Exploring the Windows Activity Timeline, Part 1: The High Points
Hello everyone! I’m Dr. Vico Marziale (@vicomarziale), Senior Digital Forensics Researcher here at BlackBag. In this installment, I’d like to start a series of posts digging into the Windows Activity Timeline (from here on, just “Timeline”). We begin this first post with the most important question of all: what can this artifact do for your investigations?
The Good Stuff
The Timeline can tell you all kinds of useful information, including:
- Applications a user has executed
- When the app was started
- When the app was closed
- Each time the user was actively engaged with the app
- URLs visited using the above apps
- Files accessed using the above apps
- Text and files the user has copied/pasted
The system configuration that affects the Timeline is complex, but the data is generally stored for the past 30 days, more if you leverage Volume Shadow Copies (VSCs) and backups. Also, depending on configuration, the Timeline on one machine can store this same information about a user’s actions on other machines! Some of the data can even come from other devices that run OSs other than Windows (for instance, Android and macOS). Needless to say, a lot going on here.
Starting in version 1803, Windows 10 started tracking user activities specifically to support the new Timeline feature. Timeline provides users a UI view of currently running apps and other apps that had been used recently, along with some info on what the user was doing in that app. Clicking the app tile in the UI resumes that activity in the app – like a URL that was opened in a web browser, or a file that was being edited in a word processing app. For those who haven’t seen, it looks like this:
Up at the top we see boxes (“tiles”) for apps that are currently open. Below those we see tiles for apps used earlier today, and below those, tiles for apps used in previous days. Scrolling down shows more history up to a maximum of 30 days. Each tile includes the name of the app, the file or URL currently open, and possibly a screenshot of the app. In addition to scrolling, a user can search using the icon in the upper right. Right away this should strike any investigator as interesting – Windows is clearly tracking a wealth of data about user activities. This would be useful enough just as a live triage technique, but as this data is also stored somewhere on the system, who knows what other goodies are stored there as well. Let’s take a closer look.
Where is the Good Stuff?
The main Timeline data store is located in each user’s home directory at the following path:
In the above, <folder> can be any of the following based on the type of account the user has logged in with:
- Local user account: L.<local user account name> (e.g., “L.vico”)
- Microsoft account: Microsoft ID number (e.g., “cdd048cc6c17532e”)
- Azure Active Directory account: AAD.XXXXX
Note that a single user’s directory can have multiple login type folders (e.g., both an “L.vico” and a “cdd048cc6c17532e” folder). This can happen when a user initially uses a local login and then changes to a Microsoft account.
In case you need to find the Microsoft account name for the Microsoft ID, the mapping can be found at in the registry at:
In the above, we can see that the Microsoft ID (cid) “cdd048cc6c17532e” maps to the user name “firstname.lastname@example.org.”
What does it look like?
The ActivitiesCache.db SQLite database has a simple schema with just over a handful of tables. The schema changes a bit depending on the version of Windows 10 (1803, 1809, etc.), but basically looks like this:
Yes, there are a lot of columns, including seven that hold timestamps (like many of us, I love finding new timestamps). If, for the moment, we think of each tile we saw in the first screenshot above as an activity described by a row in this table, then we can talk about some of the more important columns from a forensics perspective. We can easily take a look at the data in BlackLight (2019r3) by going to Actionable Intel and then looking on the left for Program Execution -> Activities Cache -> Activity
A GUID identifying this activity. It may not seem important at the moment, but as we dig deeper in this series, its importance will become apparent, so we point it out here.
A JSON formatted list of identifiers for this app across platforms where it is supported. Because of the synchronized cross-platform features of the Timeline, the app is not specified as the exact executable that ran as in other artifacts that track process execution (e.g., prefetch, or userassist), but rather as the set of apps that can continue this activity across platforms. We can see below that this was clearly Edge being used, though there is no “.exe” file mentioned.
That being said, for some apps you do see the actual executable in the list as for notepad.exe below:
While we’re here I’m just going to throw this screenshot in too as a teaser for upcoming posts in this series (note the “platform” values):
This is an app-supplied identifier for the activity. It often includes info on where in the app the user was, e.g., what web page the user was on or what file the app had open, which is clearly useful to an investigation. Below we see that the app, Edge here, was opened to https://dfrws.org:
Many different types of activities are tracked, including when a user opens an app, when a user is engaged with an app, clipboard actions, and more. The two most signifigant activity types are 5: user started an activity (e.g., opened an app); and 6: user engaged an app (e.g., brought the app into focus).
As you may guess, for activity type 5, this is when the user opened the app. For activity type 6, this the time the user began engaging with the app.
The same holds here. For activity type 5, this is when the user closed the app, where for activity type 6, this is when the user ended that engagement with the app (e.g., brought another app into focus).
Payload holds different types of data depending on the activity type. For activity type 5, it holds information that describes how to display the tile in the Timeline UI. This includes all of the text in and around the tile, and as we saw above, that generally includes the name of the app, what file or URL was opened in the app, and more. Below, we see the payload tells us the app display name, “010 Editor,” and the file that was opened:”C:\\Users\\USSF-JKreese\\Documents\\Logs\\Log Files\\USSF Crypt.torrent.” Sometimes there is considerably more data in the payload and other times considerably less, but almost always the name of the app is provided. (And don’t ask about FileShellLink – haven’t figured that one out yet.)
For activity type 6, there is an entirely different kind of information in the payload, namely the amount of time the user was engaged with the app for this engagement period, and the time zone the user was in. Below we see that the user was engaged with the app for 202 seconds and was in the “America/Chicago” timezone.
If we look at the App Id for the above activity type 6 we see that the app being used was Chrome.
Putting It All Together
If we take all of the pieces we’ve seen above and put them together, we can get a pretty detailed look at a user’s interaction with an app over a session of usage.
Here we’ve used Blacklight’s filtering function to focus on activity from just one app – IrfanView – by filtering on entries where the App ID contains the string “IrfanView.” We see an activity type 5 with a start time of 2019-01-09 19:58:04 (UTC), which indicates that the user opened the app at then.
If we look at the payload for the activity type 5 activity, we can see the file that the user used IrfanView to open, with the complete path to what may be a removable drive, is: “F:\\Actuals\\1-1-879×485.jpg.”
If we look at the payload for one of the Activity Type 6 entries, it indicates that the user interacted with IrfanView for 11 seconds from 2019-01-09 19:58:05 (UTC) to 2019-01-09 19:58:16 (UTC). The other Activity Type 6 entries detail other interactions.
These artifacts give an amazingly granular view of the user’s interactions with the app, much more than is generally provided by other process execution artifacts. And in a well-used system there can be thousands of activities stored in the db.
In this first installment of the series, we have seen the basics of what analysis of the Windows Activity Timeline can do for your case, and we’ve only scratched the surface of all of the ways this artifact can be leveraged. In upcoming posts, we’ll take a closer look at configuration options that can dramatically affect what is stored in the database, how synced data looks, what is stored in the other tables in the database, and more. In the meantime, happy hunting!
- Exploring the Windows Activity Timeline, Part 2: Synching Across Devices - March 24, 2020
- Apple’s (Not Quite) Secure Notes - March 3, 2020
- Exploring the Windows Activity Timeline, Part 1: The High Points - January 21, 2020