DWORD   Unknown;
          char    Padding[8];
      } ChunkHeader;                      // size: 0x20

      typedef struct {
          WORD    InUse;                  // ??
          WORD    NextTileWriteIndex;     // ??
          WORD    NextToastWriteIndex;    // ??
          BYTE    Flags[2];
      } ChunkInfo;

      typedef struct {
          QWORD   Timestamp1;             // ??
          QWORD   Timestamp2;             // Is this time to refresh?
          char    Uri[1024];              // Is this the correct size?
          char    Padding[0x818 - 0x410];
      } PushDescriptor;                   // size: 0x818

      typedef struct {
          DWORD   Id;
          DWORD   Zero;                   // ??
          QWORD   Timestamp;              // ??
          WORD    Unknown;
          WORD    DataLength;
          char    Data[DataLength];
          char    Padding[0x118 - 0x14 - DataLength];
      } BadgeContent;                     // size: 0x118

      typedef struct {
          DWORD   UniqueId;               // ??
          DWORD   Zero;
          QWORD   ExpiryTime;             // The time this tile expires
          QWORD   ArrivalTime;            // The time this tile was set
          BYTE    Type;                   // ??
          BYTE    Index;
          WORD    ContentLength;
          wchar_t Name[18];
      } TileDescriptor;                   // size: 0x40

      typedef struct {
          DWORD   UniqueId;               // ??
          DWORD   Zero;
          QWORD   ExpiryTime;             // The time this toast expires
          QWORD   ArrivalTime;            // The time this toast was set
          BYTE    Type;                   // ??
          BYTE    Index;
          WORD    ContentLength;
          wchar_t Name1[17];
          wchar_t Name2[17];
      } ToastDescriptor;                  // size: 0x60

      typedef struct {
          char    Content[0x1400];
      } DataXML;                          // size: 0x1400

      typedef struct {
          ChunkHeader     Header;         // Only populated for first chunk, else zeroed
          ChunkInfo       Info;
          PushDescriptor  Push;
          BadgeContent    Badge;
          TileDescriptor  Tiles[5];       // start @ 0x958
          DataXML         TileXml[5];
          // For the in-use chunks, 0x14 ToastDescriptors have an Index, but there
          // is space for more. Maybe this is used in case of deleted entries?
          ToastDescriptor Toasts[0x14];   // start @ 0x6e98
          char            Padding1[0x1e00];   // start @ 0x7618
          DataXML         ToastXml[0x14]; // start @ 0x9418
          char            Padding2[0x13f8];   // start @ 0x22418
      } Chunk;                            // size: 0x23810
      """
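As an added example (not code from the dissect.target plugin), the following Python script derives each ``Chunk`` member's byte offset from the struct sizes stated in ``appdb_def`` and parses a ``ChunkHeader``/``ChunkInfo`` pair from a constructed buffer, rejecting a wrong magic or an unsupported version. The ``struct`` format strings are my packed little-endian reading of the definitions above; the timestamp is returned raw because the page does not settle its meaning.

```python
import struct

APPDB_MAGIC = b"DNPW"   # magic from the ChunkHeader definition above
SUPPORTED_VERSION = 3   # the plugin only handles version 3 (Windows 10)

# Little-endian, packed layouts of the fixed-size structs defined above (assumed packing).
CHUNK_HEADER = struct.Struct("<4sIQII8s")  # Magic, Version, Timestamp, NextNotificationId, Unknown, Padding
CHUNK_INFO = struct.Struct("<HHH2s")       # InUse, NextTileWriteIndex, NextToastWriteIndex, Flags
PUSH_SIZE, BADGE_SIZE, XML_SIZE = 0x818, 0x118, 0x1400
TILE_SIZE, TOAST_SIZE, NUM_TILES, NUM_TOASTS = 0x40, 0x60, 5, 0x14

def chunk_layout() -> dict:
    """Accumulate Chunk member sizes to get each member's byte offset and the total chunk size."""
    members = [("Header", CHUNK_HEADER.size), ("Info", CHUNK_INFO.size),
               ("Push", PUSH_SIZE), ("Badge", BADGE_SIZE),
               ("Tiles", NUM_TILES * TILE_SIZE), ("TileXml", NUM_TILES * XML_SIZE),
               ("Toasts", NUM_TOASTS * TOAST_SIZE), ("Padding1", 0x1E00),
               ("ToastXml", NUM_TOASTS * XML_SIZE), ("Padding2", 0x13F8)]
    offsets, pos = {}, 0
    for name, size in members:
        offsets[name] = pos
        pos += size
    offsets["size"] = pos   # one Chunk; appdb.dat holds NUM_APPDB_CHUNKS of them
    return offsets

def parse_first_chunk(data: bytes) -> dict:
    """Parse ChunkHeader and ChunkInfo at the start of appdb.dat, rejecting bad magic or version."""
    if len(data) < CHUNK_HEADER.size + CHUNK_INFO.size:
        raise ValueError("buffer too short for ChunkHeader + ChunkInfo")
    magic, version, timestamp, next_id, _unknown, _pad = CHUNK_HEADER.unpack_from(data, 0)
    if magic != APPDB_MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected {APPDB_MAGIC!r}")
    if version != SUPPORTED_VERSION:
        raise ValueError(f"unsupported appdb.dat version {version}")
    in_use, next_tile, next_toast, flags = CHUNK_INFO.unpack_from(data, CHUNK_HEADER.size)
    return {"version": version, "timestamp": timestamp, "next_notification_id": next_id,
            "in_use": in_use, "next_tile_write_index": next_tile,
            "next_toast_write_index": next_toast, "flags": flags}

# Constructed sample (not a real capture): a version-3 first-chunk header followed by its ChunkInfo.
SAMPLE = CHUNK_HEADER.pack(b"DNPW", 3, 0x01D2000000000000, 42, 0, b"\0" * 8)
SAMPLE += CHUNK_INFO.pack(1, 2, 5, b"\0\0")

if __name__ == "__main__":
    print(chunk_layout())
    print(parse_first_chunk(SAMPLE))
```

The computed offsets match the ``start @`` comments in the struct definition, which is a quick way to confirm a field-layout transcription before trusting it on real evidence.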
.. py:data:: c_appdb

.. py:data:: APPDB_MAGIC
   :value: b'DNPW'

.. py:data:: NUM_APPDB_CHUNKS
   :value: 256

.. py:data:: AppDBRecord

.. py:data:: AppDBPushRecord

.. py:data:: AppDBBadgeRecord

.. py:data:: AppDBTileRecord

.. py:data:: AppDBToastRecord

.. py:data:: WpnDatabaseNotificationRecord

.. py:data:: WpnDatabaseNotificationHandlerRecord

.. py:data:: NOTIFICATIONS_DIR
   :value: 'AppData/Local/Microsoft/Windows/Notifications'

.. py:class:: NotificationsPlugin(target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that parses the notification databases on Windows 10 machines.

   .. py:attribute:: __namespace__
      :value: 'notifications'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``). For example, check if a certain file exists. Otherwise it should raise
      an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: appdb() -> Iterator[flow.record.GroupedRecord]

      Return the data from the Windows appdb.dat file.

      This file contains data presented to the user, pushed by external sources. The appdb.dat
      file was used from Windows 8 up to Windows 10 before the Anniversary Update. This plugin
      only supports appdb.dat version 3 from Windows 10.

      .. rubric:: References

      - http://www.swiftforensics.com/2016/06/prasing-windows-10-notification-database.html

   .. py:method:: wpndatabase()

      Returns Windows Notifications from wpndatabase.db (post Windows 10 Anniversary Update).

      .. rubric:: References

      - https://inc0x0.com/2018/10/windows-10-notification-database/