Evidence: Microsoft Photos
Description: Collect Microsoft Photos History Database
Category: Applications
Platform: windows
Short Name: mph
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Microsoft Photos app stores viewing history, metadata, and organizational information in SQLite databases. These databases track which photos were viewed, when, and any edits or organizational changes made within the app.
Data Collected
This collector gathers structured data about microsoft photos.
Collection Method
This collector gathers MediaDb SQLite database files from Microsoft Photos app package directories in user AppData locations.
Forensic Value
Photos history databases reveal which images were accessed, providing insights into user activity and interests. This can identify viewed evidence, exfiltrated images, or content related to investigations.
