Miscellaneous Windows 10 Forensic Artifacts

The other night I started looking through my PC for potential forensic artifacts for applications that I use. I was focusing on video game applications but along the way I found some other interesting ones. Below I’ll show the artifacts for each application and explain how it could help in investigations.


Visual Studio Code

For those who don’t know the difference between Microsoft’s Visual Studio Code and the full Microsoft Visual Studio IDE: Code is essentially the free version. It is still a source code editor in which you can write, compile, and debug programs, but it is watered down and has less functionality than the full paid version of Visual Studio.

If you are investigating a suspect and want to see what programs they were developing, that information lives in the following artifact:

AppData\Code\User\workspaceStorage\<ID>\state.vscdb

Looking at the last entries in the database shows the history of the projects they were working on.

As you can see, there’s a project called “malware.cpp” in a folder called “Exploit Dev” as well as a “pyserver.py” in a folder called “Bots.” This could be the start of a botnet-related project, and it gives us a reason to examine those files a little further. If the suspect is implicated in a cyberattack, this artifact could be used to tie a project file to a piece of malware.
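The state.vscdb file is a SQLite database, so the history can be pulled out with a short script rather than by eyeballing the rows. The example below is added here and is not code from the original post or from Microsoft: it builds a throwaway database with the key/value layout I have seen in state.vscdb (a table named ItemTable with key and value columns, and a history.entries key holding JSON with file URIs) and then lists the files that history refers to. That table name, key name and JSON shape are assumptions from that layout, and the paths inside are constructed for the example; the suspect’s real file is opened read-only so the evidence is not modified.

```python
import json
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Constructed sample value shaped like the JSON VS Code keeps under the
# history.entries key (layout is an assumption; the paths are made up).
SAMPLE_HISTORY = json.dumps([
    {"editor": {"resource": "file:///c%3A/Users/suspect/Exploit%20Dev/malware.cpp"}},
    {"editor": {"resource": "file:///c%3A/Users/suspect/Bots/pyserver.py"}},
    {"editor": {"resource": "untitled:Untitled-1"}},
])


def build_sample_state_db(db_path):
    """Create a state.vscdb look-alike using the ItemTable key/value layout (assumed)."""
    con = sqlite3.connect(str(db_path))
    con.execute(
        "CREATE TABLE IF NOT EXISTS ItemTable "
        "(key TEXT UNIQUE ON CONFLICT REPLACE, value BLOB)"
    )
    con.execute("INSERT INTO ItemTable VALUES (?, ?)", ("history.entries", SAMPLE_HISTORY))
    con.commit()
    con.close()


def uri_to_windows_path(uri):
    """Turn a file:/// URI into a Windows path; return None for non-file URIs (untitled:, vscode-remote:)."""
    parts = urlparse(uri)
    if parts.scheme != "file":
        return None
    path = unquote(parts.path)            # /c:/Users/... after percent-decoding
    if len(path) > 2 and path[0] == "/" and path[2] == ":":
        path = path[1:]                   # drop the leading slash before the drive letter
    return path.replace("/", "\\")


def recent_files(db_path):
    """Return the file paths recorded in history.entries, newest last, in the order stored."""
    # Open read-only: the database is evidence and must not be written to.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    row = con.execute("SELECT value FROM ItemTable WHERE key = 'history.entries'").fetchone()
    con.close()
    if row is None:
        return []
    raw = row[0]
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    paths = []
    for entry in json.loads(raw):
        # Newer builds nest the URI under "editor"; older ones put "resource" at the top level.
        uri = entry.get("editor", {}).get("resource") or entry.get("resource")
        if not uri:
            continue
        path = uri_to_windows_path(uri)
        if path:
            paths.append(path)
    return paths


def demo():
    """Build the sample database in a temp dir and return the extracted paths."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "state.vscdb"
        build_sample_state_db(db)
        return recent_files(db)


if __name__ == "__main__":
    for p in demo():
        folder, _, name = p.rpartition("\\")
        print(f"{name:<14} in {folder}")
```

Against a real image, point `recent_files()` at a copy of the suspect’s state.vscdb (one per workspace ID). The exact key names and JSON layout change between VS Code releases, so if the query returns nothing, dump `SELECT key FROM ItemTable` first and look for the history-related keys that build uses.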


Notepad++

Notepad++ is basically a beefier version of Notepad. Though I’m sure everyone reading this already knows what Notepad++ is so I’ll just get right to the artifacts.

When you use Notepad++, it saves your session. It saves previously opened files in tabs for you to quickly jump back to instead of finding that file again. It does this by saving that information in an XML file.

AppData\Roaming\Notepad++\session.xml

This XML file gives us the programming language the file uses, the timestamp of the last time the file was modified, and the file’s location and name. Much like the Visual Studio Code artifact, this helps to see what someone was potentially working on recently.

Notepad++ also has a lovely feature where it takes a backup of a new file you’ve created in Notepad++ that you haven’t saved yet. This is helpful if you were jotting down notes or ideas and forgot to save them for later.

AppData\Roaming\Notepad++\backup\

[Screenshots: jotting down plans without saving; Notepad++ automatically backing them up; opening the backup file shows exactly what was written]

We can see that I never saved this as a file on my PC. I just opened Notepad++ and everything I typed was automatically backed up in a file. The backup filename also includes the date and time at which this new document was first created. The last modified timestamp changes like any normal file’s while the filename stays the same.
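Both Notepad++ artifacts above can be parsed with one script: session.xml for the open tabs and the backup directory for the unsaved documents. The example below is added here and is not code from the original post or from the Notepad++ project. It assumes the session.xml layout I have seen Notepad++ write, in which each File element carries lang, filename, backupFilePath and the last-modified time split into two 32-bit halves of a Windows FILETIME (originalFileLastModifTimestamp and originalFileLastModifTimestampHigh), and it assumes backup filenames of the form title@YYYY-MM-DD_HHMMSS. The sample XML and paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed session.xml in the layout Notepad++ writes (attribute names are an
# assumption from that layout; paths and values are made up for this example).
# The first tab is a saved file; the second is an unsaved "new 1" tab with a backup.
SAMPLE_SESSION = r'''<NotepadPlus>
    <Session activeView="0">
        <mainView activeIndex="1">
            <File firstVisibleLine="0" lang="Python" encoding="-1" userReadOnly="no"
                  filename="C:\Users\suspect\Bots\pyserver.py" backupFilePath=""
                  originalFileLastModifTimestamp="1219126656"
                  originalFileLastModifTimestampHigh="30885339" />
            <File firstVisibleLine="0" lang="Normal Text" encoding="-1" userReadOnly="no"
                  filename="new 1"
                  backupFilePath="C:\Users\suspect\AppData\Roaming\Notepad++\backup\new 1@2021-05-10_210107"
                  originalFileLastModifTimestamp="0"
                  originalFileLastModifTimestampHigh="0" />
        </mainView>
        <subView activeIndex="0" />
    </Session>
</NotepadPlus>'''

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BACKUP_NAME = re.compile(r"^(?P<title>.+)@(?P<stamp>\d{4}-\d{2}-\d{2}_\d{6})$")


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    # The low half may be written as a negative signed int; mask both halves to 32 bits.
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    if ticks == 0:
        return None  # 0/0 marks a tab that has never been saved to disk
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_session(xml_text):
    """Return one record per open tab: name, language, backup path and last-modified time."""
    root = ET.fromstring(xml_text)
    tabs = []
    for f in root.iter("File"):
        low = int(f.get("originalFileLastModifTimestamp", "0"))
        high = int(f.get("originalFileLastModifTimestampHigh", "0"))
        tabs.append({
            "filename": f.get("filename"),
            "lang": f.get("lang"),
            "backup": f.get("backupFilePath") or None,
            "modified": filetime_to_datetime(low, high),
        })
    return tabs


def parse_backup_name(name):
    """Split a backup filename such as 'new 1@2021-05-10_210107' (assumed format)
    into the tab title and the local time the document was first created."""
    m = BACKUP_NAME.match(name)
    if not m:
        return None
    return m.group("title"), datetime.strptime(m.group("stamp"), "%Y-%m-%d_%H%M%S")


if __name__ == "__main__":
    for tab in parse_session(SAMPLE_SESSION):
        when = tab["modified"].isoformat() if tab["modified"] else "never saved"
        print(f'{tab["filename"]:<40} {tab["lang"]:<12} modified {when}')
        if tab["backup"]:
            title, created = parse_backup_name(tab["backup"].rsplit("\\", 1)[-1])
            print(f"    unsaved tab '{title}' first created {created} (local time), backup: {tab['backup']}")
```

For a real case, read a copy of the suspect’s session.xml with `parse_session(Path(...).read_text(encoding="utf-8"))` and walk the backup folder with `parse_backup_name(p.name)`. Note that the FILETIME is UTC while the timestamp embedded in the backup filename is the machine’s local time, so normalise one of them before putting both on a timeline.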


Ledger Wallet

The Ledger Wallet is a popular hardware wallet for cryptocurrencies. Cryptocurrencies have become very popular with criminals due to their anonymous nature. However, the Ledger Live desktop app leaves a nice little database behind when the wallet is connected to and accessed from a computer.

AppData\Roaming\Ledger Live\sqlite\database_v2_ledgerlive

For obvious reasons, I will not be including a screenshot of my database file. It contains wallet and currency information for that Ledger, including potential blocks and transactions.


FileZilla

FileZilla is a popular FTP application. It’s also nice enough to save recent FTP connection information as well as any queued transfer jobs.

AppData\Roaming\FileZilla\queue.sqlite3
AppData\Roaming\FileZilla\recentservers.xml

[Screenshots: the queue database showing current jobs; the recent server connections]

The recentservers.xml file also includes the username used for each connection. These artifacts could help in a data exfiltration investigation.
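For an exfiltration case the useful question is “which files were queued to go where, as whom?”, which means joining the queue database against the recent server list. The example below is added here and is not code from the original post or from the FileZilla project. The recentservers.xml element names (Server, Host, Port, Protocol, User, Pass) and the protocol codes follow the layout I have seen FileZilla write and are assumptions; the queue schema is a simplified, constructed stand-in for queue.sqlite3 (files, servers, local_paths and remote_paths tables), and every host, user and path is made up. The parser records only whether a stored password exists and never decodes it.

```python
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed recentservers.xml in the shape FileZilla writes (element names are
# an assumption from that layout; hosts and users are made up for this example).
SAMPLE_RECENT = """<FileZilla3 version="3.55.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>exfil_user</User>
      <Pass encoding="base64">cGxhY2Vob2xkZXI=</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>10.0.0.5</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Assumed FileZilla protocol codes; anything else is reported numerically.
PROTOCOLS = {0: "FTP", 1: "SFTP", 3: "FTPS (implicit)", 4: "FTPES (explicit)"}


def parse_recent_servers(xml_text):
    """List host, port, protocol and username for every recent connection."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        proto = int(srv.findtext("Protocol", "-1"))
        servers.append({
            "host": srv.findtext("Host"),
            "port": int(srv.findtext("Port", "0")),
            "protocol": PROTOCOLS.get(proto, f"protocol {proto}"),
            "user": srv.findtext("User"),
            "stored_password": srv.find("Pass") is not None,  # presence only, never decoded
        })
    return servers


def build_sample_queue(db_path):
    """Populate a simplified, constructed queue.sqlite3 stand-in (schema is an assumption)."""
    con = sqlite3.connect(str(db_path))
    con.executescript("""
        CREATE TABLE servers (id INTEGER PRIMARY KEY, host TEXT, port INTEGER, user TEXT);
        CREATE TABLE local_paths (id INTEGER PRIMARY KEY, path TEXT);
        CREATE TABLE remote_paths (id INTEGER PRIMARY KEY, path TEXT);
        CREATE TABLE files (id INTEGER PRIMARY KEY, server INTEGER, source_file TEXT,
            local_path INTEGER, remote_path INTEGER, download INTEGER, size INTEGER);
        INSERT INTO servers VALUES (1, 'ftp.example.test', 21, 'exfil_user');
        INSERT INTO local_paths VALUES (1, 'C:\\Users\\suspect\\Documents\\');
        INSERT INTO remote_paths VALUES (1, '/upload/');
        INSERT INTO files VALUES (1, 1, 'customers.xlsx', 1, 1, 0, 2048000);
        INSERT INTO files VALUES (2, 1, 'payroll.pdf',    1, 1, 0, 512000);
        INSERT INTO files VALUES (3, 1, 'tool.zip',       1, 1, 1, 90000);
    """)
    con.close()


def pending_transfers(db_path):
    """Return each queued job with its direction; download=0 means an upload from the PC."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # evidence: read-only
    rows = con.execute("""
        SELECT s.host, s.user, lp.path, f.source_file, rp.path, f.download, f.size
        FROM files f
        JOIN servers s       ON s.id  = f.server
        JOIN local_paths lp  ON lp.id = f.local_path
        JOIN remote_paths rp ON rp.id = f.remote_path
        ORDER BY f.id
    """).fetchall()
    con.close()
    return [{"host": h, "user": u, "local": lp + src, "remote": rp + src,
             "direction": "download" if dl else "upload", "size": size}
            for h, u, lp, src, rp, dl, size in rows]


def demo():
    """Build the sample queue database in a temp dir and return (servers, transfers)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "queue.sqlite3"
        build_sample_queue(db)
        return parse_recent_servers(SAMPLE_RECENT), pending_transfers(db)


if __name__ == "__main__":
    servers, transfers = demo()
    for s in servers:
        print(f'{s["protocol"]:<16} {s["user"]}@{s["host"]}:{s["port"]}  password stored: {s["stored_password"]}')
    for t in transfers:
        print(f'{t["direction"]:<8} {t["size"]:>9} B  {t["local"]}  ->  {t["user"]}@{t["host"]}:{t["remote"]}')
```

On a real image, the queue database’s column names and the encoding of remote paths differ from this stand-in, so run `.schema` on a copy of queue.sqlite3 first and adjust the SELECT. Uploads that are still queued, combined with the username from recentservers.xml, are the rows to line up against network logs.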


That’s all for now. There were a few other potential artifacts I was able to find, but I feel like they’re even more situational than the ones above already are. For example, for every PC gaming platform there’s usually a file or database that contains the username, name, and email the owner of the PC uses to log in. This could help confirm the owner of the PC or correlate chat logs with an individual.

In the next article, I’ll take these same or similar applications and take a look at them in macOS.
