DiagAnalyzer: User behavior analysis and visualization using Windows Diagnostics logs

Sungha Park, Sangjin Lee

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)


Windows Diagnostics, which is used by default in Windows 10 and Windows 11, records basic device information as well as various detailed user activities of those who use Windows. Previously, there have been several preceding studies that attempted to apply diagnostics information to digital forensics analysis, but there have been no practical methods or publicly available tools to analyze data in relation to user behavior. Therefore, this paper analyzed how three representative activities (attaching and detaching USB storage devices, web browser activities, and wireless network activities) are recorded in Window Diagnostics. Furthermore, based on the analysis results, we developed DiagAnalyzer, which automatically analyzes the diagnostics event log and visualizes the user's behavior. Through the methodology and tool of this paper, the application of Windows Diagnostics deserves further attention as an important artifact in digital forensics investigation for Windows in the future.

Original languageEnglish
Article number301450
JournalForensic Science International: Digital Investigation
Publication statusPublished - 2022 Sept

Bibliographical note

Funding Information:
This work was supported by a Korea University Grant.

Publisher Copyright:
© 2022 The Author(s)


  • Eventtranscript.db
  • Windows 10
  • Windows 11
  • Windows Diagnostics
  • Windows forensics

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law


Dive into the research topics of 'DiagAnalyzer: User behavior analysis and visualization using Windows Diagnostics logs'. Together they form a unique fingerprint.

Cite this