With support for Windows 10 ending on October 14, 2025, the enterprise shift to Windows 11 is accelerating. This transition introduces a new landscape of digital evidence that incident response and forensics professionals must understand. Key changes in Windows 11’s forensic artifacts can significantly impact how investigations are conducted.
Major New Evidence Sources: Recall and Notepad
One of the most significant and controversial new features is Recall. It periodically captures screenshots of the user's screen and uses an on-device model to make that activity searchable. Recall ships only on Copilot+ PCs, is opt-in, and can be switched off centrally through the DisableAIDataAnalysis policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI, so the first thing an investigator should establish is whether it was actually enabled on the machine in question. Where it was, the artifacts are rich: the raw screenshots, extensive metadata such as window titles and process paths, and an SQLite database that indexes them. That database is encrypted with keys protected by the TPM and tied to the user's Windows Hello sign-in, so in practice it has to be collected from the live, authenticated system rather than recovered from a dead-disk image. For investigators, this is a potential goldmine for reconstructing user activity.
The standard Notepad application has also been updated to support tabs that retain their state after the program is closed. The tab state files live under the app's package folder in Local AppData (%LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\, one .bin file per tab) and can contain text that was never saved to disk. Because the text is stored as UTF-16LE, a plain ASCII strings run will miss it; use a wide-string search or a purpose-built parser. This could be invaluable for recovering malicious scripts, command outputs, or notes left by an attacker.
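The following is an added example, not code from the original article or from Kaspersky: a small Python carver for Notepad tab state files. It assumes the files start with the ASCII magic "NP" and that, as reported by public reverse-engineering, byte 3 is a saved/unsaved flag (0 = unsaved). It deliberately does not model the rest of the header; instead it carves printable UTF-16LE runs from anywhere in the file, so it keeps working if the field layout shifts between Notepad releases. The sample bytes are constructed for the demonstration.

```python
"""Carve text from Windows 11 Notepad TabState .bin files (added example).

Assumptions (not from the original page):
- Files live under
  %LOCALAPPDATA%\\Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\TabState\\
  and are named <GUID>.bin (plus <GUID>.0.bin / <GUID>.1.bin working buffers).
- Every file starts with the ASCII magic "NP".
- Public analyses report byte 3 as a saved/unsaved flag (0 = unsaved tab).
  Treat that as an assumption and verify against your own samples.
- Tab text and the backing file path are stored as UTF-16LE.
"""
from pathlib import Path
import re

MAGIC = b"NP"
# A printable UTF-16LE code unit: tab/CR/LF or 0x20..0x7e, followed by a 0x00 high byte.
PRINTABLE_UNIT = rb"[\x09\x0a\x0d\x20-\x7e]\x00"


def carve_utf16le(data: bytes, min_chars: int = 4) -> list[str]:
    """Return every run of at least min_chars printable UTF-16LE characters."""
    pattern = re.compile(rb"(?:" + PRINTABLE_UNIT + rb"){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def parse_tabstate(data: bytes) -> dict:
    """Parse one TabState file: check the magic, read the saved flag, carve text."""
    if data[:2] != MAGIC:
        raise ValueError("not a Notepad TabState file (missing 'NP' magic)")
    # Assumption: byte 3 is 0 for an unsaved tab, non-zero for a tab backed by a file.
    unsaved = len(data) > 3 and data[3] == 0
    return {"unsaved": unsaved, "strings": carve_utf16le(data)}


def scan_tabstate_dir(directory: Path) -> dict[str, dict]:
    """Parse every .bin file in a TabState directory, keeping errors per file."""
    results: dict[str, dict] = {}
    for path in sorted(directory.glob("*.bin")):
        try:
            results[path.name] = parse_tabstate(path.read_bytes())
        except ValueError as exc:
            results[path.name] = {"error": str(exc)}
    return results


# Constructed samples. The bytes between the flag and the text stand in for the
# cursor/option/length fields, whose exact layout this carver does not depend on.
SAMPLE_UNSAVED = (
    MAGIC + b"\x00\x00"                      # magic, then byte 3 = 0 (unsaved)
    + b"\x00\x00\x01\x00\x00\x00\x1b"        # header bytes (not modelled)
    + "net user backdoor P@ss /add".encode("utf-16-le")
    + b"\x01\xaa\xbb\xcc\xdd"                # trailing flag + checksum placeholder
)

SAMPLE_SAVED = (
    MAGIC + b"\x00\x01"                      # byte 3 = 1 (tab backed by a file)
    + b"\x17"                                # header bytes (not modelled)
    + r"C:\Users\bob\notes.txt".encode("utf-16-le")
    + b"\x00" * 40                           # size/hash/option fields (not modelled)
    + "todo: clean up logs".encode("utf-16-le")
    + b"\x00\x11\x22\x33\x44"
)

if __name__ == "__main__":
    for label, blob in (("unsaved", SAMPLE_UNSAVED), ("saved", SAMPLE_SAVED)):
        info = parse_tabstate(blob)
        print(f"{label}: unsaved={info['unsaved']} strings={info['strings']}")
```

Point `scan_tabstate_dir` at an exported TabState folder to triage every tab at once; anything reported with `unsaved=True` never touched the file system as a regular file and will not appear in $MFT or the Recycle Bin.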
Key Updates to Existing Forensic Artifacts
Windows 11 also modifies several familiar forensic sources. The Windows Search index, formerly a single ESE database (Windows.edb), is now split across three SQLite databases in C:\ProgramData\Microsoft\Search\Data\Applications\Windows\: Windows.db, Windows-gather.db and Windows-usn.db. This gives a more granular view of indexed file data and activity, but it also changes acquisition: SQLite runs in write-ahead-log mode, so collect each .db together with its -wal and -shm sidecars, or the most recent changes will be missing from the copy.
The Program Compatibility Assistant (PCA), which tracks application execution, now writes plain-text logs under C:\Windows\appcompat\pca\ that record programs launched through File Explorer. The practical caveat is the scope: processes started from a command prompt, PowerShell, a service or a scheduled task do not pass through this path, so absence from the PCA logs is not evidence that a binary never ran. Investigators must also be aware of subtle but important changes to how NTFS updates the timestamps held in the $MFT attributes; timestamp-rule tables built on earlier Windows versions should be re-validated on Windows 11 before being used to argue about timestomping or file movement. Minor changes also affect the Recycle Bin path and Sticky Notes artifacts.
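As an added example (not code from the original article), here is a Python parser for the PCA launch log together with a first-pass triage rule. It assumes the file is C:\Windows\appcompat\pca\PcaAppLaunchDic.txt, that each line has the form `<full path>|<YYYY-MM-DD HH:MM:SS.fff>`, and that the timestamp is the most recent launch in UTC; those details come from public research, not from the page, so verify them against a known-good system. The log lines are constructed for the demonstration.

```python
"""Parse the Windows 11 PCA launch log and flag unusual launch paths (added example).

Assumptions (not from the original page):
- On Windows 11 22H2 and later, the PCA service writes
  C:\\Windows\\appcompat\\pca\\PcaAppLaunchDic.txt.
- One line per executable launched through File Explorer:
      <full path>|<YYYY-MM-DD HH:MM:SS.fff>
  where the timestamp (assumed UTC) is the most recent launch; earlier launches
  of the same path are overwritten, so this is a "last seen" table, not a history.
"""
from datetime import datetime, timezone

# Constructed sample log, including one malformed line to exercise error handling.
SAMPLE_LOG = """C:\\Program Files\\7-Zip\\7zFM.exe|2025-03-11 09:14:02.117
C:\\Users\\alice\\Downloads\\invoice_scan.exe|2025-03-11 09:16:48.905
C:\\Users\\Public\\Music\\svchost.exe|2025-03-11 09:17:03.442
this line is malformed
"""

# Directories an ordinary user can write to; executables here deserve a second look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\", "\\public\\")
# Names that belong in the Windows directory; elsewhere they suggest masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def parse_pca_launch_dic(text: str) -> list[dict]:
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "|" not in line:
            continue
        path, ts = line.rsplit("|", 1)
        try:
            when = datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        records.append({
            "path": path.strip(),
            "last_launch": when.replace(tzinfo=timezone.utc),  # assumed UTC
            "raw": raw,
        })
    return records


def flag_suspicious(records: list[dict]) -> list[dict]:
    """Keep launches from user-writable locations or system-named binaries outside C:\\Windows."""
    flagged = []
    for rec in records:
        lowered = rec["path"].lower()
        basename = lowered.rsplit("\\", 1)[-1]
        in_user_dir = any(marker in lowered for marker in USER_WRITABLE)
        masquerade = basename in SYSTEM_NAMES and not lowered.startswith("c:\\windows\\")
        if in_user_dir or masquerade:
            flagged.append({**rec, "reasons": [r for r, hit in (
                ("user-writable path", in_user_dir),
                ("system name outside C:\\Windows", masquerade)) if hit]})
    return flagged


if __name__ == "__main__":
    entries = parse_pca_launch_dic(SAMPLE_LOG)
    for hit in flag_suspicious(entries):
        print(hit["last_launch"].isoformat(), hit["path"], hit["reasons"])
```

Feed the real file's contents to `parse_pca_launch_dic` and sort on `last_launch` to get a quick "what did the user double-click, and when" timeline; remember that it only covers Explorer-initiated launches, so pair it with Prefetch, Amcache and Security 4688 events before drawing conclusions.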
Source: https://securelist.com/forensic-artifacts-in-windows-11/117680/