{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T09:56:56Z","timestamp":1769507816576,"version":"3.49.0"},"reference-count":26,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2022,1,31]],"date-time":"2022-01-31T00:00:00Z","timestamp":1643587200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001871","name":"Funda\u00e7\u00e3o para a Ci\u00eancia e Tecnologia","doi-asserted-by":"publisher","award":["UIDB\/CEC\/4524\/2020"],"award-info":[{"award-number":["UIDB\/CEC\/4524\/2020"]}],"id":[{"id":"10.13039\/501100001871","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001871","name":"Funda\u00e7\u00e3o para a Ci\u00eancia e Tecnologia","doi-asserted-by":"publisher","award":["UIDB\/EEA\/50008\/2020"],"award-info":[{"award-number":["UIDB\/EEA\/50008\/2020"]}],"id":[{"id":"10.13039\/501100001871","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Forensic Sciences"],"abstract":"<jats:p>Windows Push Notifications (WPN) is a relevant part of Windows 10 interaction with the user. It is comprised of badges, tiles and toasts. Important and meaningful data can be conveyed by notifications, namely by so-called toasts that can popup with information regarding a new incoming email or a recent message from a social network. In this paper, we analyze the Windows 10 Notification systems from a digital forensic perspective, focusing on the main forensic artifacts conveyed by WPN. We also briefly analyze Windows 11 first release\u2019s WPN system, observing that internal data structures are practically identical to Windows 10. We provide an open source Python 3 command line application to parse and extract data from the Windows Push Notification SQLite3 database, and a Jython module that allows the well-known Autopsy digital forensic software to interact with the application and thus to also parse and process Windows Push Notifications forensic artifacts. From our study, we observe that forensic data provided by WPN are scarce, although they still need to be considered, namely if traditional Windows forensic artifacts are not available. Furthermore, toasts are clearly WPN\u2019s most relevant source of forensic data.<\/jats:p>","DOI":"10.3390\/forensicsci2010007","type":"journal-article","created":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T09:59:21Z","timestamp":1643709561000},"page":"88-106","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["A Digital Forensic View of Windows 10 Notifications"],"prefix":"10.3390","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6207-6292","authenticated-orcid":false,"given":"Patr\u00edcio","family":"Domingues","sequence":"first","affiliation":[{"name":"Instituto de Telecomunica\u00e7\u00f5es, CIIC, ESTG, Polytechnic of Leiria, Morro do Lena\u2013Alto do Vieiro, 2411-901 Leiria, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9079-6679","authenticated-orcid":false,"given":"Lu\u00eds","family":"Andrade","sequence":"additional","affiliation":[{"name":"ESTG, Polytechnic of Leiria, Morro do Lena\u2013Alto do Vieiro, 2411-901 Leiria, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4405-7696","authenticated-orcid":false,"given":"Miguel","family":"Frade","sequence":"additional","affiliation":[{"name":"CIIC, ESTG, Polytechnic of Leiria, Morro do Lena\u2013Alto do Vieiro, 2411-901 Leiria, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2022,1,31]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1504\/IJESDF.2017.087394","article-title":"An investigation into the forensic implications of the Windows 10 operating system: Recoverable artefacts and significant changes from Windows 8.1","volume":"9","author":"Hintea","year":"2017","journal-title":"Int. J. Electron. Secur. Digit. Forensics"},{"key":"ref_2","first-page":"301177","article-title":"Microsoft\u2019s Your Phone environment from a digital forensic perspective","volume":"38","author":"Domingues","year":"2021","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Rui, H., ZhiGang, J., and BaoLiang, W. (2013, January 1\u20133). Comparison of Windows Phone 8 and Windows 8. Proceedings of the 2013 6th International Conference on Intelligent Networks and Intelligent Systems (ICINIS), Shenyang, China.","DOI":"10.1109\/ICINIS.2013.21"},{"key":"ref_4","unstructured":"Microsoft (2021, November 27). Windows Developer\u2014Toast Content. Available online: https:\/\/docs.microsoft.com\/en-us\/windows\/uwp\/design\/shell\/tiles-and-notifications\/adaptive-interactive-toasts\/."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"S66","DOI":"10.1016\/j.diin.2016.04.006","article-title":"Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy","volume":"18","author":"Conlan","year":"2016","journal-title":"Digit. Investig."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"AlHarbi, R., AlZahrani, A., and Bhat, W.A. (2021). Forensic analysis of anti-forensic file-wiping tools on Windows. J. Forensic Sci., 66.","DOI":"10.1111\/1556-4029.14750"},{"key":"ref_7","unstructured":"Skulkin, O., and de Courcier, S. (2017). Windows Forensics Cookbook, Packt Publishing."},{"key":"ref_8","unstructured":"Khatri, Y. (2021, December 01). Parsing the Windows 10 Notification Database. Available online: http:\/\/www.swiftforensics.com\/2016\/06\/prasing-windows-10-notification-database.html."},{"key":"ref_9","unstructured":"Maloney, B. (2021, December 01). Windows 10 Notification WAL Database. Available online: https:\/\/malwaremaloney.blogspot.com\/2018\/08\/windows-10-notification-wal-database.html."},{"key":"ref_10","unstructured":"Bilogrevic, I., Engedy, B., Porter, J.L., Taft, N., Hasanbega, K., Paseltiner, A., Lee, H.K., Jung, E., Watkins, M., and McLachlan, P. (2021, January 11\u201313). \u201cShhh...be quiet!\u201d Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome. Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Virtual."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"180","DOI":"10.1016\/j.diin.2019.04.001","article-title":"Ten years of critical review on database forensics research","volume":"29","author":"Chopade","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_12","unstructured":"DeGrazia, M. (2021, November 08). SQLite-Deleted-Records-Parser: Recovering Deleted Entries in SQLite Database. Available online: https:\/\/github.com\/mdegrazia\/SQLite-Deleted-Records-Parser."},{"key":"ref_13","unstructured":"Daniels, P.L. (2021, November 08). Undark\u2014A SQLite Deleted and Corrupted Data Recovery Tool. Available online: http:\/\/pldaniels.com\/undark\/."},{"key":"ref_14","unstructured":"Miller, P., and Bryce, C. (2019). Learning Python for Forensics, Packt Publishing. [2nd ed.]."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"S31","DOI":"10.1016\/j.diin.2019.04.017","article-title":"bring2lite: A Structural Concept and Tool for Forensic Data Analysis and Recovery of Deleted SQLite Records","volume":"29","author":"Meng","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"27","DOI":"10.46386\/ijcfati.v1i1-3.17","article-title":"Making the Invisible Visible\u2013Techniques for Recovering Deleted SQLite Data Records","volume":"1","author":"Pawlaszczyk","year":"2021","journal-title":"Int. J. Cyber Forensics Adv. Threat Investig."},{"key":"ref_17","first-page":"301110","article-title":"Dead Man\u2019s Switch: Forensic Autopsy of the Nintendo Switch","volume":"36","author":"Farrant","year":"2021","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_18","first-page":"300999","article-title":"Digital forensic tools: Recent advances and enhancing the status quo","volume":"34","author":"Wu","year":"2020","journal-title":"Forensic Sci. Int. Digit. Investig."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Garfinkel, S.L. (2009, January 21). Automating disk forensic processing with SleuthKit, XML and Python. Proceedings of the 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, Berkeley, CA, USA.","DOI":"10.1109\/SADFE.2009.12"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Liu, Y., Xu, M., Xu, J., Zheng, N., and Lin, X. (2016). SQLite forensic analysis based on WAL. International Conference on Security and Privacy in Communication Systems, Springer.","DOI":"10.1007\/978-3-319-59608-2_31"},{"key":"ref_21","unstructured":"Miller, P., and Bryce, C. (2019). Learning Python for Forensics: Leverage the Power of Python in Forensic Investigations, Packt Publishing."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Shahi, D. (2015). Apache Solr, Apress.","DOI":"10.1007\/978-1-4842-1070-3"},{"key":"ref_23","unstructured":"Microsoft (2021, December 01). Windows Push Notification Services (WNS) Rview. Available online: https:\/\/docs.microsoft.com\/en-us\/windows\/uwp\/design\/shell\/tiles-and-notifications\/windows-push-notification-services--wns--overview\/."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.diin.2019.02.005","article-title":"A survey on forensic investigation of operating system logs","volume":"29","author":"Studiawan","year":"2019","journal-title":"Digit. Investig."},{"key":"ref_25","unstructured":"Dent, A. (2013). Getting Started with LevelDB, Packt Publishing."},{"key":"ref_26","unstructured":"Focus, F. (2021, November 13). After SQLite, What Next? A Must-Read Primer on LevelDB. Available online: https:\/\/www.forensicfocus.com\/articles\/after-sqlite-what-next-a-must-read-primer-on-leveldb\/."}],"container-title":["Forensic Sciences"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2673-6756\/2\/1\/7\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:12:14Z","timestamp":1760134334000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2673-6756\/2\/1\/7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,31]]},"references-count":26,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,3]]}},"alternative-id":["forensicsci2010007"],"URL":"https:\/\/doi.org\/10.3390\/forensicsci2010007","relation":{},"ISSN":["2673-6756"],"issn-type":[{"value":"2673-6756","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,31]]}}}