| Size | Format |
|---|---|
| 924.32 KB | Adobe PDF |
Abstract(s)
Windows Push Notifications (WPN) is a relevant part of Windows 10's interaction with the
user. It comprises badges, tiles and toasts. Important and meaningful data can be conveyed
by notifications, particularly by so-called toasts that can pop up with information regarding a new
incoming email or a recent message from a social network. In this paper, we analyze the Windows
10 Notification systems from a digital forensic perspective, focusing on the main forensic artifacts
conveyed by WPN. We also briefly analyze the WPN system of the first release of Windows 11, observing that
internal data structures are practically identical to Windows 10. We provide an open source Python 3
command line application to parse and extract data from the Windows Push Notification SQLite3
database, and a Jython module that allows the well-known Autopsy digital forensic software to
interact with the application and thus to also parse and process Windows Push Notifications forensic
artifacts. From our study, we observe that forensic data provided by WPN are scarce, although
they still need to be considered, particularly if traditional Windows forensic artifacts are not available.
Furthermore, toasts are clearly WPN’s most relevant source of forensic data.
Keywords
Digital forensics; Windows 10; Windows 11; Push notifications; SQLite3
Citation
Domingues, P.; Andrade, L.; Frade, M. A Digital Forensic View of Windows 10 Notifications. Forensic. Sci. 2022, 2, 88–106. https://doi.org/10.3390/forensicsci2010007
Publisher
MDPI
