Windows Notification History
Overview
Evidence: Windows Notification History
Description: Collect Windows Notification History
Category: Applications
Platform: windows
Short Name: ntfh
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Action Center stores notification history from applications and system components. These databases contain messages, alerts, and notifications displayed to the user, including timestamps and content.
Data Collected
This collector gathers structured data about Windows notification history.
Collection Method
This collector gathers Appdb.dat and wpndatabase.db files from the Windows Notifications directory containing notification history and push notification data.
Forensic Value
Notification history reveals application activity, received messages, alerts, and system events. This can identify application usage, communication patterns, security warnings, and user interactions with various services.