Windows Timeline
Windows Timeline is a cross-device activity tracking feature Microsoft introduced in Windows 10 version 1803. It records a chronological history of every document, website and application a user interacted with. For digital forensics, it is a single-file treasure chest that can definitively place a user in front of specific content at a specific time, even across multiple devices.
Imagine your phone had a magic notebook that automatically wrote down every website you visited, every YouTube video you watched and every document you opened, giving each one an exact timestamp. Windows Timeline is that magic notebook for your PC. Everything you touch gets an entry. If an investigator grabs that notebook, they know exactly what you were doing every moment of every day.
General
Windows Timeline stores its data in a SQLite database named ActivitiesCache.db located in each user's AppData directory under Local\ConnectedDevicesPlatform\. The Connected Devices Platform (CDP) service manages this database and can sync activity entries from other Microsoft-linked devices via the cloud. Each record in the database captures a full JSON payload describing the user's interaction, including the application used, the exact content engaged with, and the active and expiry timestamps. Even when the Timeline feature is voluntarily disabled or cleared by the user, forensic recovery of prior database records is frequently possible, because deleted rows linger in the database's freed pages until SQLite reuses them.
Traces
When we parse the ActivitiesCache.db database, each activity row exposes rich metadata. Here are the critical columns we focus on:
- Application: The exact executable or package name that generated the activity.
- Activity Type: Whether the interaction was a file open, a web visit or focus change.
- Start/End Time: High-resolution UTC timestamps defining when the activity began and when it was last active.
- Content URL / File Path: The concrete resource the user engaged with — the file path or URL.
- Device ID: A unique identifier tying the record to a specific host or synced device.
- Additional columns beyond these core fields.
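As an added example that is not part of the original article or of any forensic tool, here is a small Python parser for the columns listed above, run over a constructed, in-memory copy of the Activity table. The column names and the ActivityType codes 5 and 6 are assumptions taken from the commonly documented schema; confirm them against your own ActivitiesCache.db before relying on the output.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType codes as commonly documented for ActivitiesCache.db (assumption; confirm on your own DB).
ACTIVITY_TYPES = {5: "open (app/file/page)", 6: "in focus / in use"}

def _utc(epoch):  # StartTime/EndTime are Unix epoch seconds, UTC
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat() if epoch else None

def _app_name(app_id_json):
    """AppId is a JSON list of {platform, application}; prefer the exe-path entry."""
    try:
        by_platform = {e.get("platform"): e.get("application") for e in json.loads(app_id_json or "[]")}
    except (ValueError, AttributeError):  # not JSON or unexpected shape: keep raw value
        return app_id_json
    return by_platform.get("x_exe_path") or next(iter(by_platform.values()), None)

def parse_activities(db):
    """db: file path or sqlite3.Connection. Returns one dict per Activity row, oldest first."""
    con = db if isinstance(db, sqlite3.Connection) else sqlite3.connect(db)
    sql = "SELECT AppId, ActivityType, StartTime, EndTime, Payload, PlatformDeviceId FROM Activity ORDER BY StartTime"
    out = []
    for app_id, atype, start, end, payload, device in con.execute(sql):
        try:
            body = json.loads(payload) if payload else {}  # Payload is a JSON BLOB
        except ValueError:  # NULL or garbled payload: keep the row, drop the detail
            body = {}
        out.append({"application": _app_name(app_id),
                    "activity_type": ACTIVITY_TYPES.get(atype, f"unknown ({atype})"),
                    "start_utc": _utc(start), "end_utc": _utc(end),
                    "content": body.get("contentUri") or body.get("displayText"),
                    "duration_s": body.get("activeDurationSeconds"),
                    "device_id": device})
    return out

def build_sample_db():
    """Constructed sample: a minimal Activity table (subset of the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INT, StartTime INT, "
                "EndTime INT, Payload BLOB, PlatformDeviceId TEXT)")
    word = json.dumps([{"application": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "platform": "x_exe_path"}])
    doc = json.dumps({"displayText": "report.docx", "contentUri": "file:///C:/Users/alice/Documents/report.docx"})
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?)", [
        (word, 5, 1700000000, 1700000600, doc.encode(), "device-A"),        # file opened in Word
        (word, 6, 1700000600, 1700001200, b'{"activeDurationSeconds": 600}', "device-A"),  # focus
        (word, 99, 1700001200, None, None, "device-B"),                     # synced row, unknown type
    ])
    return con
```

Point parse_activities at a copied ActivitiesCache.db (never the live file) to get the same dicts for real rows; rows with unknown type codes or unparsable payloads are kept rather than dropped so nothing silently disappears from the timeline.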
Forensic Value
We mine the Windows Timeline database to establish intent, user presence and interaction history:
- User Presence at Machine: Proving an account was interacting with the system. Cross-reference this with SRUM data to correlate resource consumption with user activity.
- Document Interaction: Proving that a suspect opened a sensitive or illicit file during a specific timeframe.
- Web Browsing History: Recovering website visit records when browser history has been cleared.
- Cross-Device Attribution: Identifying activity synced from mobile or laptop devices linked to the same Microsoft account.
For more information, see also: SRUM