Skip to content
AIR Knowledge Base

Search History

Overview

Section titled “Overview”

Evidence: Search History
Description: Collect Windows Start Menu Search History
Category: Applications
Platform: windows
Short Name: srch
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Section titled “Background”

Windows Start Menu and search bar maintain history of user searches, including files searched for, applications launched, and web queries. This data is stored in the ConnectedSearch directory.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about search history.

Collection Method

Section titled “Collection Method”

This collector gathers files from the Windows ConnectedSearch History directory containing search queries and interaction history.

Forensic Value

Section titled “Forensic Value”

Search history reveals user intent, files accessed, applications used, and information sought. This can identify attempts to find specific files, delete evidence, or search for security tools and anti-forensics software.