Blog >> Windows 10 Timeline

Investigating Windows 10 Timeline

11/02/2022 Friday

Windows 10 Timeline was introduced by Microsoft as part of Windows 10 April 2018 Update (Windows 10 version 1803). This feature enables the users to view their currently running apps and look back at their previous activities such as opened documents, programs, images, videos or visited websites. It also enables the users to synchronize their activities across their devices.

Windows 10 Timeline is enabled by default; however, users can disable the feature or control what the timeline displays. In addition, some of the apps are not shown in the timeline even though the user has recently opened them. This may be due to the fact that the feature is not yet supported by all applications.

According to Microsoft's official website, the timeline may only view 3 to 4 days of activity history and users need to sign into services such as Microsoft 365 to be able to track back 30 days of activities. Windows 10 Timeline can be accessed by clicking on the Task View icon, which is located to the right of the search box or by pressing Windows + Tab on the keyboard.

All currently open windows will appear at the top of the screen and below it is the user's previous activities. The scroll bar at the right side of the screen can be used to navigate through the timeline.

Digital Forensics Value of Windows 10 Timeline Artifacts

Windows 10 Timeline provides information about the applications that were executed on the computer within the last 30 days, such as the application name, time when the application was launched, and application usage duration. This type of information is of forensic value, as it can help examiners in reconstructing previous events on a particular device; even if the files, documents or applications have been deleted.

Location of Windows 10 Timeline Artifacts

User activates displayed in the timeline are stored in ActivitiesCache.db which is located at: C:\Users\[profile]\AppData\Local\ConnectedDevicesPlatform\L.[profile]\ActivitiesCache.db

Structure of Windows 10 Timeline Artifacts

ActivitiesCache.db is an SQLite database and it contains multiple tables. To be more specific, 7 tables (Activity, ActivityOperation, Activity_PackageId, AppSettings, DataEncryptionKeys, ManualSequence and Metadata); however, only a subset of the tables contain forensically valuable information.

Analyzing Windows 10 Timeline Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Windows 10 Timeline artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Windows 10 Timeline Artifact:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows 10 Timeline artifact in ArtiFast software.

Windows 10 Timeline Artifact

This artifact contains information related to the user activity. The details you can view include:

For more information or suggestions please contact: