Digital Forensics: Windows 10 Timeline — activitiescache.db

Joe
4 min read · Oct 2, 2022


What is it and why is it important to digital forensics?

ActivitiesCache.db is an SQLite database that keeps track of activity on a device: application and service usage, files opened, websites browsed, and, importantly, the DURATION of the execution. Windows 10 Timeline was introduced in Windows 10 version 1803 and is turned on locally by default. It stores up to 30 days of content, and open-source tools make it easy to parse out and enrich your investigative findings.

Windows 10 Timeline has two purposes for the end user:

  • Timeline feature
  • Documentation and user experience sync to the cloud

Local services that make this happen:

  • Microsoft Graph’s cross-device experience (Project Rome)
  • Windows Connected Devices Platform Service

The Windows Connected Devices Platform Service provides a way for devices such as PCs and smartphones to discover each other and exchange messages, which allows user activity to be resumed and/or synchronized across multiple devices. This is the service that actively monitors user interactions and creates the entries in the database.

Windows Connected Devices Platform Service

The user can access the Windows Timeline to review past activities through the Task Bar:

Documents, executables, and folders are shown as tiles:

Activity History
Settings can be changed under Activity History, the Windows GUI for adjusting the Timeline and cloud sync options.

SoOoOoOo, where is the database?

\Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\FOLDER\ActivitiesCache.db

FOLDER can be one or more of these:

  • L.username (Local Username)
  • 16 alphanumeric characters (Microsoft ID)
  • AAD.xxxxxxx-xxxx-xxx-xxx-xxxxxxxxxx (MS Azure Active Directory ID)

Additional files in path:

  • DB-SHM file: shared-memory file (the index for the write-ahead log) that contains only temporary data.
  • DB-WAL file: write-ahead log. Stores a certain amount of information before it is committed to the DB, so collect it alongside the .db or the most recent entries may be missed.

If you are interested in learning about the structure/schema of the database and how events get pushed to it, go here: https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf
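As an added example (not code from this post or from any of the tools listed on it), here is a small Python parser run over a constructed copy of the Activity table: it decodes the AppId JSON to the executable path, converts the epoch timestamps, pulls activeDurationSeconds from type-6 payloads, and checks for the -wal/-shm sidecar files. The column names, the platform keys inside AppId, and the meaning of type code 6 are assumptions taken from the public schema documentation linked above, not from this page; the sample rows are constructed to mirror use case 1 below.

```python
import json
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Subset of the Activity table; column names assumed from the public schema.
SCHEMA = """CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT,
    LastModifiedTime INT, StartTime INT, EndTime INT, Payload BLOB)"""

def app_path(app_id_json):
    """AppId is a JSON list of {application, platform}; return the exe path or package name."""
    for entry in json.loads(app_id_json):
        if entry.get("platform") in ("x_exe_path", "packageId", "windows_win32"):
            return entry["application"]
    return None

def to_utc(epoch):
    """Timeline stores Unix epoch seconds; 0 means 'not set'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None

def parse_activities(conn):
    """One record per Activity row; type-6 rows carry the in-focus duration."""
    rows = []
    for app_id, atype, start, end, payload in conn.execute(
            "SELECT AppId, ActivityType, StartTime, EndTime, Payload "
            "FROM Activity ORDER BY StartTime, EndTime"):
        rec = {"app": app_path(app_id), "type": atype,
               "start": to_utc(start), "end": to_utc(end)}
        if atype == 6 and payload:  # 6 = app in use (assumed type code)
            rec["active_seconds"] = json.loads(payload).get("activeDurationSeconds")
        rows.append(rec)
    return rows

def sidecar_files(db_path):
    """Collect -wal and -shm with the .db, or uncommitted recent entries are lost."""
    p = Path(db_path)
    candidates = (p.with_name(p.name + "-wal"), p.with_name(p.name + "-shm"))
    return [s for s in candidates if s.exists()]

def build_sample_db():
    """Constructed sample mirroring use case 1: mimikatz.exe launched from C:\\temp."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    app = json.dumps([{"application": "C:\\temp\\mimikatz.exe", "platform": "x_exe_path"}])
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", [
        (b"\x01", app, 5, 1664712000, 1664712000, 0, b'{"displayText": "mimikatz"}'),
        (b"\x02", app, 6, 1664712300, 1664712000, 1664712300,
         b'{"type": "UserEngaged", "activeDurationSeconds": 300}'),
    ])
    return conn
```

Point parse_activities at sqlite3.connect() on a collected ActivitiesCache.db (with its -wal/-shm copied next to it) to get the same records from real data.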

Tools to parse the database?

Zimmerman Tools

  • WxTCmd.exe (Windows 10 Timeline database parser). https://ericzimmerman.github.io/#!index.md

Autopsy Plugin

  • Process_ActivitiesCache.py (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_ActivitiesCache)

SQLite Browser

  • https://sqlitebrowser.org

AXIOM

  • Turn on by selecting Windows Timeline option under OPERATING SYSTEM prior to ingestion

My personal favorite is Eric Zimmerman’s WxTCmd.exe.

To run it, open a PowerShell console and run:

WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.USER\ActivitiesCache.db" --csv c:\temp

Your output should look something like this:

Activities.csv being viewed through Eric Zimmerman’s Timeline Explorer

USE CASE 1: Program Execution

Mimikatz run from the C:\temp folder, with the ActivitiesCache.db entry compared against the other execution artifacts:

  • Prefetch
  • UserAssist
  • BAM
  • AppCompatCache: this artifact captures the last-modified date of the executable, not its actual execution time, so it is expected that it does not match any ActivitiesCache.db entries.

USE CASE 2: Document Creation and Opening

test.txt created and opened in C:\temp, with the ActivitiesCache.db entry compared against the other file-access artifacts:

  • RecentDocs
  • IE Browser Cache
  • Recent Items
  • OpenSavePidlMRU

I hope you enjoyed my quick research into Windows 10 Timeline and will use this artifact in your future investigations. If you have any questions, feel free to email me at joeforensics@proton.me

Happy hunting
