Forensic Artifacts for User Windows History Activity

 

One of the goals of a forensic investigator is to find user activity artifacts. There are dozens of ways to check for them, but some methods are outdated or time-consuming. After examining Windows files, I discovered the History folder, which provides a record of user activities over the past weeks. The artifacts include files that may have been created or viewed by the user. The activities show files with names and extensions that may provide important clues for the forensic investigator. You can see the screenshot below :

In addition, you can check the activities by specific days of the week when this device was used and the user performed various actions. You can see the screenshot below:

As a forensic investigator, you can find the path to the history activity on a seized computer device at :

Artifacts Path : C:\Users<User_Name>\AppData\Local\Microsoft\Windows\History