Blog >> Windows Terminal

Investigating Windows Terminal

06/04/2021 Tuesday

Windows Terminal is a modern terminal program for command line and shell users, such as Command Prompt, PowerShell, and Linux Windows Subsystem (WSL). Multiple windows, panes, support for Unicode and UTF-8 characters, a GPU accelerated text rendering engine and the ability to build your own themes and configure text, colors, backgrounds, and shortcuts are its key features. In addition to that, Windows Terminal now supports mouse input in Windows Subsystem for Linux (WSL) applications as well as Windows applications that use virtual terminal (VT) input.


Digital Forensics Value of Windows Terminal Artifacts


In windows terminal you may use command line arguments to open in a particular configuration. You may decide the profile to open in the new tab, which folder directory to choose, open the split window pane terminal, and pick the tab to concentrate on. tracking such information is critical during the digital forensic analysis process.


Location of Windows Terminal Artifacts


Windows 10: C:\Users\UserName\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\


Structure of Windows Terminal Artifacts


The windows terminal data can be extracted using FTK imager and it is a text file that contains the following attributes:


Analyzing Windows Terminal Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to extract Windows Terminal artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select Windows Terminal artifacts:






Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows terminal artifact in ArtiFast software.


Widows Terminal Artifact

The details you can view include: