Investigating Windows Notepad++ Desktop Application
30/12/2022 Friday
Windows Notepad++ desktop application is a free open-source text and source code editor. The application has been developed as an extension of the Windows default Notepad application with much more user-friendly features. Notepad++ is also commonly used by programmers as it supports the syntax for most of the popular programming languages.
Digital Forensics Value of Windows Notepad++ Desktop Application
Notepad++ on Windows can retain useful data as it supports various file extensions. By analyzing its left behind artifacts, we can retrieve valuable details about the files that have been opened/edited using the application. It is even possible in certain cases to retrieve backed-up versions stored by Notepad++. These details can be used to track and recover files on the user device.
Location and Structure of Windows Notepad++ Artifacts
Windows Notepad++ artifacts are found in the following location:
C:\Users\%user%\AppData\Roaming\Notepad++\
C:\Users\%user%\AppData\Roaming\Notepad++\backup
Analyzing Windows Notepad++ with ArtiFast
This section will discuss how to use ArtiFast to extract Notepad++ from Windows and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Notepad++ artifacts:
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Notepad++ artifacts in ArtiFast.
Notepad++ Sessions Artifact
- File Name - The name of the file opened.
- File Extension - The extension of the file opened.
- Backup File Path - If the file has an automatic backup (if it has been edited and not saved).
- Language - The programming language used to write the file.
- User Read Only - Indicates whether the user has the permission to edit the file or not.
- Modification Date - The modification date and time.
Notepad++ Last Opened Files Artifact
- File Name - The name of the file opened.
- File Extension - The extension of the file opened.
- File Path - The file path of the file opened in the computer file system.
Notepad++ Backups Artifact
- File Name - The name of the file opened.
- Content - The content of the file.
- Modification Date - The last modification date and time on Notepad++.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
