Windows Terminal is the modern terminal application in Windows 10 operating system. It is a terminal application for command-line tools and shells like command prompt, PowerShell, and Windows Subsystem for Linux (WSL). Windows Terminal can only be installed on Windows 10 version 18362.0 or higher.
Windows Terminal can interpret various command-line applications. The versatility of the Windows Terminal provides valuable information during the investigations. Especially the settings of the Windows Terminal provides information about the installed command-line tools. Stored values give details about WSL, including remote IP addresses, domain name and port numbers used.
Windows Terminal data can be extracted from the following location:
Windows Terminal is a package that can be installed from the Microsoft Store. After installation, the Windows Terminal application creates a “settings.json” file under the C:\Users\%UserProfile%\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\ directory. This file is text based and it contains configuration details of the Windows Terminal application.
This section will discuss how to use ArtiFast Windows to extract Windows Terminal artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Terminal artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Terminal artifacts in ArtiFast.
Windows Terminal Artifact
The artifact contains information related to Windows Terminal application. The details you can view include:
For more information or suggestions please contact: firstname.lastname@example.org