Windows notifications were first introduced on Windows 8 and continued with Windows 10. The feature provides real-time notifications of a variety of events such as email alerts, app updates, security alerts, reminders, and other app-specific notifications. Windows notifications are usually displayed at the bottom right side of the screen and can be viewed through the “Action Center” icon.
Notifications on Windows can hold useful data. Through these notifications we can retrieve valuable details such as the text or content of the notification that was displayed to the user, the date and time when the notification was received, the notification expiration date, and other details. This feature enables investigators to track and recover events on the user's device even if the source has been deleted.
On Windows 10 (Anniversary update onwards), notifications are stored at:
C:\Users\$username\AppData\Local\Microsoft\Windows\Notifications
Microsoft also stores information about the notifications in NTUSER.DAT registry hive at:
Software\Microsoft\Windows\CurrentVersion\PushNotifications
The Windows Notifications artifacts are stored in an SQLite database file. The database contains multiple tables recording various notifications, and each user account has its own database instance.
This section will discuss how to use ArtiFast Windows to analyze Windows 10 Notifications on Windows
machines and what kind of digital forensic insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection
phase, you can select Windows 10 Notifications Artifacts:
ArtiFast can analyze Windows 10 Notifications, Thumbnails, Handler, Handler Settings and Backed Up Info. For demonstration purposes, all the artifacts have been chosen; however, you have the option to select one or more artifacts.
Once the ArtiFast parser plugins finish processing the artifacts, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows 10 Notifications Artifacts in ArtiFast software.
Windows 10 Notifications Artifact
This artifact contains information related to user notifications. The details you can view include:
Windows 10 Notifications BackedUp Info Artifact
This artifact contains backed up information about the notifications. The details you can view include:
Windows 10 Notifications Handler Artifact
This artifact contains information related to the notification handler. The details you can view include:
Windows 10 Notifications Handler Settings Artifact
This artifact contains handler settings. The details you can view include:
Windows 10 Notifications Thumbnails Artifact
This artifact contains information related to notification thumbnails. The details you can view include:
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com