Microsoft Defender Antivirus (formerly known as Windows Defender) is the antivirus software built into Microsoft Windows. It was first released for Windows XP with limited capabilities, but it has since evolved into a full antivirus product offering services such as real-time protection, browser integration, and Application Guard.
Windows, across all its versions, is the most widely used operating system in the world for both commercial and personal use. It ships with hundreds of built-in tools, including Microsoft Defender, which makes Defender one of the most widely used antivirus products. Having a record of the course of events and the threats detected on a system can be of great aid during a forensic investigation.
Windows Defender artifacts are found at the following location:
%systempartition%\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory
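As an added example (not part of this article or of ArtiFast), the following Python script shows a manual triage of the DetectionHistory folder from a mounted system partition: it hashes each file for the evidence log and pulls out the readable UTF-16LE strings (threat names and resource paths). The sample file it builds is constructed for the demo and does not reproduce Defender's real on-disk format; the detection name and the "file:_" prefix in it are illustrative assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# DetectionHistory store, relative to the root of the system partition
DETECTION_HISTORY = Path("ProgramData/Microsoft/Windows Defender/Scans/History/Service/DetectionHistory")


def extract_utf16_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of at least min_len printable ASCII chars encoded as UTF-16LE."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def triage_detection_history(system_root: Path, min_len: int = 6) -> list:
    """One dict per file: path relative to the partition root, SHA-256 (for the evidence log), UTF-16LE strings."""
    results = []
    for path in sorted((system_root / DETECTION_HISTORY).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        results.append({
            "file": str(path.relative_to(system_root)),
            "sha256": hashlib.sha256(data).hexdigest(),
            "strings": extract_utf16_strings(data, min_len),
        })
    return results


def build_sample_store(root: Path) -> Path:
    """Constructed sample for the demo: NOT Defender's real on-disk format."""
    folder = root / DETECTION_HISTORY / "01"
    folder.mkdir(parents=True)
    body = (b"\x01\x00\x00\x00"                                  # binary noise
            + "Trojan:Win32/Sample!demo".encode("utf-16-le")    # illustrative detection name
            + b"\x00\x00\x00\x00"
            + "file:_C:\\Users\\demo\\Downloads\\invoice.exe".encode("utf-16-le")
            + b"\xff\xfe")
    (folder / "00000000-0000-0000-0000-000000000001").write_bytes(body)
    return root


def run_demo() -> list:
    """Build the constructed store in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_detection_history(build_sample_store(Path(tmp)))
```

Point `triage_detection_history` at the mount point of an imaged system partition to run it on real evidence; the extracted strings are a quick first look, not a substitute for a full parser of the file format.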
This section discusses how to use ArtiFast to extract Windows Defender artifacts from Windows and what kind of digital forensic insight we can gain from them.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Defender:
Once the ArtiFast parser plugins have finished processing the artifact, it can be reviewed in “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Defender artifacts in ArtiFast.
Windows Defender Detected Threats Artifact
For more information or suggestions please contact: amro.alshadfan@forensafe.com