Windows 10 Timeline was introduced by Microsoft as part of Windows 10 April 2018 Update (Windows 10
version 1803). This feature enables the users to view their currently running apps and look back at
their previous activities such as opened documents, programs, images, videos or visited websites. It also
enables the users to synchronize their activities across their devices.
Windows 10 Timeline is enabled by default; however, users can disable the feature or control what the timeline displays. In addition, some of the apps are not shown in the timeline even though the user has recently opened them. This may be due to the fact that the feature is not yet supported by all applications.
According to Microsoft's official website, the timeline may only view 3 to 4 days of activity history and users need to sign into services such as Microsoft 365 to be able to track back 30 days of activities. Windows 10 Timeline can be accessed by clicking on the Task View icon, which is located to the right of the search box or by pressing Windows + Tab on the keyboard.
All currently open windows will appear at the top of the screen and below it is the user's previous activities. The scroll bar at the right side of the screen can be used to navigate through the timeline.
Windows 10 Timeline provides information about the applications that were executed on the computer within the last 30 days, such as the application name, time when the application was launched, and application usage duration. This type of information is of forensic value, as it can help examiners in reconstructing previous events on a particular device; even if the files, documents or applications have been deleted.
User activates displayed in the timeline are stored in ActivitiesCache.db which is located at: C:\Users\[profile]\AppData\Local\ConnectedDevicesPlatform\L.[profile]\ActivitiesCache.db
ActivitiesCache.db is an SQLite database and it contains multiple tables. To be more specific, 7 tables (Activity, ActivityOperation, Activity_PackageId, AppSettings, DataEncryptionKeys, ManualSequence and Metadata); however, only a subset of the tables contain forensically valuable information.
This section will discuss how to use ArtiFast Windows to analyze Windows 10 Timeline artifacts from Windows
machines and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Windows 10 Timeline Artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows 10 Timeline artifact in ArtiFast software.
Windows 10 Timeline Artifact
This artifact contains information related to the user activity. The details you can view include:
For more information or suggestions please contact: email@example.com