ExpressVPN is a paid virtual private network service for home and individual use. The app is available for a wide range of devices, including Windows, macOS, Linux, Android, and iOS. According to the ExpressVPN website, it provides better anonymity than other VPN services. However, ExpressVPN doesn't offer trial or free versions, unlike other VPN services.
ExpressVPN is another commercial VPN service. Unlike other services, ExpressVPN claims it doesn’t collect user connection logs. Therefore, in the event of illegal network activity or cyber-attack cases, investigators may find themselves in need of analyzing artifacts left by the app.
After the installation, ExpressVPN software details and user configurations are stored at the following locations:
This section will discuss how to use ArtiFast to extract ExpressVPN artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select ExpressVPN artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the ExpressVPN artifacts in ArtiFast.
Express VPN General Information: This artifact contains general information related to the app.
ExpressVPN Settings: This artifact contains information about the settings and configuration set by the user.
For more information or suggestions please contact: firstname.lastname@example.org