Vico Marziale, Ph.D. (BlackBag Technologies)

Abstract

The Activity Timeline (Timeline) feature shipped in Windows 10 version 1803. It records many kinds of activity: websites visited, documents opened and edited, applications launched, and even the periods during which the user was actively engaged with a particular item. Its purpose is to remind users of past activity and let them resume it later, including on another device; fortunately, it is also a gold mine for investigators. We present an overview of the feature from the perspective of its usefulness to digital forensics, covering at least the following topics: the Timeline and its configuration as seen from the UI; where the configuration options are stored on disk; the layout of the main artifact, the SQLite database ActivitiesCache.db kept under each user's profile on the system; the usefulness of its key fields, including the meaning of the many timestamps stored there; the types of activity the Timeline tracks, with examples of each; cloud syncing of activities across devices signed in to by the same user; and (probably many) areas for further research.
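As an added, self-contained illustration of the kind of parsing the abstract promises (this is not code from the talk or from BlackBag), the following Python builds a small in-memory copy of the Activity table from ActivitiesCache.db and decodes the fields an examiner looks at first. The column subset follows the production schema, all timestamps are Unix epoch seconds, and the AppId and Payload columns hold JSON; the two rows, the account name, the file paths and the ActivityType labels ("ExecutionOpen" for 5, "InFocus" for 6, as public parsers name them) are assumptions constructed for this example. On a real system the database lives under the user's profile at %LOCALAPPDATA%\ConnectedDevicesPlatform\<account id>\ActivitiesCache.db and can be opened with sqlite3.connect() in place of build_sample_db().

```python
import json
import sqlite3
from datetime import datetime, timezone

# Subset of the Activity table in ActivitiesCache.db. Column names follow the
# production schema; the sample rows further down are constructed for this
# example and are not data from the talk.
SCHEMA = """
CREATE TABLE Activity (
    Id                   BLOB PRIMARY KEY,
    AppId                TEXT,
    ActivityType         INTEGER,
    LastModifiedTime     INTEGER,
    ExpirationTime       INTEGER,
    Payload              BLOB,
    StartTime            INTEGER,
    EndTime              INTEGER,
    LastModifiedOnClient INTEGER
);
"""

# ActivityType codes as labelled by public parsers (labels are an assumption):
# 5 = an app/document was opened, 6 = a window of active engagement with it.
ACTIVITY_TYPES = {5: "ExecutionOpen", 6: "InFocus"}


def epoch_to_iso(value):
    """Timestamps in the table are Unix epoch seconds (UTC); 0 or NULL means unset."""
    if not value:
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_db():
    """Create an in-memory database holding two constructed rows for notepad.exe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    app_id = json.dumps([{"application": "C:\\Windows\\System32\\notepad.exe",
                          "platform": "x_exe_path"}])
    open_payload = json.dumps({"displayText": "notes.txt",
                               "contentUri": "file:///C:/Users/alice/notes.txt"}).encode()
    focus_payload = json.dumps({"activeDurationSeconds": 900}).encode()
    rows = [
        # type 5: document opened; EndTime is not recorded for this type
        (b"\x01" * 16, app_id, 5, 1525132800, 1527724800, open_payload,
         1525132800, 0, 1525132800),
        # type 6: 15 minutes of engagement, StartTime and EndTime both set
        (b"\x02" * 16, app_id, 6, 1525137300, 1527729300, focus_payload,
         1525136400, 1525137300, 1525137300),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def parse_activities(conn):
    """Return one dict per row with decoded JSON fields and human-readable times."""
    query = """SELECT Id, AppId, ActivityType, StartTime, EndTime,
                      LastModifiedTime, ExpirationTime, Payload
               FROM Activity ORDER BY StartTime"""
    results = []
    for rid, app_id, atype, start, end, modified, expires, payload in conn.execute(query):
        apps = json.loads(app_id) if app_id else []
        body = json.loads(payload.decode("utf-8")) if payload else {}
        results.append({
            "id": rid.hex(),
            "type": ACTIVITY_TYPES.get(atype, f"Unknown({atype})"),
            "application": apps[0].get("application") if apps else None,
            "display_text": body.get("displayText"),
            "content_uri": body.get("contentUri"),
            "start": epoch_to_iso(start),
            "end": epoch_to_iso(end),
            "last_modified": epoch_to_iso(modified),
            "expires": epoch_to_iso(expires),
            # an engagement length only makes sense when both ends are recorded
            "duration_s": (end - start) if (start and end) else None,
        })
    return results


if __name__ == "__main__":
    for entry in parse_activities(build_sample_db()):
        print(entry)
```

The two rows show why the timestamps have to be read per ActivityType: the type 5 row answers "when was notes.txt opened", while the type 6 row's StartTime/EndTime pair is what supports a statement about how long the user was actually working in the document.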