A Digital Forensic View of Windows 10 Notifications

Bibliographic details
Main author: Domingues, Patricio
Publication date: 2022
Other authors: Andrade, Luís; Frade, Miguel
Document type: Article
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
Full text: http://hdl.handle.net/10400.8/6587
Abstract: Windows Push Notifications (WPN) is a relevant part of Windows 10 interaction with the user. It is comprised of badges, tiles and toasts. Important and meaningful data can be conveyed by notifications, namely by so-called toasts that can pop up with information regarding a new incoming email or a recent message from a social network. In this paper, we analyze the Windows 10 Notification systems from a digital forensic perspective, focusing on the main forensic artifacts conveyed by WPN. We also briefly analyze Windows 11 first release’s WPN system, observing that internal data structures are practically identical to Windows 10. We provide an open source Python 3 command line application to parse and extract data from the Windows Push Notification SQLite3 database, and a Jython module that allows the well-known Autopsy digital forensic software to interact with the application and thus to also parse and process Windows Push Notifications forensic artifacts. From our study, we observe that forensic data provided by WPN are scarce, although they still need to be considered, namely if traditional Windows forensic artifacts are not available. Furthermore, toasts are clearly WPN’s most relevant source of forensic data.
Keywords: Digital forensics; Windows 10; Windows 11; Push notifications; Sqlite3
Dates: 2022-02-02T10:09:04Z; 2022-01-31
Version: publishedVersion (info:eu-repo/semantics/publishedVersion)
Citation: Domingues, P.; Andrade, L.; Frade, M. A Digital Forensic View of Windows 10 Notifications. Forensic. Sci. 2022, 2, 88–106. https://doi.org/10.3390/forensicsci2010007
Rights: openAccess (info:eu-repo/semantics/openAccess)
Format: application/pdf
Publisher: MDPI
Repository: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos), RCAAP
Institution: Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação