Exploring the Windows Activity Timeline, Part 2: Synching Across Devices
By: Vico Marziale (@vicomarziale), Senior Digital Forensics Researcher
Hello, and welcome back for the second installment of Exploring the Windows Activity Timeline (just “Timeline” from here on out). In my last blog, we covered the Timeline’s basics: background, where it is, what it looks like on disk, and some low hanging investigatory nuggets. But there’s plenty more forensics fun to be had, so today I’d like to dig a little deeper.
To briefly recap, the Timeline is a Windows 10 facility for tracking many types of user activity so that it can remind the user what they’ve been up to, and let them simply click a UI tile to resume one of those previous activities, e.g., open a browser up to a webpage the user previously visited.
Last time we focused solely on a single machine, but the Timeline has far more to offer than that. As you might have gathered from the ConnectedDevicesPlatform part of the path where the main database (db) resides, it can sync a user’s activities across multiple machines. In the simplest case, this only requires that the user log in to multiple Windows 10 machines with the same Microsoft ID. When the user logs into a second Windows 10 machine with the same Microsoft ID used on the first machine, activities stored in the db will sync between them. The same happens for more than two machines as well.
To illustrate, I performed the following test:
- I spun up one of several Windows 10 VMs (version 1903) I use for testing, logged in with one of my Microsoft ID test accounts, and then did some “normal user stuff” – web surfing in a few browsers, created and edited some documents, and viewed photos.
- Later, I created a new VM (version 1909). I then logged in with the same test Microsoft ID test account I used on the 1903 VM.
Examining the ActivitiesCache.db on the new 1909 VM this is what I saw:
We can see two different values highlighted in the Platform Device ID column. This field holds a base64 encoded binary blob that doesn’t seem particularly useful at first glance. But when we look at the registry for the vico user account on the 1909 machine at NTUSER.DAT/Software/Microsoft/Windows/CurrentVersion/TaskFlow/DeviceCache, we see that these values can be mapped to specific distinct machines.
Note the two highlighted base64 string Key Names in figure 2 and 3 match the two Platform Device IDs in figure 1. While the DeviceMake and DeviceModel match, their DeviceName values differ. Looking at the actual computer names on the two VMs in their respective registries at SYSTEM/CurrentControlSet/Control/ComputerName/ComputerName, we see the following for the 1909 machine:
The 1903 machine shows:
We can see that the DeviceName values match the names of the respective VMs. Using this mapping we can easily determine on which machine a particular activity took place on.
On an even more interesting note, if we look for the oldest activity start times in the 1909 VM’s ActivitiesCache.db in figure 6 below, we see that activities go back to 2020-01-03. I created that VM on 2020-02-21. We not only have synched activities, but we have history from before this machine was even created. Now ain’t that fun?
This has significant investigative ramifications. For example, if a suspect “loses” a machine that may have contained data relevant to an investigation, any other machine the user logged into with the same Microsoft ID may hold traces. Even if the suspect purchases a brand new machine to pass off as an older machine, as long as they use the same Microsoft ID it can potentially hold traces of activity from before the new machine was in use.
But wait – there’s more!
In addition to synching activities across Windows devices, the Timeline can also sync certain kinds of activities from Android, macOS, and iOS. In my testing so far, if a user installs Microsoft Office 365 and selects the default options (which will also install OneDrive), then activities like accessing office documents are synched to any Windows 10 machine a user logs into with the same Microsoft account.
There are several limitations in addition to only synching Office-related activities, however. First, the sync occurs from other OSs to Windows but not in reverse – there is no evidence of activity that takes place on a Windows machine is stored on non-Windows systems. Which makes sense since as far as I know there is no ActivitesCache.db on the other OSs (if anyone has evidence to the contrary, I’d love to hear about it). Other limitations are discussed below in examples from macOS and Android.
Below you can see activities performed on a macOS machine, by looking at the ActivitiesCache.db on a Windows system.
The lower right pane displays information from the Activity 5 highlighted in top right pane. Remeber Activity Type 5 indicates app opened. there are several usefule pieces of information shown:
- Lines 1, 3, 5, and 6 all indicate that a document called coffee blog.docx was accessed, and that it is stored in OneDrive.
- Line 2 indicates that the program used to access the document was Word. (This looks like any other activity that occurred locally on the Windows machine, and other fields in the db corroborate these findings.)
- Line 4 (the most interesting) show the devicePlatform indicated the machine that did the accessing was a “Mac” machine.
Unfortunately, that’s where the good news ends for the most part. In the upper right pane, the Platform Device ID is empty – there is no way to know which Mac machine the activity took place on. All we know is that it is a machine that has Office365 installed and the known Microsoft account was used.
Looking at the Actyivity Type 6 entry (which indicates app in focus) for the same activity (figure 8), the lower right pane shows that the activeDurationSeconds is zero. It appears to always be set to zero, , so we have no idea how long the user was engaged with the app. Further, the userTimeZone that appears in Windows-based Activity Type 6 activities is missing here too. Next we will look at Android, and we will see the story is much the same.
Figure 9: Android Activity Type 5
Just as in the Mac example, if we look the lower right pane in figure 9 above, we can see evidence that coffee blog.docx was accessed from OneDrive using Word. The devicePlatform here though is “Android,” indicating that the activity occurred on an android system (here, a Pixel 3 phone). Again, in the upper right pane we see that the Platform Device ID is blank, so we have no idea which android system the activity originated on.
Also, as we saw in the Mac example, looking at an Activity Type 6 entry for the same activity we see that the activeDurationSeconds is zero, and the userTimezone is missing.
These caveats aside, being able to see evidence of activity that took place on mac and android devices from a Windows device that has been logged in using the same Microsoft ID is still significant win for forensics investigators. This is an artifact that even highly technical users are likely unaware of (till now, I guess), making it potentially even more valuable.
To sum up, the Windows Activity Timeline sync functionality means that you may well find on one Windows machine evidence of activities that occurred on other machines – even those that aren’t Windows, making it a potential game changer in some situations. Add this technique to your arsenal, and happy hunting!
- Exploring the Windows Activity Timeline, Part 2: Synching Across Devices - March 24, 2020
- Apple’s (Not Quite) Secure Notes - March 3, 2020
- Exploring the Windows Activity Timeline, Part 1: The High Points - January 21, 2020