Forensic Tools

The Forensic Tools section contains several system analysis tools designed to help experts collect essential evidence faster. Using these features does not require the user’s or administrator’s password. The tools include:

Timeline: allows reviewing the user’s activities logged by the Windows Timeline. This includes the list of launched apps and past activities laid out in a convenient timeline view.

Recent files and folders: lists recently accessed files and folders.

Installed apps: lists applications installed in the system.

To access the Forensic Tools section, click the “Forensic Tools” shortcut at the bottom of the main window.

01_Data-source

The following forensic tools are available: Installed Apps, Timeline, and Recent files and folders.

02_Forensic-tools

Installed apps

The Installed apps tool displays the list of applications installed in the system being investigated:

03_Installed-apps_01

When using this tool, you can choose between listing regular applications or installation packages. This is what the list of regular applications looks like:

03_Installed-apps_Results

The list of installation packages corresponds to the list of apps displayed in the Windows Control Panel (add/remove programs). This is what it looks like:

03_Installed-apps_Results_Packs_Only

You can export the list of installed applications into a text file.

03_Installed-apps_Results_Save-Report

Timeline

Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications. Microsoft used to synchronize the Timeline with the user’s Microsoft Account. This is no longer the case; however, the corresponding low-level data is still collected and stored locally on all Windows 10 and Windows 11 systems. This information can be extracted and analyzed with Elcomsoft System Recovery. By analyzing the Timeline data, experts can access timestamped information about app usage.

Timeline data is collected individually per user. When analyzing the timeline, you will have to specify the Windows installation path as well as the path to the user profile. The user’s password is not required.

04_Timeline

04_Timeline_Results

The process can be repeated for every user account registered on the computer.
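
The per-user Timeline extraction described above can be cross-checked by hand. The following is an added example, not part of the original page and not Elcomsoft System Recovery's own code. It assumes the Timeline store is the SQLite file ActivitiesCache.db under each profile's AppData\Local\ConnectedDevicesPlatform folder, with an Activity table holding AppId, ActivityType, StartTime and EndTime; the profile "alice" and its two rows are constructed sample data.

```python
import json
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption (not from the page): where Windows keeps each user's Timeline store.
PATTERN = "*/AppData/Local/ConnectedDevicesPlatform/*/ActivitiesCache.db"

def find_timeline_dbs(users_root):
    """Yield (user, db path) for every profile under a mounted Users folder."""
    for db in sorted(Path(users_root).glob(PATTERN)):
        yield db.relative_to(users_root).parts[0], db

def app_name(app_id_json):
    """AppId is a JSON list of {application, platform}; return the first name."""
    try:
        names = [e.get("application") for e in json.loads(app_id_json or "[]") if isinstance(e, dict)]
    except (TypeError, ValueError):
        return "<unparsed>"
    return next((n for n in names if n), "<unknown>")

def to_utc(epoch):  # Unix seconds; 0 or NULL means the field is not set
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat() if epoch else None

def read_activities(db_path):
    """Return Timeline rows oldest first, opening the evidence file read-only."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT AppId, ActivityType, StartTime, EndTime "
                           "FROM Activity ORDER BY StartTime").fetchall()
    finally:
        con.close()
    return [{"app": app_name(a), "type": t, "start": to_utc(s), "end": to_utc(e)}
            for a, t, s, e in rows]

def build_sample(users_root):  # constructed demo data, not real evidence
    db_dir = Path(users_root, "alice/AppData/Local/ConnectedDevicesPlatform/L.alice")
    db_dir.mkdir(parents=True)
    con = sqlite3.connect(db_dir / "ActivitiesCache.db", isolation_level=None)  # autocommit
    con.execute("CREATE TABLE Activity (AppId, ActivityType, StartTime, EndTime)")
    con.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?)", [
        ('[{"application":"calc.exe","platform":"windows_win32"}]', 5, 1700003600, 0),
        ('[{"application":"notepad.exe","platform":"windows_win32"}]', 6, 1700000000, 1700000300)])
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print([(u, read_activities(db)) for u, db in find_timeline_dbs(tmp)])
```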

Recent files and folders

Just like the Timeline, Recent files and folders is a user-specific feature, requiring the path to the user profile.

05_Recent-files-and-folders

By default, the tool only returns the list of recently accessed files. You can check the “Show recent folders” box to display the list of recently accessed folders.

05_Recent-files-and-folders_01

The result will be sorted by last access time. You can change the order by clicking on the corresponding column or export the list of recent files and folders for future analysis.

05_Recent-files-and-folders_Results_Folders