Monday, April 29, 2019

Windows 10 Timeline Feature


There is a feature in updated versions of Windows 10 called "Timeline".
What might you think a feature with this name would do?

Could you say it is similar to a browser history, but a history of the entire computer's user activity?
MS might have dropped this one in the laps of forensicators.

Apart from websites that you visited, the Timeline shows the documents you worked with, the games you played, the images you viewed or created and recently executed applications.


Access the Timeline feature via the Timeline icon on the taskbar, next to the Windows Start button.


"WINDOWS KEY + Tab" will also take you there.

Additional details about Timeline
Here's some additional information you need to know as you get started with Timeline on Windows 10:

  • Timeline works only on devices running the Windows 10 April 2018 Update and later.
  • Timeline is a feature that works on every version of Windows 10 that is connected using a Microsoft account.
  • Office applications will appear in your timeline, but only after the document is saved or if auto save is enabled.
  • You can't control which applications appear in your timeline.
  • You can't check your timeline on the web, but you can view your activities in the privacy dashboard of your Microsoft account.
  • You can't change the number of days that Timeline tracks on your devices. It's either 4 days or 30 days if the sync option is enabled.
  • Timeline is supported on a multi-monitor setup, but your timeline will only appear on the display from which you invoked it.


The feature can be enabled and configured under "Settings --> Privacy --> Activity history".



***FOR FORENSIC PURPOSES


This is almost an "organization" / "productivity" feature that can also double as a built-in forensics tool for us.

TIMELINE FEATURE DATABASE FILE:
Located at:

C:\Users\<Username>\AppData\Local\ConnectedDevicesPlatform\L.<Username>\ActivitiesCache.db


This file, "ActivitiesCache.db", may well be worth parsing and capturing as a forensic artifact.



Can be viewed in FTK 




OR



Use the WxTCmd tool by DFIR rockstar tool author Eric Zimmerman.

WxTCmd
Windows 10 Timeline database parser

https://cyberforensicator.com/2018/05/08/wxtcmd-windows-10-timeline-parser/
https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html
https://ericzimmerman.github.io/#!index.md


1. Run the WxTCmd.exe tool against the ActivitiesCache.db file:

.\WxTCmd.exe -f C:\Users\Win10\AppData\Local\ConnectedDevicesPlatform\L.Win10\ActivitiesCache.db --csv C:\Users\Win10\Desktop\


2. Take the output CSV or TSV (tab-separated) file and open it with Timeline Explorer (another of Zimmerman's finest).


Open the output .tsv file in Timeline Explorer:
File-->Open-->path to .tsv


Timeline Explorer will show the Last Modified time, the executable that ran, and the display and content info.
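For analysts who want to see what WxTCmd and Timeline Explorer are pulling out of the file, here is an added example (not code from the original post, and not WxTCmd) that opens ActivitiesCache.db directly with Python's sqlite3 and builds the same kind of record: application, activity type, Last Modified time converted from Unix epoch to UTC, and the display text from the payload. The Activity table and column names, the AppId JSON layout, and the ActivityType meanings (5 = ExecutionOpened, 6 = InFocus) are stated here from my own knowledge of the schema and should be treated as assumptions to verify against your copy; the sample database is constructed in memory so the script runs offline.

```python
"""Parse a Windows 10 Timeline database (ActivitiesCache.db) with Python's sqlite3.

Added example, not code from the original post and not WxTCmd. Table and column
names follow the ActivitiesCache.db schema as I know it (Activity table, AppId as
a JSON list, Unix-epoch timestamps); treat them as an assumption and verify them
against your own copy (e.g. with `.schema Activity` in the sqlite3 shell).
The sample database below is constructed in memory so the script runs offline.
"""
import json
import sqlite3
import sys
from datetime import datetime, timezone

# ActivityType meanings seen in real databases (assumption; verify on your evidence).
ACTIVITY_TYPES = {5: "ExecutionOpened", 6: "InFocus", 16: "Clipboard"}


def build_sample_db():
    """Create an in-memory stand-in for ActivitiesCache.db with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE Activity (
               Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INTEGER,
               LastModifiedTime INTEGER, ExpirationTime INTEGER, Payload BLOB,
               StartTime INTEGER, EndTime INTEGER, IsLocalOnly INTEGER)"""
    )
    notepad = json.dumps([{"application": r"C:\Windows\System32\notepad.exe",
                           "platform": "x_exe_path"}])
    edge = json.dumps([{"application": "Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge",
                        "platform": "windows_win32"}])
    # Constructed rows, not real evidence. 1556535600 = 2019-04-29 11:00:00 UTC.
    rows = [
        (b"\x01" * 16, notepad, 5, 1556535600, 1559127600,
         json.dumps({"displayText": "notes.txt"}).encode(), 1556535600, 0, 0),
        (b"\x02" * 16, notepad, 6, 1556537400, 1559129400,
         b"", 1556535600, 1556537400, 0),
        (b"\x03" * 16, edge, 6, 1556539200, 1559131200,
         b"{}", 1556538000, 1556539200, 1),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def to_utc(epoch):
    """Unix epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC; 0 or None means unset."""
    if not epoch:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def app_name(app_id):
    """AppId is a JSON list of {application, platform}; prefer the full exe path."""
    try:
        entries = json.loads(app_id)
    except (TypeError, ValueError):
        return app_id
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry.get("application")
    return entries[0].get("application") if entries else app_id


def parse_timeline(conn):
    """Return one dict per Activity row, oldest LastModifiedTime first."""
    sql = ("SELECT AppId, ActivityType, LastModifiedTime, StartTime, EndTime, "
           "Payload, IsLocalOnly FROM Activity ORDER BY LastModifiedTime")
    records = []
    for app_id, atype, last_mod, start, end, payload, local in conn.execute(sql):
        display = None
        if payload:
            try:
                display = json.loads(payload).get("displayText")
            except (ValueError, AttributeError):
                display = None
        records.append({
            "application": app_name(app_id),
            "activity_type": atype,
            "activity_name": ACTIVITY_TYPES.get(atype, f"Unknown({atype})"),
            "last_modified_utc": to_utc(last_mod),
            "start_utc": to_utc(start),
            "end_utc": to_utc(end),
            # InFocus rows carry a start/end pair; derive how long the app was in use.
            "duration_s": (end - start) if (atype == 6 and start and end) else None,
            "display_text": display,
            "local_only": bool(local),
        })
    return records


def apps_executed(records):
    """Distinct applications with an ExecutionOpened (type 5) record."""
    return sorted({r["application"] for r in records if r["activity_type"] == 5})


if __name__ == "__main__":
    # With a path argument, open a *copy* of the evidence file read-only; otherwise use the sample.
    if len(sys.argv) > 1:
        db = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        db = build_sample_db()
    for rec in parse_timeline(db):
        print(rec["last_modified_utc"], rec["activity_name"], rec["application"],
              rec["display_text"] or "", rec["duration_s"] or "")
```

Run it with no arguments to see the constructed sample, or pass the path to a copy of ActivitiesCache.db. Work from a copy rather than the live file, open it read-only as the script does, and if a -wal sidecar file sits next to the database, collect it too, since SQLite may still hold recent rows there.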




The database is also a possible source of recent MS Edge browser activity.





In Conclusion:

The Windows 10 Timeline feature is a good one for us forensicators to know. The location and presence of the ActivitiesCache.db file can be worth our while for recently used activities with timestamps, and for recent Edge browser history forensics through the Timeline feature.
Big thanks to Eric Zimmerman for the never-ending inspiration and awesome tools he provides the community.


--Bryan



RESOURCE
Microsoft. "Get Help with Timeline." Support.microsoft.com, support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline.
