Windows 10 Timeline Blog

Investigating Windows 10 Timeline

11/02/2022 Friday

Windows 10 Timeline was introduced by Microsoft as part of Windows 10 April 2018 Update (Windows 10 version 1803). This feature enables the users to view their currently running apps and look back at their previous activities such as opened documents, programs, images, videos or visited websites. It also enables the users to synchronize their activities across their devices.

Windows 10 Timeline is enabled by default; however, users can disable the feature or control what the timeline displays. In addition, some of the apps are not shown in the timeline even though the user has recently opened them. This may be due to the fact that the feature is not yet supported by all applications.

According to Microsoft's official website, the timeline may only view 3 to 4 days of activity history and users need to sign into services such as Microsoft 365 to be able to track back 30 days of activities. Windows 10 Timeline can be accessed by clicking on the Task View icon, which is located to the right of the search box or by pressing Windows + Tab on the keyboard.

All currently open windows will appear at the top of the screen and below it is the user's previous activities. The scroll bar at the right side of the screen can be used to navigate through the timeline.

Digital Forensics Value of Windows 10 Timeline Artifacts

Windows 10 Timeline provides information about the applications that were executed on the computer within the last 30 days, such as the application name, time when the application was launched, and application usage duration. This type of information is of forensic value, as it can help examiners in reconstructing previous events on a particular device; even if the files, documents or applications have been deleted.

Location of Windows 10 Timeline Artifacts

User activates displayed in the timeline are stored in ActivitiesCache.db which is located at: C:\Users\[profile]\AppData\Local\ConnectedDevicesPlatform\L.[profile]\ActivitiesCache.db

Structure of Windows 10 Timeline Artifacts

ActivitiesCache.db is an SQLite database and it contains multiple tables. To be more specific, 7 tables (Activity, ActivityOperation, Activity_PackageId, AppSettings, DataEncryptionKeys, ManualSequence and Metadata); however, only a subset of the tables contain forensically valuable information.

Analyzing Windows 10 Timeline Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Windows 10 Timeline artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Windows 10 Timeline Artifact:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows 10 Timeline artifact in ArtiFast software.

Windows 10 Timeline Artifact

This artifact contains information related to the user activity. The details you can view include:

Application Name - The name of the executable reporting the timeline data.
Display Name - The bar display text.
Content - The content displayed by the app.
Activity ID - The unique identifier of the activity.
Parent Activity ID - The unique identifier of the parent activity.
App Activity ID - The unique identifier of the application activity.
Activity Type - The type of activity (Notification, Mobile Device Backup, Open App/File/Page, App In Use/Focus, Clipboard and Copy/Paste).
Platform - The platform linked to the executable.
Is Local only - Indicates whether the activity occurred locally or on another device.
Group - The group.
Priority - The activity priority.
Platform Device ID - The platform device ID.
DDS Device - DDS Device.
Focus - The application usage duration (in seconds).
ETag - The entity tag.
Tag - The tag.
Is Read - Indicates whether the activity is read.
In Upload Queue - Indicates whether the entry is in the upload queue.
Start Date/Time - The date/time when the activity started.
End Date/Time - The date/time when the activity ended.
Created in Cloud Date/Time - The date/time when the activity was listed in the cloud.
Last Modified Date/Time - The date/time when the activity was last modified.
Last Modified On Client Date/Time - The date/time when the activity was last modified on the client device.
Expiration Date/Time - The date/time when the activity will expire which is 30 days from the activity start time.
Created Date/Time - The date/time when the activity entry was created.