
Kaspersky Details Windows 11 Forensic Artifacts and Changes With Windows 10 for Investigators

As Microsoft pulls the plug on Windows 10 support today, October 14, 2025, organizations worldwide face a pivotal shift toward Windows 11.

Yet adoption has lagged, with Kaspersky’s Global Emergency Response Team (GERT) noting in early 2025 that the decade-old Windows 7 appeared almost as frequently in investigations as the newer OS.

With Windows 10’s end-of-life accelerating upgrades, incident responders must adapt to evolving digital footprints.

Kaspersky researchers have released a timely analysis of forensic artifact changes in Windows 11 24H2, offering investigators a roadmap to uncover evidence in this latest iteration.

Windows 11 Forensic Artifacts

At the heart of Windows 11’s innovations is the controversial Recall feature, rolled out broadly in May 2025 for devices with neural processing units (NPUs) on ARM CPUs.

Designed to let users search their activity history via AI-analyzed screenshots taken every few seconds, Recall stores raw JPEG images in %AppData%\Local\CoreAIPlatform.00\UKP{GUID}\ImageStore.

Metadata embedded in Exif tags reveals window boundaries, timestamps, titles, process paths, and even browser URIs, potentially a treasure trove for reconstructing attacker movements.

However, privacy fears persist. Recall is disabled by default in enterprise editions. Its database, primarily the encrypted SQLite file ukg.db, includes tables such as App, AppDwellTime, and WindowCapture, which record app launches, dwell times, and events such as window creation or destruction.

OCR-extracted text from screenshots populates WindowCaptureTextIndex_content, aiding in spotting sensitive data slips despite filters meant to block incognito modes or password fields.

Researchers warn that these safeguards falter, making Recall exploitable by malware to harvest credentials. A registry key under Software\Policies\Microsoft\Windows\WindowsAI\ controls its activation, underscoring the need for investigators to check for unauthorized enabling.
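To make the "sensitive data slip" check concrete, here is an added example (not code from Kaspersky or from the article) that builds a constructed, in-memory SQLite database shaped like the Recall tables the article names and runs two triage queries over it: one that joins WindowCapture to its App record and OCR text and flags captures whose text looks like a literal credential, and one that totals dwell time per application. The real ukg.db is encrypted and its column layout is not given on the page, so every column name, the millisecond timestamp convention and all sample rows here are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema for a Recall-style database. The article names only the
# tables (App, AppDwellTime, WindowCapture, WindowCaptureTextIndex_content);
# every column name below is an assumption, and the real ukg.db is encrypted,
# so a real investigation works from a decrypted copy, not this layout.
SCHEMA = """
CREATE TABLE App (Id INTEGER PRIMARY KEY, Name TEXT, Path TEXT);
CREATE TABLE AppDwellTime (AppId INTEGER, DwellTimeMs INTEGER);
CREATE TABLE WindowCapture (Id INTEGER PRIMARY KEY, AppId INTEGER,
                            WindowTitle TEXT, TimeStamp INTEGER);
CREATE TABLE WindowCaptureTextIndex_content (CaptureId INTEGER, Text TEXT);
"""

# Constructed sample rows, not real data. TimeStamp is assumed to be Unix
# epoch milliseconds.
SAMPLE_ROWS = {
    "App": [
        (1, "msedge.exe", r"C:\Program Files\Microsoft\Edge\msedge.exe"),
        (2, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
    ],
    "AppDwellTime": [(1, 420000), (2, 95000), (1, 60000)],
    "WindowCapture": [
        (10, 1, "Sign in - Corporate VPN", 1760000000000),
        (11, 2, "todo.txt - Notepad", 1760000030000),
        (12, 1, "Reset password - Payroll", 1760000060000),
    ],
    "WindowCaptureTextIndex_content": [
        (10, "Username: jdoe  Password: Summer2025!  Remember me"),
        (11, "buy milk\ncall dentist"),
        (12, "New password must contain at least 12 characters"),
    ],
}

# Patterns for credential-like text. A literal "password: value" form is
# matched, but the bare word "password" in guidance text is not, so a
# reset-policy screen does not count as a leak.
SENSITIVE_PATTERNS = [
    re.compile(r"password\s*[:=]\s*\S+", re.IGNORECASE),
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # card-number-like digit run
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def ms_to_utc(ms):
    """Render an epoch-millisecond timestamp as an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def find_sensitive_captures(conn, patterns=SENSITIVE_PATTERNS):
    """Join captures to their app and OCR text; return the captures whose
    text matches a sensitive pattern, oldest first."""
    rows = conn.execute(
        """
        SELECT wc.Id, wc.TimeStamp, wc.WindowTitle, a.Path, t.Text
        FROM WindowCapture wc
        JOIN App a ON a.Id = wc.AppId
        JOIN WindowCaptureTextIndex_content t ON t.CaptureId = wc.Id
        ORDER BY wc.TimeStamp
        """
    ).fetchall()
    hits = []
    for cid, ts, title, path, text in rows:
        matched = [p.pattern for p in patterns if p.search(text)]
        if matched:
            hits.append({"capture_id": cid, "time_utc": ms_to_utc(ts),
                         "title": title, "process": path, "patterns": matched})
    return hits


def dwell_time_by_app(conn):
    """Total dwell time per application in whole seconds, longest first."""
    rows = conn.execute(
        """
        SELECT a.Name, SUM(d.DwellTimeMs) AS total
        FROM AppDwellTime d JOIN App a ON a.Id = d.AppId
        GROUP BY a.Name ORDER BY total DESC
        """
    ).fetchall()
    return [(name, total // 1000) for name, total in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_sensitive_captures(db):
        print(hit)
    print(dwell_time_by_app(db))
```

Only the VPN sign-in capture is reported: the payroll screen mentions "password" but carries no value after it, which is the distinction an investigator wants when deciding whether a screenshot actually exposed a credential rather than merely showing a login form.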

Beyond Recall, standard apps like Notepad now support tabs, persisting states post-termination in %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState.

Subfolders TabState and WindowsState hold binary files with unsaved content, paths, hashes, and timestamps, ideal for recovering malicious scripts or logs from threat actors.

A companion tool, notepad_parser, automates parsing these artifacts.

NTFS behaviors have shifted too. In the $STANDARD_INFORMATION and $FILE_NAME attributes, actions such as renaming or moving files now update access timestamps more aggressively than in Windows 10, changing which timestamps a file inherits from its previous state.

Copying or moving between volumes propagates metadata differently, demanding adjusted timelines in analyses, Kaspersky said.

Comparison of Windows 10 and Windows 11 (24H2) forensic artifacts

NTFS Attributes ($STANDARD_INFORMATION)
  Windows 10: Access timestamp updates only if the system volume is <128 GB; rename/move/copy behaviors preserve or inherit metadata selectively (e.g., access unchanged on rename/move within a volume).
  Windows 11 (24H2): Access timestamp always updates on access/rename; copy inherits original metadata; move (intra- or inter-volume) updates access to the current time; rename sets access to the modification time.
  Forensic implications: Timelines are more dynamic; artifact inheritance for file actions must be recalibrated, potentially revealing recent manipulations more clearly.

NTFS Attributes ($FILE_NAME)
  Windows 10: Timestamps/metadata unchanged on rename, intra-volume move via Explorer, or Recycle Bin placement.
  Windows 11 (24H2): Inherits access/modify timestamps and metadata from the prior $STANDARD_INFORMATION state for these events.
  Forensic implications: Enhanced tracking of file history; useful for correlating moves/deletions but complicates reconstruction if inheritance masks the originals.

Recall Feature
  Windows 10: Not available.
  Windows 11 (24H2): Takes periodic screenshots stored as JPEGs in %AppData%\Local\CoreAIPlatform.00\UKP{GUID}\ImageStore; metadata in Exif tags; encrypted SQLite ukg.db with tables (App, WindowCapture, etc.) for events, OCR text, and app dwell times.
  Forensic implications: Goldmine for user/activity reconstruction if enabled (disabled by default in enterprise); exploitable for credential theft despite filters; check the registry for activation.

Notepad Artifacts
  Windows 10: No tab persistence; basic recent files via registry/MRU.
  Windows 11 (24H2): Tab states in %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\ (TabState/WindowsState); binary files with content, paths, hashes, and timestamps for unsaved/saved tabs.
  Forensic implications: Recovers unsaved malicious scripts/logs; parse with tools like notepad_parser; absent if tab saving is disabled.

Program Compatibility Assistant (PCA)
  Windows 10: Basic logging; no dedicated text files noted.
  Windows 11 (24H2): New files in C:\Windows\appcompat\pca: PcaAppLaunchDic.txt (launches via Explorer); PcaGeneralDb*.txt (alternating, errors/exits, UTF-16LE).
  Forensic implications: Tracks legacy app runs (e.g., malware); limited to Explorer launches; Unicode paths break the ANSI file.

Windows Search Index
  Windows 10: Single ESE database: %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb (version 9180).
  Windows 11 (24H2): Three SQLite databases: Windows-gather.db (file paths via ScopeID), Windows.db (metadata in SystemIndex_1_PropertyStore, table #15), Windows-usn.db (limited value); ESE version 9400 if used.
  Forensic implications: Easier path reconstruction/metadata extraction; detect malware files via indexing; convert FILETIME timestamps.

Windows Timeline
  Windows 10: Active feature with ActivitiesCache.db for cross-device activity.
  Windows 11 (24H2): Feature removed, but %userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db persists.
  Forensic implications: Legacy data available on upgrades; no new entries, but useful for historical analysis.

Registry Hives
  Windows 10: Baseline structure with fewer keys/values.
  Windows 11 (24H2): Over 35,000 added/removed keys/values across hives (e.g., SOFTWARE, SYSTEM); no immediate forensic value identified.
  Forensic implications: Monitor for new keys (e.g., Recall management); ongoing research needed to establish significance.

Event Logs (e.g., ID 4624)
  Windows 10: Standard logon fields.
  Windows 11 (24H2): Adds a Remote Credential Guard field in Pro 22H2+.
  Forensic implications: Better authentication telemetry; aids in detecting advanced logons.

Other Security/Artifacts
  Windows 10: NTLMv1 supported; ReFS limited (no boot); Cortana/IE active; Prefetch/LNK/Amcache/Shellbags unchanged.
  Windows 11 (24H2): NTLMv1 discontinued; ReFS bootable with BitLocker; Cortana/IE artifacts remain on upgrades; HVCI/TLS 1.3/DNS over HTTPS default; TPM 2.0 mandatory.
  Forensic implications: Reduces pass-the-hash risks; challenges NTFS-focused tools on ReFS (no $MFT); consistent artifacts ease transitions.

New Traces In Search Tools

The Program Compatibility Assistant (PCA), aiding legacy app runs since Windows Vista, logs executions in C:\Windows\appcompat\pca.

Files like PcaAppLaunchDic.txt track recent launches with UTC timestamps and paths, while PcaGeneralDb0.txt and PcaGeneralDb1.txt alternate for detailed records on errors or exits, though limited to Explorer-launched programs.

Windows Search has migrated from ESE to three SQLite databases under %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows.

Windows-gather.db indexes files, with paths reconstructible via ScopeID linkages, while Windows.db stores metadata. Together they enable quick detection of indexed malware files; timestamps are stored in FILETIME format and can be converted with tools such as DCode.
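The two search-related chores this section describes, converting FILETIME values from the Windows.db property store and reading the new PCA text files, are small enough to script. The following is an added example (not code from Kaspersky or from the article): a FILETIME converter, a parser for a constructed PcaAppLaunchDic.txt sample, a UTF-16LE decoder for a constructed PcaGeneralDb record, and a triage filter that surfaces launches from user-writable locations. The article states only that the launch file holds paths with UTC timestamps and that the general files are UTF-16LE; the "path|timestamp" and "timestamp|event|path" layouts, the field names and all sample lines are assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns intervals since 1601-01-01 UTC),
    the format the Windows.db property store uses, to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed sample of PcaAppLaunchDic.txt. The article says each entry
# carries a path and a UTC timestamp; the "path|timestamp" layout used here
# is an assumption, not a documented format.
SAMPLE_LAUNCH_DIC = """\
C:\\Users\\jdoe\\Downloads\\setup_legacy.exe|2025-10-09 08:53:20.123
C:\\Program Files (x86)\\OldApp\\oldapp.exe|2025-10-08 17:02:11.000
"""

# Constructed sample of one PcaGeneralDb*.txt record, encoded UTF-16LE as the
# article states. The three-field layout (timestamp|event|path) is assumed.
SAMPLE_GENERAL_DB = (
    "2025-10-09 08:55:01.000|ABNORMAL_EXIT|C:\\Users\\jdoe\\Desktop\\prüfung\\tool.exe\n"
).encode("utf-16-le")


def parse_launch_dic(text):
    """Parse launch records into dicts holding the path and an aware UTC time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # rpartition tolerates a '|' inside the path; the timestamp is last.
        path, _, stamp = line.rpartition("|")
        launched = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
        records.append({"path": path,
                        "launched_utc": launched.replace(tzinfo=timezone.utc)})
    return records


def decode_general_db(raw):
    """Decode a PcaGeneralDb file body. Reading it as ANSI or UTF-8 instead
    mangles non-ASCII path characters, which is the breakage the article
    refers to."""
    return [line for line in raw.decode("utf-16-le").splitlines() if line]


def launches_outside_program_dirs(records,
                                  allowed=(r"C:\Program Files", r"C:\Windows")):
    """Triage helper: launches from outside the usual program directories
    (e.g. a user's Downloads folder) deserve a closer look."""
    prefixes = tuple(a.lower() for a in allowed)
    return [r for r in records if not r["path"].lower().startswith(prefixes)]


if __name__ == "__main__":
    for rec in launches_outside_program_dirs(parse_launch_dic(SAMPLE_LAUNCH_DIC)):
        print(rec["launched_utc"].isoformat(), rec["path"])
    print(decode_general_db(SAMPLE_GENERAL_DB))
    print(filetime_to_datetime(116444736000000000).isoformat())
```

The FILETIME check uses the one value every analyst can verify by hand: 116444736000000000 is the Unix epoch, so a converter that prints anything other than 1970-01-01T00:00:00 UTC for it is miscounting the 1601 offset. The UTF-16LE decode keeps the umlaut in the constructed path intact, which is exactly the case an ANSI read would corrupt.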

Smaller changes include dropping NTLMv1 to curb pass-the-hash attacks, removing the Timeline feature (though its ActivitiesCache.db database lingers on upgraded systems), and expanding ReFS support; because ReFS has no $MFT or short file names, it challenges forensic tooling built around NTFS. Event ID 4624 now flags Remote Credential Guard in logons.

Kaspersky urges triage tools to integrate these artifacts immediately, as Windows 11’s rise promises richer incident reconstructions amid rising threats.

The post Kaspersky Details Windows 11 Forensic Artifacts and Changes With Windows 10 for Investigators appeared first on Cyber Security News.

Source: cybersecuritynews.com
