Windows Notification History
Overview
Evidence: Windows Notification History
Description: Collect Windows Notification History
Category: Applications
Platform: windows
Short Name: ntfh
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Action Center stores notification history from applications and system components. These databases contain messages, alerts, and notifications displayed to the user, including timestamps and content.
Data Collected
This collector gathers structured data about Windows notification history.
Collection Method
This collector gathers Appdb.dat and wpndatabase.db files from the Windows Notifications directory containing notification history and push notification data.
Forensic Value
Notification history reveals application activity, received messages, alerts, and system events. This can identify application usage, communication patterns, security warnings, and user interactions with various services.

