Windows Push Notification DB Parser (wpn)
Introduction
Starting in Windows 8, Microsoft created the Windows Push Notification Services (WNS) to allow applications to send toast, tile, badge and raw updates. The tiles are updates on application tiles such weather updates, stock updates, etc. The toasts are another word for popups that occur, for example, when a new device is plugged into the computer requesting what action to take place. The badges are small overlays on the tiles on the desktop used to show the status or act as an active counter.
Later versions of Windows 10 made changes to the internal store format of the notification records. The newer updated format makes use the SQLite architecture to store the data. Similar to the older style database, each user account has its own database instance to record the users notifications. The wpm tool only targets the newer format of the notifications in Windows 10 and not the older format that was used.
Below is example of the operating system issuing a toast that a new device was attached to the computer that have a volume label as Junk. The icon on the bottom right is an example of a badge displaying the 2 value to show the Action Center has 2 new messages. If one is interested when volumes were attached to the machine, this is one source of data, if the record of the toast can be recovered.
When using wpm to look at the internals of the toast and examining what data is captured, one can see the time the notification was sent out and the message that was displayed to the user. While this is a simple example, many other actions are recorded and can be parsed out.
How to use this tool
Many of the options used in previous TZWorks tools are carried forward with this tool. One can pipe in multiple databases from standard input into the tool to process many artifacts in one session. Timestamps can be manipulated so as to affect the desired resolution and/or format. Reports can be rendered either in CSV, Log2Timeline, or bodyfile formats. Below are the options for this tool.
One of the interesting options in wpm is its ability to scan the SQLite database's ununsed regions and slack space areas to recover discarded records. This option is -incl_slack. There is another option to bypass the SQLite library that is embedded into the tool and just carve out records, using the -carve option. When using the -carve and/or the incl_slack option, the output results will have some additional annotations that includes the absolute offset within the database where the records were pulled/recovered (see snapshot below):
For More information
The user's guide can be viewed here
If you would like more information about wpm, contact us via email.
Downloads
Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | ||||
Windows: | wpn32.v.0.30.win.zip | wpn64.v.0.30.win.zip | wpn64a.v.0.30.win.zip | md5/sha1 | ||
Linux: | wpn32.v.0.30.lin.tar.gz | wpn64.v.0.30.lin.tar.gz | wpn64a.v.0.30.lin.tar.gz | md5/sha1 | ||
Mac OS X: | Not Available | wpn.v.0.30.dmg | wpn.v.0.30.dmg | md5/sha1 | ||
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present. |