Investigating Windows Notepad++ Desktop Application

30/12/2022 Friday

The Windows Notepad++ desktop application is a free, open-source text and source code editor. It was developed as an extension of the default Windows Notepad application, with many more user-friendly features. Notepad++ is also commonly used by programmers, as it supports the syntax of most popular programming languages.

Digital Forensics Value of Windows Notepad++ Desktop Application

Notepad++ on Windows can retain useful data as it supports various file extensions. By analyzing the artifacts it leaves behind, we can retrieve valuable details about the files that have been opened or edited using the application. In certain cases, it is even possible to retrieve backed-up versions stored by Notepad++. These details can be used to track and recover files on the user's device.
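An added example, not part of the original article or of ArtiFast: a minimal parser for a Notepad++ session file that lists the tabs it records and the backup snapshots worth collecting. The `<File>` element layout and the `filename`/`backupFilePath` attribute names are assumptions about the `session.xml` format, and every path in the sample is a constructed placeholder.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample. Assumed layout: <File> entries under <mainView>/<subView>,
# each carrying filename and backupFilePath attributes. Paths are placeholders.
SAMPLE_SESSION = r"""<NotepadPlus>
  <Session activeView="0">
    <mainView activeIndex="1">
      <File filename="C:\Users\analyst\Documents\report.txt" lang="Normal Text" backupFilePath="" />
      <File filename="new 1" lang="Normal Text" backupFilePath="C:\EXAMPLE\backup\new 1@2022-12-30_101500" />
    </mainView>
    <subView activeIndex="0">
      <File filename="C:\Users\analyst\Desktop\deploy.ps1" lang="PowerShell" backupFilePath="C:\EXAMPLE\backup\deploy.ps1@2022-12-30_101742" />
    </subView>
  </Session>
</NotepadPlus>"""


def parse_session(xml_text):
    """Return one record per tab recorded in the session file."""
    root = ET.fromstring(xml_text)
    records = []
    for view in ("mainView", "subView"):
        for entry in root.findall(f"./Session/{view}/File"):
            name = entry.get("filename", "")
            backup = entry.get("backupFilePath", "")
            records.append({
                "view": view,
                "filename": name,
                "language": entry.get("lang", ""),
                # A name with no directory part is a tab that was never saved to disk.
                "never_saved": ntpath.dirname(name) == "",
                "backup": backup or None,
            })
    return records


def recovery_candidates(records):
    """Backup snapshot paths to collect from the evidence image."""
    return [r["backup"] for r in records if r["backup"]]


if __name__ == "__main__":
    for rec in parse_session(SAMPLE_SESSION):
        print(rec)
    print("collect:", recovery_candidates(parse_session(SAMPLE_SESSION)))
```

Tabs flagged `never_saved` that still have a backup path are the most interesting for recovery, since their content may exist only in the snapshot.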

Location and Structure of Windows Notepad++ Artifacts

Windows Notepad++ artifacts are found in the following location:

Analyzing Windows Notepad++ with ArtiFast

This section discusses how to use ArtiFast to extract Notepad++ artifacts from Windows and what kind of digital forensics insight we can gain from them.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Notepad++ artifacts:

Once the ArtiFast parser plugins finish processing the artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Notepad++ artifacts in ArtiFast.

Notepad++ Sessions Artifact

Notepad++ Last Opened Files Artifact

Notepad++ Backups Artifact

