TAC – Timeline ActivitiesCache Parser

In the spring of 2018, Microsoft released a Windows 10 update with the capability to show a chronology of actions taken by the user. This new application is called Timeline and is part of Windows Task View. TAC – Timeline ActivitiesCache Parser parses this data so an examiner can find the items a user previously worked on. The history runs from the most recent tasks back to a few weeks ago (up to 30 days).

Whether going back to an Internet search done some time ago or continuing with a document that was being read or edited, the Timeline application has this functionality built in.


During an incident response this type of activity collection is very useful. The service is turned on by default, and the functionality has to be explicitly disabled if the user does not wish to have their actions recorded. If the activity history is enabled, it may include such details as which file was viewed and/or edited, which website was visited, the times at which all this occurred, etc.

The database storing the user's activity is ActivitiesCache.db. Each user account has its own database, and it can be found in this location: C:\Users\<useracct>\AppData\Local\ConnectedDevicesPlatform\L.<useracct>\ActivitiesCache.db.

When looking at the parse results of TAC – Timeline ActivitiesCache Parser, one can see which application was run, when it was run and how long it was running. The expiration time allows the timeline to keep only those items that fall within a set amount of time, so the list of items stays manageable. There are many other fields used in the database that are not shown below; many of them still need to be studied to determine what they are and whether they are of forensic value.
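To show what such a parse looks like in practice, here is a small added example (not TZWorks' code and not TAC's parser) that reads the application, start time, run duration and expiration time from the Activity table of an ActivitiesCache.db. It assumes the database is SQLite with an Activity table whose AppId column is a JSON list of {platform, application} entries and whose StartTime, EndTime and ExpirationTime columns are Unix epoch seconds; the sample rows it builds are constructed, not a real artefact.

```python
import json
import sqlite3
import tempfile
from datetime import datetime, timezone

# Column subset of the Activity table (assumed schema, names as commonly documented).
SCHEMA = ("CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT, "
          "StartTime INT, EndTime INT, ExpirationTime INT, LastModifiedTime INT)")

def to_iso(epoch):
    """Epoch seconds -> ISO-8601 UTC; 0 or NULL means the field was not set."""
    return None if not epoch else datetime.fromtimestamp(epoch, timezone.utc).isoformat()

def app_name(app_id_json):
    """AppId is a JSON list of {platform, application}; take the first entry."""
    entries = json.loads(app_id_json or "[]")
    return entries[0].get("application") if entries else None

def parse_activities(db_path):
    """One dict per Activity row: app, start, end, run duration, expiration."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT AppId, ActivityType, StartTime, EndTime, "
                            "ExpirationTime FROM Activity ORDER BY StartTime").fetchall()
    finally:
        conn.close()
    return [{"app": app_name(a), "type": t, "start": to_iso(s), "end": to_iso(e),
             "duration_s": (e - s) if (s and e) else None, "expires": to_iso(x)}
            for a, t, s, e, x in rows]

def build_sample_db(db_path):
    """Constructed sample rows (not a real artefact) so the example runs offline."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    app = json.dumps([{"application": r"C:\Windows\notepad.exe", "platform": "x_exe_path"}])
    # 2018-06-01 12:00:00Z start, 30-minute session, 30-day expiration (constructed)
    conn.execute("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)",
                 (b"\x01", app, 5, 1527854400, 1527856200, 1527854400 + 30 * 86400, 1527856200))
    conn.commit(); conn.close()

def demo():
    """Build the sample database in a temp file and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = tmp + "/ActivitiesCache.db"
        build_sample_db(path)
        return parse_activities(path)
```

Pointing `parse_activities` at a copied ActivitiesCache.db (never the live file under the user's profile) yields the same app/start/duration/expiration view the tool output shows.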


There is an experimental option in TAC – Timeline ActivitiesCache Parser to try to recover records located in discarded, unused or slack space. The tool does this on a best-effort basis and is invoked with the -incl_slack option. Surprisingly, the number of recovered records can be significant in some cases.

You can read more and download the tool over here: https://tzworks.net/prototype_page.php?proto_id=41
