04.10.2019

No Time to Waste: How Windows 10 Timeline Can Help Forensic Experts

Igor Mikhailov
Digital forensic analyst at Group-IB Laboratory of Computer Forensics and Malicious Code Research
Forensic experts often use various timeline tools to reconstruct events that have taken place on a user's computer during a cybersecurity incident or virus attack. A timeline is usually a large file or table with chronologically arranged information about such events.

Processing data carriers to prepare a timeline (e.g. using Plaso) is a long process. This is why the digital forensics community was excited about the new Timeline on Windows 10.
With the April 2018 update, Windows 10 introduced a new feature called Windows 10 Timeline, or simply Timeline. It displays user activity and makes it possible to quickly return to previously opened documents, programs, videos, images, and websites. Windows 10 Timeline is launched by clicking the following icon:
Doing so will display the thumbnails of programs, documents, and websites that were opened recently, or not so recently:
Investigators have identified two issues related to the new feature:

1. Some applications are not displayed in Timeline even if they have recently been opened.

2. Some data from Timeline (earlier data) is sent to Microsoft Cloud.

This means that information obtained through Windows 10 Timeline artifact analysis differs from the type of timelines forensic experts are used to; the latters contain more comprehensive information about events that take place on a given computer.

Windows 10 Timeline should not be confused with timelines created with forensic utilities. For instance, Autopsy, Belkasoft Evidence Center, and AXIOM create timelines that contain much more information about user activity than Windows 10 Timeline.

Windows 10 Timeline can be turned on by opening Settings, going to Privacy > Activity History, and checking the following boxes:

• Let Windows collect my activities from this PC

• Let Windows sync my activities from this PC to the cloud
Location of Windows 10 Timeline forensic artifacts
The catalog Users\%profile name%\AppData\Local\ConnectedDevicesPlatform\ contains a CDP file with information about the last Windows 10 Timeline synchronization with the cloud (CNCNotificationUriLastSynced) and about the user ID (0b5569b899437c21 in the image below).

Catalogue type:
User activity information in Windows 10 Timeline is saved to the file ActivitiesCache.db with the path \Users\%profile name%\AppData\Local\ConnectedDevicesPlatform\L.%profile name%\.

ActivitiesCache.db

ActivitiesCache.db is an SQLite database (version 3). Like any SQLite database, it has two auxiliary files: ActivitiesCache.db-shm and ActivitiesCache.db-wal.
Additional information about deleted records may be contained in unused space, freelists, and the WAL file.
Windows 10 Timeline anatomy
ActivitiesCache.db contains the following tables: Activity, Activity_PackageId, ActivityAssetCache, ActivityOperation, AppSettings, ManualSequence, and Metadata. The ones that hold the most interest for investigators are Activity_PackageId and Activity.
Activity_PackageId table:
The Activity_PackageId table contains records for applications, including paths for executable files (e.g. c:\programdata\firefly studios\stronghold kingdoms\ 2.0.32.1\ strongholdkingdoms.exe), names of executable files, and expiration times for these records. Values located in the Expiration Time column are stored in Epoch Time format.

The records in the Activity_PackageId table are stored for 30 days and can contain information about executable files or documents that are no longer present on the hard drive.

Activity table:
The Activity table has the following fields: Id, AppId, PackageIdHash, AppActivityId, ActivityType, ActivityStatus, ParentActivityId, Tag, Group, MatchId, LastModifiedTime, ExpirationTime, Payload, Priority, IsLocalOnly, PlatformDeviceId, CreatedInCloud, StartTime, EndTime, LastModifiedOnClient, GroupAppActivityId, ClipboardPayload, EnterpriseId, OriginalLastModifiedOnClient, and ETag.

It contains as many as five fields for time tags: LastModifiedTime, ExpirationTime, StartTime, EndTime, and LastModifiedOnClient (this field may be empty and is filled in if the user modifies the file related to that particular table entry).

Paths to the executable files can also be found in this table: F:\\NirSoft\\x64\\USBDeview.exe.

In his article Windows 10 Timeline – Initial Review of Forensic Artefacts, Gary Hunter (pr3cur50r) stresses that values of time tags for deleted files do not change. As for modified documents, time tag volumes do not change instantly but within 24 hours.
How to investigate Windows 10 Timeline
The easiest way is to look at the data contained in ActivitiesCache.db using an SQLite viewer, for example DB Browser for SQLite, which is a free tool.
By switching tables in the Browse Data tab, it is possible to view their contents and record information that is potentially of interest for an investigation.

The second utility we recommend is WxTCmd (Windows 10 Timeline database parser), which is launched from the command line interpreter.
The result is a CSV file that contains file analysis results for ActivitiesCache.db.
The third tool we recommend is AXIOM by Magnet Forensics.

To analyze the artifact, go to the Select Artifacts to Include in Case section:
Analysis results can be viewed in Magnet AXIOM Examiner.

Results of extraction of data from ActivitiesCache.db by AXIOM:
The fourth utility we recommend for analyzing such files is Belkasoft Evidence Center by Belkasoft.

Once you have added a data source (a hard drive, logical drive, folder, or file), select Windows Timeline in System Files in the Add Data Source window.
Once you have completed the data extraction process, the Windows Timeline category will be displayed in Overview. Data extraction results from ActivitiesCache.db will be shown there.

What data extraction results look like:
Using Windows 10 Timeline in Computer Forensics
Data contained in Windows 10 Timeline may be used for issues related to incident response and data breaches.

As an example, a data fragment of ActivitiesCache.db from a computer attacked by hackers is shown below:
As can be seen in the screenshot, the attackers installed TeamViewer (a file from a file sharing website called sendspace.com) and Mimikatz on the victim's computer. An analysis of the events stored in Windows 10 Timeline indicates that the attackers opened TeamViewer logs (TeamViewer14_Logfile.log) via Notepad (notepad.exe). They may have done this to delete or modify the file information.

Below is another example. Highly unusual files were launched on the computer, which means someone may have tried to collect information about the user.
Windows 10 Timeline, the new Windows 10 artifact category, significantly helps investigators in reconstructing events that have taken place on a particular computer in the last 30 days. Moreover, Windows 10 Timeline may provide additional information about files that have been launched on the computer, even if they have been deleted — which is particularly important when it comes to incident response and data breaches.