Windows Notepad++ desktop application is a free open-source text and source code editor. The application has been developed as an extension of the Windows default Notepad application with much more user-friendly features. Notepad++ is also commonly used by programmers as it supports the syntax for most of the popular programming languages.
Notepad++ on Windows can retain useful data as it supports various file extensions. By analyzing its left behind artifacts, we can retrieve valuable details about the files that have been opened/edited using the application. It is even possible in certain cases to retrieve backed-up versions stored by Notepad++. These details can be used to track and recover files on the user device.
Windows Notepad++ artifacts are found in the following location:
This section will discuss how to use ArtiFast to extract Notepad++ from Windows and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Notepad++ artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Notepad++ artifacts in ArtiFast.
Notepad++ Sessions Artifact
Notepad++ Last Opened Files Artifact
Notepad++ Backups Artifact
For more information or suggestions please contact: [email protected]