This note documents detection patterns related to Windows Push Notifications / User-visible Application Telemetry within Windows environments.
- Triage with sqlite3 or DB Browser for SQLite; the .wal files contain uncommitted transactions and should be merged into the main database prior to investigation (work on a forensic copy).

Direct Indicators

| Source | Table / Field | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| wpndatabase.db | Notification.Payload | Full toast content shown to user | Critical | Often contains exact message text |
| wpndatabase.db | Notification.ArrivalTime | Local notification arrival timestamp | Critical | FILETIME format |
| wpndatabase.db | Notification.ExpiryTime | Notification expiration timestamp | High | Helps timeline reconstruction |
| wpndatabase.db | NotificationHandler | Source application mapping | Critical | Identifies app generating toast |
| wpndatabase.db | HandlerAssets | App icon / asset references | Medium | Useful for source attribution |
| wpndatabase.db-wal | - | Recent uncommitted notifications | Critical | Often the freshest evidence |
| Notification Cache | - | Cached images | Medium | Avatar / sender / logo evidence |
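The triage steps above (merge the WAL, read Notification.Payload, convert the FILETIME stamps, map each toast to its source app via NotificationHandler), as an added example that is not part of the original note. It runs against a constructed stand-in database; the table and column names (Notification.HandlerId, NotificationHandler.RecordId / PrimaryId, Type = 'toast') follow the commonly documented wpndatabase.db layout and are an assumption to verify against the real file.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def open_checkpointed(path: str) -> sqlite3.Connection:
    """Open the (copied) database and fold the -wal file into the main file,
    so recent, not-yet-checkpointed notifications are included in queries."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    return con

def toast_timeline(con: sqlite3.Connection) -> list[dict]:
    # Assumed schema: Notification.HandlerId -> NotificationHandler.RecordId,
    # PrimaryId names the app that generated the toast.
    sql = """SELECT h.PrimaryId, n.Payload, n.ArrivalTime, n.ExpiryTime
             FROM Notification n JOIN NotificationHandler h ON n.HandlerId = h.RecordId
             WHERE n.Type = 'toast' ORDER BY n.ArrivalTime"""
    out = []
    for app, payload, arrived, expires in con.execute(sql):
        if isinstance(payload, bytes):  # Payload is a BLOB holding the toast XML
            payload = payload.decode("utf-8", "replace")
        out.append({"app": app, "payload": payload,
                    "arrived": filetime_to_utc(arrived).isoformat(),
                    "expires": filetime_to_utc(expires).isoformat()})
    return out

def build_sample_db(path: str) -> None:
    """Constructed stand-in for wpndatabase.db (sample rows, not real evidence)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.executescript("""
        CREATE TABLE NotificationHandler(RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification(Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                                  Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
        INSERT INTO NotificationHandler VALUES (1, 'constructed.example.chatapp');
        INSERT INTO NotificationHandler VALUES (2, 'constructed.example.tileapp');""")
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    toast = b'<toast><visual><binding template="ToastGeneric"><text>Alice</text>' \
            b'<text>Are you at your desk?</text></binding></visual></toast>'
    con.execute("INSERT INTO Notification VALUES (?,?,?,?,?,?)", (10, 1, 'toast', toast,
                utc_to_filetime(t0), utc_to_filetime(t0 + timedelta(minutes=30))))
    con.execute("INSERT INTO Notification VALUES (?,?,?,?,?,?)",  # non-toast row is filtered out
                (11, 2, 'tile', b'<tile/>', utc_to_filetime(t0), utc_to_filetime(t0)))
    con.commit()
    con.close()

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wpndatabase.db")
        build_sample_db(path)
        con = open_checkpointed(path)
        rows = toast_timeline(con)
        con.close()
        return rows
```

Point `open_checkpointed` at a copy of the collected wpndatabase.db (with its -wal file alongside) to produce the same per-app toast timeline from real data.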

Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Slack toast with message body | Message rendered locally | Critical | Confirms endpoint delivery |
| Teams / Outlook alert | User communication event | High | Correlates with mailbox/chat evidence |
| MFA prompt | Login / auth interaction | Critical | Strong auth timeline signal |
| Browser push alert | Web activity | High | Confirms active session |
| Security warning toast | Defender / AV alert | Critical | Security control response |
| Repeated notification burst | Session activity window | High | Helps user presence analysis |