Window Screenshots
Overview
Evidence: Window Screenshots
Description: Capture Screenshot of Application Windows
Category:
Platform: windows
Short Name: scr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Screenshots capture the visual state of the desktop at the time of acquisition. This can provide valuable context about what the user was doing, what applications were running, and what content was visible on screen.
Windows maintains multiple desktop windows simultaneously, and each window can be captured individually. This collector enumerates all visible windows and captures their content as PNG images.
Data Collected
This collector gathers structured data about window screenshots.
Window Screenshots Data
| Field | Description | Example |
|---|---|---|
| FilePath | Path to screenshot image | Screenshots/p1234-t5678-w90.png |
| ProcessID | Process ID owning the window | 1234 |
| ThreadID | Thread ID that created the window | 5678 |
| Handle | Window handle | 0x12345678 |
Collection Method
This collector:
- Opens the input desktop
- Enumerates all desktop windows
- Filters out invisible or transparent windows
- Captures each visible window as a PNG image
- Names each file with the pattern p{PID}-t{TID}-w{HWND}.png
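The same enumerate, filter, capture and name sequence as an added PowerShell example; it is not the collector's own code. It assumes Windows PowerShell 5.1 or later in an interactive session, captures the session's current desktop rather than calling OpenInputDesktop, and writes the handle in the file name in decimal (the page does not state the format).

```powershell
# Added example (not the collector's code): save each visible top-level window
# as Screenshots\p{PID}-t{TID}-w{HWND}.png and emit one record per capture.
Add-Type -AssemblyName System.Drawing
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class WinEnum {
    public delegate bool EnumProc(IntPtr hWnd, IntPtr lParam);
    [StructLayout(LayoutKind.Sequential)] public struct RECT { public int Left, Top, Right, Bottom; }
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool IsIconic(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern int GetWindowLongW(IntPtr hWnd, int index);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rect);
    [DllImport("user32.dll")] public static extern bool PrintWindow(IntPtr hWnd, IntPtr hdc, uint flags);
    public static List<IntPtr> TopLevelWindows() {
        var list = new List<IntPtr>();
        EnumWindows((h, p) => { list.Add(h); return true; }, IntPtr.Zero);
        return list;
    }
}
"@
$outDir = Join-Path $PWD 'Screenshots'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null
$GWL_EXSTYLE = -20; $WS_EX_TRANSPARENT = 0x20; $PW_RENDERFULLCONTENT = 2
foreach ($h in [WinEnum]::TopLevelWindows()) {
    # Skip windows that are hidden, minimized, or marked click-through transparent.
    if (-not [WinEnum]::IsWindowVisible($h) -or [WinEnum]::IsIconic($h)) { continue }
    if (([WinEnum]::GetWindowLongW($h, $GWL_EXSTYLE) -band $WS_EX_TRANSPARENT) -ne 0) { continue }
    $rect = New-Object WinEnum+RECT
    [void][WinEnum]::GetWindowRect($h, [ref]$rect)
    $w = $rect.Right - $rect.Left; $hgt = $rect.Bottom - $rect.Top
    if ($w -le 0 -or $hgt -le 0) { continue }   # zero-size windows have nothing to capture
    $procId = [uint32]0                          # $pid is reserved in PowerShell
    $tid = [WinEnum]::GetWindowThreadProcessId($h, [ref]$procId)
    $bmp = New-Object System.Drawing.Bitmap $w, $hgt
    $g = [System.Drawing.Graphics]::FromImage($bmp)
    $hdc = $g.GetHdc()
    # PrintWindow renders the window's own content even where other windows overlap it.
    [void][WinEnum]::PrintWindow($h, $hdc, $PW_RENDERFULLCONTENT)
    $g.ReleaseHdc($hdc); $g.Dispose()
    $file = Join-Path $outDir ('p{0}-t{1}-w{2}.png' -f $procId, $tid, $h.ToInt64())
    $bmp.Save($file, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
    [pscustomobject]@{ FilePath = $file; ProcessID = $procId; ThreadID = $tid; Handle = ('0x{0:X}' -f $h.ToInt64()) }
}
```

Run it from the directory where the Screenshots folder should be created; each emitted object carries the same four fields the collector records.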
Forensic Value
Screenshots provide immediate visual context for investigations, revealing user activity, open applications, visible documents, browser tabs, chat conversations, and potential evidence of data exfiltration or unauthorized access. This evidence is particularly valuable for insider threat investigations, data breach response, and documenting user actions at the time of acquisition.