github.com/kacos2000/windowstimeline

Windows 10 Timeline

• WindowsTimeline paser

  
  

  Works with any ActivitiesCache.db (Windows 1803/1809/1903/1909 ..)
  - Decodes Clipboard Text
  - Matches dB device information with data from the registry (HKCU or NTuser.dat)
  - Shows all the important information from JSON blobs ..
  - Optionally exports output to "|" delimited .csv in a timestamped folder in the form of "WindowsTimeline_dd-MMM-yyyyTHH-mm-ss".
  

  Parses:
  - Standalone ActivitiesCache.db
  - CurrentUser's selected ActivitiesCache.db with matching registry (HKCU) device entries
  - Standalone ActivitiesCache.db with offline NTUser.dat device entries
  

  Note1: Requires "System.Data.SQLite". If not available, it will download and install automatically.
  Note2: Runs on Windows 10 x64
  

---

SQLite queries to parse Windows 10 (1803+) Timeline's ActivitiesCache.db Database

Either import the queries (.sql file) to your SQLite program, or Copy/Paste the code to a query tab. Your software needs to support the SQLIte JSON1 extension.

• Windows timeline database query (WindowsTimeline.sql)

  Updated to work with Win10 v1903 (Build 19023.1)
  

  Screenshots of WindowsTimeline.sql

  

SQLite Tables processed:

• Activities,
• Activity_PackageID,
• ActivityOperation

---

A presentation of Windows Timeline from BlackBag.

---

NEW (5/2019)

>> Revised query << for Windows Timeline - works with all versions (1803,1809,1903+) and is based on the smartlookup view #dfir. (Tested on Win10 pro 1903 (Build 19023.1))

• ActivityTypes observed:

  • 2 (Notifications) {seen only in Win10 v1709}
  • 5 (Open Application/File/Webpage)
  • 6 (Application in Use/Focus)
  • 10 (Clipboard Text - for a duration of 43200 seconds or 12 hours exactly)
  • 11,12,15 Windows System operations such as:
    • Microsoft.Credentials.Vault
    • Microsoft.Credentials.WiFi
    • Microsoft.Default
    • Microsoft.Credentials
    • Microsoft.Personalization
    • Microsoft.Language
    • Microsoft.Accessibility*
  • 0,1,3,7,13 unknown yet
  • 16 (Copy/Paste Operation - Copy or Paste is shown in the Group field of the db)

• *Windows versions (OSBuild) supporting Timeline:**
  

  • March 2019 Update (v1903 18875)
    
  • October 2018 Update (v1809 - 17763)
    
  • April 2018 Update (v1803 - 17134)
    

• Related

  • Win10 YourPhone app

  • Win10 Notifications.

---

Other queries (Win10 - 1803): (Build 19023.1)

1. A re-formated Smartlookup view query - Smartlookup is a view included in ActivitiesCache.db. This query makes it a bit more readable but does not extract the data in the BLOBs (does not need the JSON1 extension).
2. Activity_PackageID timeline query - Creates a timeline according to the Expiry Dates in the Activity_PackageID table.
3. PackageID check - Check that the 'PackageID' in the 'Activity.AppId' json field has the same value as the 'Activity_PackageId' table's 'PackageName' field (for x_exe and Windows_win32 entries).
4. App_Platform - A simple query to help understand the different PlatformID combinations (extracted from the AppID json field)

Other queries (Win10 - 1809/1903):

1. A re-formated Smartlookup view query (1809/1903) - Smartlookup for Win10 v1809 ActivitiesCache.db. (does not need the JSON1 extension).

2. WindowsTimeline (1809/1903) - Full SQLite query that works with Win10 v1809/1903 ActivitiesCache.db. Will not work with earlier Windows versions (1803) as the latest Windows version has more dB fields.

3. WindowsTimeline (1903) - Full SQLite query that works with Win10 v1903 ActivitiesCache.db. Will not work with earlier Windows versions (1803/1809) as the latest Windows version 1903 (19H1) has more dB fields. Now copy/paste operations can be seen as well as clipboard text (Base64 encoded):

   

   --> Clipboard copy/paste operations (1903) - SQLite query to get just clipboard related data.

---

• About the clipboard sync:
  * Clipboard in Windows 10
  * Get help with clipboard (Applies to: Windows 10)
  * Using Windows 10’s New Clipboard: History and Cloud Sync
  

Tested on:

• DB Browser for SQLite 3.10.1,
• SQLiteStudio as well as
• SQLite Expert Pro with the JSON1 extension
• and Microsoft Windows 10 version 1803, 1903 (OS builds from 17134.48 to 17134.254) and version 1809 (Insider's Build 17754.1) and 1903 (19023.1)

---

Note: The output of the queries can be exported as a TX or CSV so that it can be used with log2timeline, TimelineExplorer or MS Excel. For example, in DB Browser for SQLite at the bottom right corner, click on

and select CSV. This will open this delimiter options window. After you make any needed changes (e.g. select comma as the delimiter), click ok,

and you will be presented with another window to select Folder and Filename to save the CSV file.

---

• Documentation

  • WindowsTimeline.pdf - Documentation for the database and its entries. Updated with information for the upcoming Win10 v1809 & v1903 upgrades.
  • A Forensic Exploration of the Microsoft Windows 10 Timeline - (Journal of Forensic Sciences DOI:10.1111/1556-4029.13875) - (Win10 1803)
    

    ---

• PowerShell scripts (Win10 - 1803,1809,1903+)

  :shipit: Require SQLite3.exe
  Note: The PowerShell scripts are not the fastest way to parse Windows Timeline (~16min for a 10500 entry db)

  • Instructions (How To Download & Install SQLite)

    • 

    Note1 - Add C:\sqlite to the system PATH
    Note2 - After you install the latest SQLite3.exe, check the version from inside powershell by running SQLite3.exe -version (you may already have an older version in your Path - you can check that by running FindSQLite3.ps1)

  • WindowsTimeline.ps1

    Powershell script to check the Platform DeviceID values in the database against the HKCU DeviceCache entries in the registry. It appears that Type 8 entries are Smartphones, type 9 Full Sized PCs and type 15 Laptops).
    Note that Platform Device IDs representing a specific device change over time.

    • Note: According to the Connected Devices Platform specification these are the device types. Curiously, type 15 is not in that list:
      

      • 1.Xbox One
      • 6.Apple iPhone
      • 7.Apple iPad
      • 8.Android device
      • 9.Windows 10 Desktop
      • 11.Windows 10 Phone
      • 12.Linux device
      • 13.Windows IoT
      • 14.Surface Hub

    

  • WinTimelineLocal.ps1

    Powershell script that runs a simple SQLite query against one of the local ActivitiesCache.db's available to the user, and adds info for the PlatformID from the registry. Json fields are parsed with Powershell's convertfrom-json.
    08/19 Updated to decode Win10 1903 Clipboard entries from Base64 to Text
    

  • WinTimelineOffline.ps1

    Powershell script that runs a simple SQLite query against any user selected ActivitiesCache.db, and adds info for the PlatformID from the related, user selected, NTUser.dat file. Json fields are parsed with Powershell's convertfrom-json.
    08/19 Updated to decode Win10 1903 Clipboard entries from Base64 to Text
    

---

• Devices that support Universal Windows Platform (UWP)
  * PCs and laptops (Screen sizes 13” and greater)
  * Tablets and 2-in-1s (Screen sizes: 7” to 13.3” for tablet, 13.3" and greater for 2-in-1)
  * Xbox and TV (Screen sizes: 24" and up)
  * Phones and phablets (Screen sizes: 4'' to 5'' for phone, 5.5'' to 7'' for phablet)
  * Surface Hub devices (Screen sizes: 55” and 84'')
  * Windows IoT devices (Screen sizes: 3.5'' or smaller, Some devices have no screen)
  

---

Related Windows Apps

• Connected Devices

Status

• [x] Queries completed.
• [x] Powershell - check DeviceIDs in both registry & database completed.
• [x] Powershell - decode Base64 Clipboard Text entries.
• [x] Win10 Notifications Database.
• [ ] Decoding of QuickXOR field values (e.g. FileShellLink, PlatformDeviceID, ‘AppActivityId and PackageIDHash)