Modern operating systems come equipped with software designed to improve user experience and offer a user-friendly environment while maintaining seamless integration and constant operation times, even when tackling demanding tasks. Applications generate extensive operation logs to aid the diagnostics and maintenance processes. Modern software often relies on the mechanism for cashing and storing additional data that can later be used to access requested resources faster, improving performance. These behaviors often lead to the creation of software artifacts in the form of logs, temporary files, and databases. These artifacts become crucial sources of information in forensic investigations. This paper analyses a set of artifacts created by the Microsoft Photos application that is the default photo viewer and editor in the Windows 10 operating system. Conducted research indicates that a large amount of potentially useful information is created during normal software operation. These fragments can be located and analyzed in files located in system directories. Further exploration reveals a set of valid digital forensic assets. These consist of user action logs, facial recognition identification results, optical character recognition strings acquired from images, metadata, information on devices used to capture the photo, and other information sources.
L. Jovanović, S. Adamović, “Digital Forensics Artifacts of the Microsoft Photos Application in Windows 10,” in Sinteza 2022 - International Scientific Conference on Information Technology and Data Related Research, Belgrade, Singidunum University, Serbia, 2022, pp. 427-434. doi:10.15308/Sinteza-2022-427-434
Jovanović, L., Adamović, S. (2022). Digital Forensics Artifacts of the Microsoft Photos Application in Windows 10. Paper presented at Sinteza 2022 - International Scientific Conference on Information Technology and Data Related Research. doi:10.15308/Sinteza-2022-427-434