CHFI (312-49) Digital Forensics Simulation
Investigation Scenario
During an insider threat investigation, a corporate laptop was seized from an employee suspected of exfiltrating sensitive intellectual property. The employee claims they never accessed or opened the document "Project_Titan.docx" and states they were working on benign administrative tasks throughout the day.
The forensic investigator needs to reconstruct a chronological timeline of the user's activities to verify this alibi. The investigator intends to parse a specific Windows 10 feature that tracks application execution, file access, and clipboard history over the past 30 days.
Evidence Collected
Question
In Windows 10, the "Timeline" feature records user activities. This data is stored in which database?
Expert Analysis
1. What evidence shows
The scenario requires the extraction of a 30-day chronological history of application execution and file access. The artifact location explicitly points to the ConnectedDevicesPlatform directory, which is the backend framework for the Windows 10/11 Timeline feature.
2. Identify forensic stage
Analysis: The investigator is currently parsing collected logical artifacts (a specific database) to conduct a timeline analysis of the suspect's behavior.
3. Why correct answer is correct (A)
ActivitiesCache.db is the SQLite database that underpins the Windows 10 Timeline feature (introduced in version 1803). It contains extensive records of user activities, including when applications were launched, files were opened, web pages were visited (in supported browsers), and clipboard history. This database is a goldmine for determining user intent and chronological actions.
4. Why others are wrong
B. WebCache.dat: This is an Extensible Storage Engine (ESE) database used primarily by legacy Internet Explorer and Edge for storing web browsing history, cookies, and cached files. It is not the Windows Timeline database.
C. History.db: While similar sounding, this is a generic filename typically associated with specific web browsers (like Firefox or Chrome), not the Windows OS-level activity tracker.
D. Timeline.xml: This is a distractor. The Timeline feature uses a robust SQLite relational database, not a flat XML file, to handle complex activity syncing and querying.
5. Real-world forensic action
In practice, a digital forensic investigator extracts the ActivitiesCache.db file from a disk image and parses it using an SQLite database viewer (like DB Browser for SQLite) or specialized forensic tools like Eric Zimmerman’s W10Timeline tool or Magnet AXIOM. The primary tables analyzed are Activity (what was done) and ActivityOperation (when and how it was interacted with).
6. MINI LESSON: Windows 10 Timeline Forensics
- Structure: The database relies heavily on JSON blobs within the SQLite tables. The Payload column often contains detailed JSON data showing file paths, application IDs, and even small image thumbnails.
- Cloud Synchronization: If the user is signed in with a Microsoft Account, Timeline data can sync across multiple devices. Investigators may find artifacts originating from a different physical machine entirely.
- Volatility: Users can manually clear their Timeline via Windows Settings. However, investigators should always parse the WAL (Write-Ahead Log) file (ActivitiesCache.db-wal), which often contains deleted, uncommitted, or recently purged records that haven't been fully overwritten.
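The following is an added example, not code from the page or from any of the tools it names. It builds a small SQLite database locally that mimics a subset of the real Activity table (the column names Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime, Payload and ClipboardPayload are real; the rows, file paths and user name are constructed), decodes the JSON in AppId and Payload into a chronological timeline, and then demonstrates the WAL point from the mini lesson: when the database is acquired without its -wal sidecar, recently committed activity rows are simply not there. The ActivityType labels are an assumption taken from commonly published mappings and should be checked against your tooling's documentation.

```python
"""Parse a constructed Windows Timeline ActivitiesCache.db into a chronological list
and show why ActivitiesCache.db-wal must be acquired alongside the main file."""
import json
import os
import shutil
import sqlite3
import tempfile
import uuid
from datetime import datetime, timezone

# Assumption: commonly documented ActivityType meanings; verify before relying on them.
ACTIVITY_TYPES = {5: "open/execute", 6: "in-focus", 10: "clipboard"}

# Subset of the real Activity table. Real Ids are 16-byte GUID blobs; timestamps are Unix seconds.
CREATE_SQL = """CREATE TABLE Activity (
    Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INT,
    StartTime INT, EndTime INT, LastModifiedTime INT,
    Payload BLOB, ClipboardPayload BLOB)"""


def _app_id(exe_path):
    # The real AppId column holds a JSON array of {application, platform} objects.
    return json.dumps([{"application": exe_path, "platform": "windows_win32"}])


def _payload(**fields):
    return json.dumps(fields).encode("utf-8")


# Constructed sample records (not real evidence): Outlook opened, then Project_Titan.docx
# opened in Word and kept in focus for about fifteen minutes.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_ROWS = [
    (uuid.uuid4().bytes, _app_id(OUTLOOK), 5, 1700000000, 1700000000, 1700000000,
     _payload(displayText="Inbox - Mail", appDisplayName="Outlook"), None),
    (uuid.uuid4().bytes, _app_id(WINWORD), 5, 1700003600, 1700003600, 1700003600,
     _payload(displayText="Project_Titan.docx", appDisplayName="Word",
              contentUri="file:///C:/Users/jdoe/Documents/Project_Titan.docx"), None),
    (uuid.uuid4().bytes, _app_id(WINWORD), 6, 1700003605, 1700004500, 1700004500,
     _payload(displayText="Project_Titan.docx", appDisplayName="Word"), None),
]


def _to_iso(epoch):
    return None if epoch is None else datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def _loads(blob):
    # AppId/Payload are UTF-8 JSON; tolerate NULLs and damaged blobs instead of aborting the parse.
    if blob is None:
        return {}
    try:
        return json.loads(blob.decode("utf-8") if isinstance(blob, bytes) else blob)
    except (ValueError, UnicodeDecodeError):
        return {"_raw": repr(blob)}


def parse_timeline(db_path):
    """Return Activity rows, oldest first, as dicts. Run this only against a working copy."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT AppId, ActivityType, StartTime, EndTime, Payload "
                            "FROM Activity ORDER BY StartTime").fetchall()
    finally:
        conn.close()
    timeline = []
    for app_id, atype, start, end, payload in rows:
        apps, body = _loads(app_id), _loads(payload)
        timeline.append({
            "start": _to_iso(start), "end": _to_iso(end),
            "type": ACTIVITY_TYPES.get(atype, f"unknown({atype})"),
            "app": apps[0].get("application") if isinstance(apps, list) and apps else None,
            "title": body.get("displayText") or body.get("description"),
            "uri": body.get("contentUri"),
        })
    return timeline


def run_demo():
    """Build the constructed DB in WAL mode, then parse two acquisitions: db only, and db + wal."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ActivitiesCache.db")
        conn = sqlite3.connect(src)
        conn.execute(CREATE_SQL)
        conn.commit()                        # schema is written into the main file
        conn.execute("PRAGMA journal_mode=WAL")
        conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
        conn.commit()                        # rows now live only in ActivitiesCache.db-wal
        # Copy while the connection is open so SQLite has not yet checkpointed the WAL.
        db_only = os.path.join(work, "acq_db_only")
        db_and_wal = os.path.join(work, "acq_db_and_wal")
        os.mkdir(db_only)
        os.mkdir(db_and_wal)
        shutil.copy(src, db_only)
        shutil.copy(src, db_and_wal)
        shutil.copy(src + "-wal", db_and_wal)
        conn.close()
        partial = parse_timeline(os.path.join(db_only, "ActivitiesCache.db"))
        full = parse_timeline(os.path.join(db_and_wal, "ActivitiesCache.db"))
        return {"rows_without_wal": len(partial), "rows_with_wal": len(full), "timeline": full}


if __name__ == "__main__":
    result = run_demo()
    print(f"db only: {result['rows_without_wal']} rows; db + wal: {result['rows_with_wal']} rows")
    for entry in result["timeline"]:
        print(entry["start"], entry["type"], entry["app"], entry["title"], entry["uri"])
```

The output of run_demo shows the practical consequence: the copy taken without ActivitiesCache.db-wal parses cleanly but contains zero activity rows, while the copy taken with the sidecar yields all three, including the open and in-focus records for Project_Titan.docx. Against a real image, point parse_timeline at a working copy of the extracted database (with its -wal file beside it) and correlate StartTime/EndTime with the suspect's claimed activity for the day.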