Blog >> Windows Defender

Investigating Windows Defender

02/12/2022 Friday

Microsoft Defender Antivirus (formerly known as Windows Defender) is a built-in antivirus software from Microsoft Windows. It was first released for Windows XP with limited capabilities but, it evolved ever since to a full antivirus software offering services such as real-time protection, browser integration, and application guard.

Digital Forensics Value of Windows Defender


Windows in all its versions is the most used operating system around the world for both commercial and personal use. Windows has hundreds of built-in tools including Microsoft Defender; which makes it one of the most used antivirus software. Having information about the course of events and the threats detected on a system can be of great aid during forensic investigation.

Location of Windows Defender Artifacts


Windows Defender artifacts are found at the following location :
%systempartititon%\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory




Analyzing Windows Defender Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Windows Defender from Windows and what kind of digital forensics insight we can gain from the artifacts

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Defender:






Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iOS Windows Defender artifacts in ArtiFast.


Windows Defender Detected Threats Artifact




For more information or suggestions please contact: [email protected]