Forensic Analysis of the Windows 10 Activity Timeline

Presented at Techno Security & Digital Forensics 2019 by

The Activity Timeline feature was released in Windows 10 version 1803. It tracks many types of activity, including websites accessed, documents opened and edited, applications executed, and even details of when a user was actively engaged in a specific activity. Its purpose is to remind users of past activities and allow them to continue those activities at a later time, including across devices. Fortunately, it is also a gold mine for investigators. This session will present an examination of the timeline from the perspective of its usefulness to digital forensics investigations. Topics covered include examination and configuration from the Windows UI; exploration of on-disk and registry-based configuration files; a description of the structure of the main data store, ActivitiesCache.db; and more. In the end, attendees will have a firm understanding of this new forensic artifact and how to immediately apply the evidence it contains to their cases.