ExpressVPN is a paid virtual private network service for home and individual use. The app is available for a wide range of devices, including Windows, macOS, Linux, Android, and iOS. According to the ExpressVPN website, it provides better anonymity than other VPN services. However, ExpressVPN doesn't offer trial or free versions, unlike other VPN services.
ExpressVPN is another commercial VPN service. Unlike other services, ExpressVPN claims it doesn’t collect user connection logs. Therefore, when investigating illegal network activity or a cyber-attack, investigators may need to analyze the artifacts the app leaves on the device.
After the installation, ExpressVPN software details and user configurations are stored at the following locations:
C:\Users\%Username%\AppData\Local\ExpressVPN
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products
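To inventory the first location on a mounted image before or alongside tool-based parsing, the following added example (not part of the original article and not ArtiFast's parser) walks every user profile for the ExpressVPN folder and records each file's size, modification time and SHA-256. It assumes the image is mounted read-only and that evidence_root, a hypothetical parameter name, is the directory that contains the Users folder.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Relative location from the article: C:\Users\%Username%\AppData\Local\ExpressVPN
ARTIFACT_SUBPATH = Path("AppData") / "Local" / "ExpressVPN"


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_expressvpn(evidence_root):
    """Return one record per file under every profile's ExpressVPN folder.

    evidence_root (assumption): root of a read-only mounted image,
    i.e. the directory that contains the Users folder.
    """
    records = []
    users_dir = Path(evidence_root) / "Users"
    if not users_dir.is_dir():
        return records
    for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        app_dir = profile / ARTIFACT_SUBPATH
        if not app_dir.is_dir():
            continue  # no ExpressVPN folder in this profile
        for item in sorted(app_dir.rglob("*")):
            if not item.is_file():
                continue
            info = item.stat()
            records.append({
                "user": profile.name,
                "path": item.relative_to(app_dir).as_posix(),
                "size": info.st_size,
                "modified_utc": datetime.fromtimestamp(
                    info.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_of(item),
            })
    return records


if __name__ == "__main__":
    import sys
    for record in inventory_expressvpn(sys.argv[1]):
        print(record)
```

Run it with the mount point as the only argument; the hashes let you confirm later that the files a parser processed are the ones you collected.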
This section will discuss how to use ArtiFast to extract ExpressVPN artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, you can select ExpressVPN artifacts at the Artifact Selection phase.
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the ExpressVPN artifacts in ArtiFast.
Express VPN General Information: This artifact contains general information related to the app.
ExpressVPN Settings: This artifact contains information about the settings and configuration set by the user.
For more information or suggestions, please contact: ummulkulthum.wambai@forensafe.com