Exploring the Windows Activity Timeline, Part 1: The High Points
Being able to determine when, where, and what apps a suspect has been using can be critical when trying to move an investigation forward. At Cellebrite, we’re always focused on providing you with the easiest ways to determine the most relevant information to provide actionable intelligence faster.
In this three-part series, Dr. Marziale will focus on, the “Windows Activity Timeline” and answer the most important question of all: what can this artifact do for your investigations?
Part 1 will provide you with a solid overview of what “Timeline” is all about and some of the basic information it provides. Part 2 and Part 3 will dig deeper to show you the full breadth of useful information Timeline can provide. Let’s get started.
The Good Stuff
The Timeline can tell you all kinds of useful information including:
- What applications a user has executed.
- When the app was started.
- When the app was closed.
- The timestamp when the user was actively engaged with the app.
- URLs visited using the above apps.
- Files accessed using the above apps.
- Text and files the user copied and pasted.
- What applications a user has executed.
The system configuration that affects the Timeline is complex, but the data is generally stored for at least 30 days, (more if you leverage Volume Shadow Copies (VSCs) and backups). Also, depending on configuration, the Timeline on one machine can store this same information about a user’s actions on other machines! Some of the data can even come from other devices that run operating systems other than Windows (for instance, Android and macOS). Needless to say, there is a lot going on here.
How Timeline Works
Starting in version 1803, Windows 10 started tracking user activities specifically to support the new Timeline feature. Timeline provides users a UI view of currently running apps and other apps that have been used recently, along with some information on what the user was doing in the app.
Clicking the app tile in the UI resumes that activity in the app – like a URL that was opened in a web browser or a file that was being edited in a word processing app. For those who haven’t seen it, it looks like this:
Up at the top, we see boxes (“tiles”) for apps that are currently open. Below those, we see tiles for apps used earlier today. And below those, we can see the tiles for apps used in previous days.
Scrolling down shows more history up to a maximum of 30 days. Each tile includes the name of the app, the file or URL currently open, and (sometimes) a screenshot of the app. In addition to scrolling, a user can search using the icon in the upper right-hand corner.
Right away this should strike any investigator as interesting – Windows is clearly tracking a wealth of data about user activities. This would be useful enough just as a live triage technique, but as this data is also stored somewhere on the system, who knows what other goodies may be stored there as well. Let’s take a closer look.
Where is the Good Stuff?
The main Timeline data store is located in each user’s home directory at the following path:
In the above, <folder> can be any of the following based on the type of account the user has logged in with:
- Local user account: L.<local user account name> (e.g., “L.vico”)
- Microsoft account: Microsoft ID number (e.g., “cdd048cc6c17532e”)
- Azure Active Directory account: AAD.XXXXX
Note that a single user’s directory can have multiple login-type folders (e.g., both an “L.vico” and a “cdd048cc6c17532e” folder). This can happen when a user initially uses a local login and then changes to a Microsoft account.
In case you need to find the Microsoft account name for the Microsoft ID, the mapping can be found in the registry at:
In the above example, we can see that the Microsoft ID (cid) “cdd048cc6c17532e” maps to the user name “email@example.com.”
What Does It Look Like?
The ActivitiesCache.db SQLite database has a simple schema with a handful of tables. The schema changes a bit depending on the version of Windows 10 (1803, 1809, etc.), but basically, it looks like this:
For this post we will focus on the Activity table only as seen below:
Yes, there are a lot of columns, including seven that hold timestamps (like many of us, I love finding new timestamps). If for the moment, we think of each tile we saw in the first screenshot above as an activity described by a row in this table, we can then talk about some of the more important columns from a forensics perspective.
We can easily take a look at the data in Cellebrite Inspector (2019r3) by going to Actionable Intel and then looking on the left for Program Execution -> Activities Cache -> Activity
Identifying The GUID
It may not seem important at the moment, but as we dig deeper into this series, the importance of a GUID identifying an activity will become apparent, so we point it out here.
A JSON-formatted list of identifiers for this app across platforms may also be available where it is supported. Because of the synchronized cross-platform features of the Timeline, the app is not specified as the exact executable that ran as other artifacts that track process execution do (e.g., Prefetch, or User Assist), but rather as the set of apps that can continue this activity across platforms. We can see below that Edge was clearly being used, though there is no “.exe” file mentioned.
That being said, for some apps you will see the actual executable in the list as you do for notepad.exe below:
While we’re here I’m just going to throw this screenshot in as a teaser for upcoming posts in this series (note the “platform” values):
This is an app-supplied identifier for the activity. It often includes information on where in the app the user was, e.g., what web page the user was on or what file the app had open, which is clearly useful to an investigation. Below we see that the app, “Edge”, was opened to https://dfrws.org:
Many different types of activities are tracked in Timeline, including when a user opens an app when a user is engaged with an app, clipboard actions, and more. In the screenshot below, the two most significant activity types are 5: user started an activity (e.g., opened an app);
and 6: user engaged an app (e.g., brought the app into focus).
Start Time: As you may guess, for activity type 5, this is when the user opened the app. For activity type 6, this is the time the user began engaging with the app.
End Time: The same holds here. For activity type 5, this is when the user closed the app. For activity type 6, this is when the user ended that engagement with the app (e.g., brought another app into focus).
Payload holds different types of data depending on the activity type. For activity type 5, it holds information that describes how to display the tile in the Timeline UI. This includes all of the text in and around the tile and, as we saw above, that generally includes the name of the app, what file or URL was opened in the app, and more.
Below, payload tells us the app display name, “010 Editor,” and the file that was opened: “C:\\Users\\USSF-JKreese\\Documents\\Logs\\Log Files\\USSF Crypt.torrent.” Sometimes there is considerably more data in the payload and other times considerably less, but almost always the name of the app is provided. (And don’t ask about FileShellLink – I haven’t figured that one out yet.)
For activity type 6, there is an entirely different kind of information in the payload, namely the amount of time the user was engaged with the app for this engagement period and the time zone the user was in at the time of the engagement.
Below we see that the user was engaged with the app for 202 seconds and that he or she was in the “America/Chicago” time zone.
If we look at the App Id for the above activity type 6, we see that the app being used was Chrome.
Putting It All Together
If we take all of the pieces we’ve seen above and put them together, we can get a pretty detailed look at a user’s interaction with an app over a session of usage.
Here we’ve used Cellebrite Inspector’s filtering function to focus on activity from just one app – IrfanView. By filtering on entries where the App ID contains the string “IrfanView,” we see an activity type 5 with a start time of 2019-01-09 19:58:04 (UTC), which indicates when the user opened the app.
If we look at the payload for the activity type 5 activity, we can see the file that the user used IrfanView to open, with the complete path to what may be a removable drive: “F:\\Actuals\\1-1-879×485.jpg.”
If we look at the payload for one of the Activity Type 6 entries, it indicates that the user interacted with IrfanView for 11 seconds from 2019-01-09 19:58:05 (UTC) to 2019-01-09 19:58:16 (UTC). The other Activity Type 6 entries detail other interactions.
These artifacts give an amazingly granular view of the user’s interactions with the app, much more than is generally provided by other process-execution artifacts. And in a well-used system, there can be thousands of activities stored in the db.
In the first installment of this series, we have seen the basics of what analysis of the Windows Activity Timeline can do for your case and we’ve only scratched the surface in showing all of the ways Cellebrite Inspector can help you leverage this artifact in your investigations.
In upcoming posts, we’ll take a closer look at configuration options that can dramatically affect what is stored in the database, how synced data looks, what is stored in the other tables in the database, and more. In the meantime, happy hunting!
Learn more about how Cellebrite Inspector and Cellebrite Digital Collector (for analyzing Mac devices) can help you in your investigations, here.