Blog >> Windows Photos

Investigating Windows Photos

04/06/2021 Friday

Windows Photos is an image organizer, graphic editor, and video editor by Microsoft. In Windows 8, it was originally released as a better alternative for Windows Photo Viewer. It has integrated Microsoft Sway where selected photographs can also be used as a source for generating a Sway project. In Windows Photos, users can also share images by uploading them to OneDrive, Facebook, Twitter, Instagram, and GroupMe.

Digital Forensics Value of Windows Photos Artifacts

Windows Photos artifacts provide information and data about files, images, and graphics that a user created, edited, and deleted. Tracking such information is critical during the digital forensic analysis process and helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of Windows Photos Artifacts

In Windows 10 Windows Photos artifacts are located at:

C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite

Structure of Windows Photos Artifacts

Windows Photos artifacts are found within the MediaDb.v1.sqlite database file. This Database file contains 100+ tables, however, only a subset of these tables contains forensically valuable information.

Analyzing Windows Photos Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Windows Photos artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Windows Photos artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Photos artifacts in ArtiFast software.

Widows Photos Items Artifact

• Item Duration - Item duration.
• Item File Size - Item file size.
• Item Height - Item height.
• Item Width - Item width.
• Folder Display Name - Folder display name.
• Folder Path - Folder path.
• Item File Extension - Item file extension.
• Item File Name - Item file name.
• Item Frame Rate - Item frame rate.
• Source UserName - Source username.
• Item Date Created - The date and time an item was created.
• Item Date Modified - The date and time an item was modified.
• Item Date Taken - The date and time an item was taken.

Widows Photos Collection Artifact

• Item Filename - File name(s) of the items.
• Item File Extension - Extension of the file.
• Item File Size - File size.
• Item Date Taken - The date and time an item was taken (in LDAP Format).
• Item Width - Item (Picture) width in pixels.
• Item Height - Item (Picture) height in pixels.
• Item Date Created - The date and time an item was created (in LDAP Format).
• Item Date Modified - The date and time an item was Modified (in LDAP Format).
• Application Name Id - The application name id.
• Application Name Text - The application name text.
• Camera Manufacturer Id - Camera manufacturer unique Id.
• Camera Manufacturer Text - Camera manufacturer name.
• Camera Model Id - Camera manufacturer unique Id.
• Camera Model Text - Camera model name.
• Source Id - Source (Account) unique Id.
• Source Username - Source (Account) username.
• Source User Id - Source (Account) specific user Id.
• Location Country Id - Location country unique Id.
• Location Country Name - Location country name.
• Location Region Id - Location region unique Id.
• Location Region Name - Location region name.
• OCR Item Id - Unique OCR Item Id.
• OCR Item Text View Text - OCR text of specific photo.

Windows Photos Album Artifact

• Album Name - Title of the album.
• Album Date Created - The date and time an album was created (in LDAP Format).
• Album Date Updated - The date and time an album was updated (in LDAP Format).
• Album Date Viewed - The date and time an album was viewed (in LDAP Format).

Widows Photos People Artifact

• Person Id - Person Id number.
• Person Name - Name of the person.
• Person Item Count - Indicates the total number of the items, pictures, related to that person.

Widows Photos Folders Artifact

• Folder Id - Unique ID of the folder.
• Folder Source - Source (Account) of the folder.
• Folder Path - The folder path.
• Folder Display Name - Folder name.
• Folder Date Created - The date and time the folder was created (in LDAP Format).
• Folder Date Modified - The date and time the folder was modified (in LDAP Format).