Blogs >> Windows 10 Notifications

Investigating Windows 10 Notifications

06/07/2021 Tuesday

Windows notifications were first introduced on Windows 8 and continued with Windows 10. The feature provides real-time notifications of a variety of events such as email alerts, apps updates, security alerts, reminders, and other app specific notifications. Windows notifications are usually displayed at the bottom right side of the screen and can be viewed through the “Action Center” icon.


Digital Forensics Value of Windows 10 Notifications Artifacts


Notifications on Windows can hold useful data. Through these notifications we can retrieve valuable details such as the text or content of the notification that was displayed to the user, the date and time when the notification was received, notification expiration date, and other details. This feature enables investigators to track and recover events on the user device even if the source has been deleted.


Location of Windows 10 Notifications Artifacts


On Windows 10 (Anniversary update onwards), notifications are stored in the following location: C:\Users\[useracct]\AppData\Local\Microsoft\Windows\Notifications
Microsoft also stores information about notifications in the following registry key: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\PushNotifications


Structure of Windows 10 Notifications Artifacts


The structure of the file containing Windows Notifications artifacts is an SQLite database. The file contains multiple tables recording various notifications and each user account has its own database instance.


Analyzing Windows 10 Notifications Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to analyze Windows 10 Notifications on Windows machines and what kind of digital forensic insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Windows 10 Notifications Artifacts:




Artifast can analyze Windows 10 Notifications, Thumbnails, Handler, Handler Settings and Backed Up Info. For demonstration purposes, all the artifacts have been chosen; however, you have the option to select one or more artifacts.



Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows 10 Notifications Artifacts in ArtiFast software.


Windows 10 Notifications Artifact

This artifact contains information related to user notifications. The details you can view include:


Windows 10 Notifications BackedUp Info Artifact

This artifact contains backed up information about the notifications. The details you can view include:


Windows 10 Notifications Handler Artifact

This artifact contains information related to the notification handler. The details you can view include:


Windows 10 Notifications Handler Settings Artifact

This artifact contains handler settings. The details you can view include:


Windows 10 Notifications Thumbnails Artifact

This artifact contains information related to notifications thumbnails. The details you can view include: