ActivitiesCache.db (Windows Timeline)

Windows | User Activity | Disk Image

Location

C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<folder>\ActivitiesCache.db

Description

SQLite database powering Windows Timeline (Win10 1803+). It tracks application usage, file access with full paths, URLs visited, and clipboard content history, with base64-encoded clipboard payloads retained for approximately 12 hours.

Forensic Value

ActivitiesCache.db provides a detailed timeline of user activity across applications with precise timestamps. It records which applications were in focus, which files were opened (with full paths), and browser URLs visited. The clipboard history feature stores base64-encoded clipboard content for approximately 12 hours, potentially capturing copied passwords, commands, or sensitive data. Activity entries persist across reboots and are not cleared by standard history deletion methods.

Tools Required

  • KAPE
  • WxTCmd (Eric Zimmerman)
  • DB Browser for SQLite
  • Autopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target ActivitiesCache

WxTCmd

WxTCmd.exe -f "C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<folder>\ActivitiesCache.db" --csv C:\output --csvf ActivitiesCache.csv

SQLite

sqlite3 "ActivitiesCache.db" "SELECT AppId, ActivityType, datetime(LastModifiedTime,'unixepoch'), Payload FROM Activity ORDER BY LastModifiedTime DESC"
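
The query above returns the payloads raw. The following Python sketch is an added example, not part of the original page or of any listed tool; it builds a timeline and decodes the base64 clipboard content, tolerating damaged records. The ClipboardPayload column, the JSON shapes of AppId, Payload and ClipboardPayload, and the ActivityType values 5 and 10 are assumptions about the schema, and all rows are constructed sample data.

```python
import base64, binascii, datetime, json, sqlite3

def build_sample_db():
    # Constructed rows standing in for a real ActivitiesCache.db (column set is an assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INTEGER,"
                " LastModifiedTime INTEGER, Payload BLOB, ClipboardPayload TEXT)")
    app = json.dumps([{"application": "Microsoft.Windows.Notepad", "platform": "packageId"}])
    b64 = base64.b64encode(b"ipconfig /all").decode()
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?)", [
        (app, 5, 1700000000, b'{"displayText":"notes.txt"}', None),
        (app, 10, 1700000060, None, json.dumps([{"content": b64, "formatName": "Text"}])),
        (app, 10, 1700000120, None, '[{"content":"%%%not-base64"}]'),
        (app, 10, 1700000180, None, "truncated-json["),
    ])
    return con

def _json(value, kind):
    # Accepts TEXT or BLOB; damaged or unexpected records yield None instead of aborting.
    try:
        parsed = json.loads(value) if value else None
    except (ValueError, TypeError):
        return None
    return parsed if isinstance(parsed, kind) else None

def clipboard_texts(raw):
    # Decode every base64 "content" item; flag entries that cannot be decoded.
    items = _json(raw, list)
    if items is None:
        return ["<undecodable>"] if raw else []
    out = []
    for item in items:
        try:
            out.append(base64.b64decode(item["content"], validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError, KeyError, TypeError):
            out.append("<undecodable>")
    return out

def timeline(con):
    rows = con.execute("SELECT AppId, ActivityType, LastModifiedTime, Payload, ClipboardPayload"
                       " FROM Activity ORDER BY LastModifiedTime")
    events = []
    for app_id, a_type, ts, payload, clip in rows:
        apps = _json(app_id, list) or [{}]
        events.append({"utc": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).isoformat(),
                       "app": apps[0].get("application") if isinstance(apps[0], dict) else None,
                       "type": a_type, "display": (_json(payload, dict) or {}).get("displayText"),
                       "clipboard": clipboard_texts(clip)})
    return events
```

To use it on evidence, replace build_sample_db() with sqlite3.connect() on a working copy of the collected database, never the original.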

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

  • T1005
  • T1115