WindowsTimeline

Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)

---

Project maintained by kacos2000 Hosted on GitHub Pages — Theme by mattgraham

Note: Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you’ll no longer have the option to upload new activity in Timeline. You’ll still be able to use Timeline and see your activity history (information about recent apps, websites and files) on your local device. AAD-connected accounts won’t be impacted. source

Windows 10 Timeline

• WindowsTimeline parser (WindowsTimeline.exe)

  
  
  

  Works with any ActivitiesCache.db (Windows 1703/1709/1803/1809/1903/1909/2004 ..)
  - Decodes Clipboard Text
  - Matches dB device information with data from the registry (HKCU or NTuser.dat)
  - Shows all the important information from JSON blobs ..
  - Optionally exports output to “|” delimited .csv in a timestamped folder in the form of “WindowsTimeline_dd-MMM-yyyyTHH-mm-ss”.
  

  Parses:
  - Standalone ActivitiesCache.db
  - CurrentUser’s selected ActivitiesCache.db with matching registry (HKCU) device entries
  - Standalone ActivitiesCache.db with offline NTUser.dat device entries
  

  Note1: Requires “System.Data.SQLite.dll”.
  If it’s not available, it show prompt to download and install automatically.
  Installation path: C:\Program Files\System.Data.SQLite\2010\bin\
  Note2: Runs on Windows 10 x64
  

  • ActivityTypes observed:

    • 2 (Notification)
    • 3 (Mobile Device Backup ?/azure authentication)
    • 5 (Open Application/File/Webpage)
    • 6 (Application in Use/Focus)
    • 10 (Clipboard Text - for a duration of 43200 seconds or 12 hours exactly)
    • 11,12,15 Windows System operations such as:
      • Microsoft.Credentials.Vault
      • Microsoft.Credentials.WiFi
      • Microsoft.Default
      • Microsoft.Credentials
      • Microsoft.Personalization
      • Microsoft.Language
      • Microsoft.Accessibility*
    • 0,1,4,7,8,9,13 unknown yet
    • 16 (Copy/Paste Operation - Copy or Paste is shown in the Group field of the db)

  • Device Types:
    (According to the Connected Devices Platform specification & observation)*
    

    • 0.Windows 10X (dual screen) device (Observed & Verified)
    • 1.Xbox One (Verified)
    • 6.Apple iPhone
    • 7.Apple iPad
    • 8.Android device (Verified)
    • 9.Windows 10 Desktop (Verified)
    • 11.Windows 10 Phone
    • 12.Linux device
    • 13.Windows IoT
    • 14.Surface Hub
    • 15.Windows 10 Laptop PC (Observed & Verified)1
    • 16.Windows 10 Tablet PC (Observed & Verified)
      
      

    Windows.EDB has the same info but in text form eg:

    Field Name	Field Value
    4124-System_ActivityHistory_DeviceMake	HP
    4125-System_ActivityHistory_DeviceModel	HP 250 G6 Notebook PC
    4126-System_ActivityHistory_DeviceName	DESKTOP-HL2LCVA
    4127-System_ActivityHistory_DeviceType	Laptop

• Clippy (previously ‘WindowsTimeline Clipboard Text Carver’)

  
  

  • Retrieves current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
  • Displays offset of entry in the file & decoded text
  • Allows Copy of a selection or all of the results

  • Allows export to “

    ” separated CSV

  Example:
  - WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
  - Clippy.exe: 224 from the db & 19 from the db-wal
  

---

• Devices that support Universal Windows Platform (UWP)
  * PCs and laptops (Screen sizes 13” and greater)
  * Tablets and 2-in-1s (Screen sizes: 7” to 13.3” for tablet, 13.3” and greater for 2-in-1)
  * Xbox and TV (Screen sizes: 24” and up)
  * Phones and phablets (Screen sizes: 4’’ to 5’’ for phone, 5.5’’ to 7’’ for phablet)
  * Surface Hub devices (Screen sizes: 55” and 84’’)
  * Windows IoT devices (Screen sizes: 3.5’’ or smaller, Some devices have no screen)
  ______________________________

• Documentation

  • WindowsTimeline.pdf - Documentation for the database and its entries. Updated with information for the ~upcoming~ Win10 v1809 & v1903+ upgrades. Updated with Clipboard History info
  • A Forensic Exploration of the Microsoft Windows 10 Timeline - (Journal of Forensic Sciences DOI:10.1111/1556-4029.13875) - (Win10 1803)
    
  • Exploring the Windows Activity Timeline, Part 1: The High Points
    
  • Exploring the Windows Activity Timeline, Part 2: Synching Across Devices
    
  • Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness
    ______________________________

• Related

  • Win10 YourPhone app
    
  • Win10 Notifications.
    ______________________________

SQLite queries to parse Windows 10 (1803+) Timeline’s ActivitiesCache.db Database

Either import the queries (.sql file) to your SQLite program, or Copy/Paste the code to a query tab. Your software needs to support the SQLIte JSON1 extension.

• Windows timeline database query (WindowsTimeline.sql)

  Updated to work with Win10 v1903 (Build 19023.1)
  

  Screenshots of WindowsTimeline.sql

  

SQLite Tables processed:

• Activities,
• Activity_PackageID,
• ActivityOperation

---

Related content:

• 
  

• 

• 

• Build cross-device apps, powered by Project Rome _______________________________

(5/2019)

» Revised query « for Windows Timeline - works with all versions (1803,1809,1903+) and is based on the smartlookup view. (Tested on Win10 pro 1903 (Build 19023.1))

• Windows versions (OSBuild*) supporting Timeline:
  
  • March 2019 Update (v1903 18875) ..
    
  • October 2018 Update (v1809 - 17763)
    
  • April 2018 Update (v1803 - 17134)
    

---

Other queries (Win10 - 1803): (Build 19023.1)

1. A re-formated Smartlookup view query - Smartlookup is a view included in ActivitiesCache.db. This query makes it a bit more readable but does not extract the data in the BLOBs (does not need the JSON1 extension).
2. Activity_PackageID timeline query - Creates a timeline according to the Expiry Dates in the Activity_PackageID table.
3. PackageID check - Check that the ‘PackageID’ in the ‘Activity.AppId’ json field has the same value as the ‘Activity_PackageId’ table’s ‘PackageName’ field (for x_exe and Windows_win32 entries).
4. App_Platform - A simple query to help understand the different PlatformID combinations (extracted from the AppID json field)

Other queries (Win10 - 1809/1903):

1. A re-formated Smartlookup view query (1809/1903) - Smartlookup for Win10 v1809 ActivitiesCache.db. (does not need the JSON1 extension).
2. WindowsTimeline (1809/1903) - Full SQLite query that works with Win10 v1809/1903 ActivitiesCache.db. Will not work with earlier Windows versions (1803) as the latest Windows version has more dB fields.

3. WindowsTimeline (1903) - Full SQLite query that works with Win10 v1903 ActivitiesCache.db. Will not work with earlier Windows versions (1803/1809) as the latest Windows version 1903 (19H1) has more dB fields. Now copy/paste operations can be seen as well as clipboard text (Base64 encoded):

   

   –> Clipboard copy/paste operations (1903) - SQLite query to get just clipboard related data. ______________________________

   • About the clipboard sync:
     * Clipboard in Windows 10
     * Get help with clipboard (Applies to: Windows 10)
     * Using Windows 10’s New Clipboard: History and Cloud Sync
     

Tested on:

• DB Browser for SQLite 3.10.1+,
• SQLiteStudio as well as
• SQLite Expert Pro with the JSON1 extension

• and Microsoft Windows 10 version 1803, 1903 (OS builds from 17134.48 to 17134.254) and version 1809 (Insider’s Build 17754.1) and 1903 (19023.1) _______________________________

  Note: The output of the queries can be exported as a TX or CSV so that it can be used with log2timeline, TimelineExplorer or MS Excel. For example, in DB Browser for SQLite at the bottom right corner, click on

  

  and select CSV. This will open this delimiter options window. After you make any needed changes (e.g. select comma as the delimiter), click ok,

  

  and you will be presented with another window to select Folder and Filename to save the CSV file.

  ---

• PowerShell scripts (Win10 - 1803,1809,1903+)

  :shipit: Require SQLite3.exe
  Note: The PowerShell scripts are not the fastest way to parse Windows Timeline (~16min for a 10500 entry db)

  • Instructions (How To Download & Install SQLite)
    • 

    Note1 - Add C:\sqlite to the system PATH
    Note2 - After you install the latest SQLite3.exe, check the version from inside powershell by running SQLite3.exe -version (you may already have an older version in your Path - you can check that by running FindSQLite3.ps1)

  • WindowsTimeline.ps1

    Powershell script to check the Platform DeviceID values in the database against the HKCU DeviceCache entries in the registry. It appears that Type 8 entries are Smartphones, type 9 Full Sized PCs and type 15 Laptops).
    Note that Platform Device IDs representing a specific device change over time.

    

  • WinTimelineLocal.ps1

    Powershell script that runs a simple SQLite query against one of the local ActivitiesCache.db’s available to the user, and adds info for the PlatformID from the registry. Json fields are parsed with Powershell’s convertfrom-json.
    08/19 Updated to decode Win10 1903 Clipboard entries from Base64 to Text
    

  • WinTimelineOffline.ps1

    Powershell script that runs a simple SQLite query against any user selected ActivitiesCache.db, and adds info for the PlatformID from the related, user selected, NTUser.dat file. Json fields are parsed with Powershell’s convertfrom-json.
    08/19 Updated to decode Win10 1903 Clipboard entries from Base64 to Text
    

Related Windows Apps

• Connected Devices

Related to Windows Timeline

• Windows Search database Windows.EDB
  sample entry:

  

Status

• [x] Queries completed.
• [x] Powershell - check DeviceIDs in both registry & database completed.
• [x] Powershell - decode Base64 Clipboard Text entries.
• [x] Win10 Notifications Database.
• [ ] Decoding of QuickXOR field values