Notepad++ Sessions

Overview

Evidence: Notepad++ Sessions
Description: Collect Notepad++ Search History & Sessions
Category: Applications
Platform: windows
Short Name: ntpd
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Notepad++ stores session files (session.xml) with open files and tabs, configuration settings (config.xml) with search history and preferences, and backup files of unsaved documents. This data reveals editing activity and file access.

Data Collected

This collector gathers structured data about notepad++ sessions.

Collection Method

This collector gathers Notepad++ session XML files, configuration XML files, and backup directories from both Roaming and legacy Application Data directories.

Forensic Value

Notepad++ artifacts reveal edited files, search queries, recently accessed documents, and unsaved content in backups. This is critical for identifying viewed/edited code, scripts, configuration files, logs, and documents that may contain evidence or reveal attacker activities.