Windows Diagnostics, which is used by default in Windows 10 and Windows 11, records basic device information as well as various detailed user activities of those who use Windows. Previously, there have been several preceding studies that attempted to apply diagnostics information to digital forensics analysis, but there have been no practical methods or publicly available tools to analyze data in relation to user behavior. Therefore, this paper analyzed how three representative activities (attaching and detaching USB storage devices, web browser activities, and wireless network activities) are recorded in Window Diagnostics. Furthermore, based on the analysis results, we developed DiagAnalyzer, which automatically analyzes the diagnostics event log and visualizes the user's behavior. Through the methodology and tool of this paper, the application of Windows Diagnostics deserves further attention as an important artifact in digital forensics investigation for Windows in the future.
|Forensic Science International: Digital Investigation
|Published - 2022 Sept
Bibliographical noteFunding Information:
This work was supported by a Korea University Grant.
© 2022 The Author(s)
- Windows 10
- Windows 11
- Windows Diagnostics
- Windows forensics
ASJC Scopus subject areas
- Pathology and Forensic Medicine
- Information Systems
- Computer Science Applications
- Medical Laboratory Technology