ActivitiesCache.db (Windows Timeline)

windowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<folder>\ActivitiesCache.db

Description

SQLite database powering Windows Timeline (Win10 1803+) tracking application usage, file access with full paths, URLs visited, and clipboard content history with base64-encoded payloads retained for approximately 12 hours.

Forensic Value

ActivitiesCache.db provides a detailed timeline of user activity across applications with precise timestamps. It records which applications were in focus, which files were opened (with full paths), and browser URLs visited. The clipboard history feature stores base64-encoded clipboard content for approximately 12 hours, potentially capturing copied passwords, commands, or sensitive data. Activity entries persist across reboots and are not cleared by standard history deletion methods.

Tools Required

KAPEWxTCmd (Eric Zimmerman)DB Browser for SQLiteAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical