Microsoft Photos

Overview

Evidence: Microsoft Photos Description: Collect Microsoft Photos History Database Category: Applications Platform: windows Short Name: mph Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

Microsoft Photos app stores viewing history, metadata, and organizational information in SQLite databases. These databases track which photos were viewed, when, and any edits or organizational changes made within the app.

Data Collected

This collector gathers structured data about microsoft photos.

Collection Method

This collector gathers MediaDb SQLite database files from Microsoft Photos app package directories in user AppData locations.

Forensic Value

Photos history databases reveal which images were accessed, providing insights into user activity and interests. This can identify viewed evidence, exfiltrated images, or content related to investigations.