Investigating Windows Calendar

08/10/2021 Friday

Calendar is a built-in Windows application developed by Microsoft. It helps users manage their schedules, meetings, reminders, appointments, and other types of events. It can also synchronize calendars with Microsoft Exchange Server, Outlook, Apple's iCloud calendar, and Google Calendar, and it supports the popular iCalendar format.

Digital Forensics Value of Windows Calendars

The importance of calendars lies in their function: they let us organize our daily commitments, and in doing so they create a timeline of events that can give forensic investigators visual insight into someone's activities, habits, plans, and availability.

Location of Windows Calendars Artifact

Windows Calendar artifacts are stored in the following location:


Structure of Windows Calendar Artifact

Windows Calendar stores its data in an ICS (Internet Calendar Scheduling) file, also called a Calendar Events (ICS) file or iCalendar file. ICS files use a universal calendar format supported by several email and calendar programs, including Outlook, Google Calendar, and Apple Calendar. Calendar files are saved in a plain text format that contains information such as the title, summary, start time, and end time for the calendar event. The format also supports event updates and cancellations.

An iCalendar file consists of multiple sections, each starting with "BEGIN:" and ending with "END:". The global section that holds all the other sections is called "VCALENDAR". The other sections include "VEVENT" for events, "VTODO" for to-do items, "VJOURNAL" for journal entries, and "VTIMEZONE" for time zone information. Sections of the same type can be repeated. For example, multiple "VEVENT" sections can occur in an iCalendar file to describe multiple events.
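The section structure described above can be walked with a short script to build an event timeline by hand. This is an added example, not ArtiFast's code or part of the original article; the sample calendar is constructed, and the parser assumes property parameters contain no quoted ":" characters and does not apply time zones.

```python
import re
from datetime import datetime

# Constructed sample for illustration, not taken from a real evidence file.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Quarterly review\r\n  with finance\r\n"
    "DTSTART;TZID=Europe/Berlin:20210812T140000\r\n"
    "DTEND;TZID=Europe/Berlin:20210812T150000\r\nEND:VEVENT\r\n"
    "BEGIN:VTODO\r\nSUMMARY:Renew passport\r\nEND:VTODO\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Dentist\r\nDTSTART:20210810T090000Z\r\n"
    "DTEND:20210810T093000Z\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def parse_components(text):
    """Return [(section_name, {property: value})] for every BEGIN/END section."""
    # Unfold: a line break followed by one space or tab continues the previous line.
    lines = re.sub(r"\r?\n[ \t]", "", text).splitlines()
    stack, done = [], []
    for line in filter(None, lines):
        name, _, value = line.partition(":")
        name = name.split(";")[0].upper()  # drop parameters such as ;TZID=...
        if name == "BEGIN":
            stack.append((value.strip().upper(), {}))
        elif name == "END":
            if not stack or stack[-1][0] != value.strip().upper():
                raise ValueError(f"unbalanced END:{value}")  # truncated or damaged file
            done.append(stack.pop())
        elif stack:
            stack[-1][1][name] = value
    if stack:
        raise ValueError(f"missing END:{stack[-1][0]}")
    return done

def _when(value):
    """Parse a DATE-TIME or DATE value as written; no time zone conversion."""
    value = value.rstrip("Z")
    return datetime.strptime(value, "%Y%m%dT%H%M%S" if "T" in value else "%Y%m%d")

def event_timeline(text):
    """Sorted (start, end, summary) tuples built from VEVENT sections only."""
    rows = []
    for kind, props in parse_components(text):
        if kind == "VEVENT" and "DTSTART" in props:
            end = _when(props["DTEND"]) if "DTEND" in props else None
            rows.append((_when(props["DTSTART"]), end, props.get("SUMMARY", "")))
    return sorted(rows, key=lambda row: row[0])
```

Because the TZID parameter and the trailing "Z" are dropped, the timestamps are the values as written in the file and need to be normalized before they are correlated with other artifacts.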

Analyzing Windows Calendar Artifact with ArtiFast Windows

This section will discuss how to use ArtiFast to extract Windows Calendar artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Windows Calendar Artifact:

Once the ArtiFast parser plugins finish processing the artifacts, the results can be reviewed via "Artifact View" or "Timeline View", with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows Calendar artifact in ArtiFast Windows.

Windows Calendar Events (ICS) Artifact

This artifact contains information about events and appointments that are recovered from calendar .ics files such as: