Timeline

Overview

  • Evidence: Timeline
  • Description: Collect Timeline
  • Category: System
  • Platform: Windows
  • Short Name: timeline
  • Is Parsed: Yes
  • Sent to Investigation Hub: Yes
  • Collect File(s): Yes

Background

Windows Timeline (introduced in Windows 10 version 1803) keeps a per-user, chronological record of user activity: applications launched and brought into focus, documents and URLs opened, and clipboard events. The record is stored in a SQLite database named ActivitiesCache.db under the user's ConnectedDevicesPlatform folder, and entries may also be synchronized to the user's Microsoft account. Because each entry carries start and end times, the application identity and a payload describing what was opened, the data is well suited to reconstructing what a user did on a host and when.

Data Collected

This collector produces one structured record per activity entry found in the Timeline database, with the fields listed below.

Timeline Data

Field | Description | Example
ID | Primary key of the parsed record (auto-increment) | 1
ActivityID | GUID identifying the activity (the Activity table's Id) | 12345678-1234-1234-1234-123456789012
Username | Account whose profile the database was collected from | Administrator
ApplicationName | Application that generated the activity, resolved from the AppId field (an executable path or package identifier) | Microsoft Edge
Platform | Platform the activity was recorded on | Windows
ParentActivityID | GUID of the parent activity; an in-use record points back to the open record it belongs to | 87654321-4321-4321-4321-210987654321
AppActivityID | Application-defined activity identifier, often the document path or URL | app-activity-123
ActivityType | Numeric activity type; 5 records an application or document being opened, 6 records a period in which the application was in use | 5
ActivityStatus | Numeric status code of the activity | 0
Tag | Free-form tag set by the application | web-browsing
Priority | Priority assigned by the application | 1
IsLocalOnly | 1 when the activity was kept on this device only and not synchronized to the cloud | 0
PlatformDeviceID | Identifier of the device the activity was recorded on | device-123
DDSDeviceID | DDS device identifier of the recording device | dds-456
Payload | JSON payload describing the activity, for example the display text, content URI or URL the application recorded | {"url":"https://example.com"}
IsRead | Read flag | 1
ETag | Entity tag used for cloud synchronization | 12345
LastModifiedTime | Time the record was last modified | 2023-10-15 14:30:25
ExpirationTime | Time after which the record is eligible for deletion | 2023-10-16 14:30:25
CreatedInCloud | Time the record was created in the cloud; empty when it was never synchronized | 2023-10-15 14:30:25
StartTime | Time the activity started | 2023-10-15 14:30:25
EndTime | Time the activity ended; for in-use (type 6) records, EndTime minus StartTime is the period of use | 2023-10-15 14:35:25
LastModifiedOnClient | Time the record was last modified on the device | 2023-10-15 14:30:25
OriginalLastModifiedOnClient | Original client-side modification time | 2023-10-15 14:30:25
LocalExpirationTime | Local expiration time | 2023-10-16 14:30:25

Timestamps are stored in the database as Unix epoch seconds and are rendered by the collector in the format shown above.

Collection Method

This collector parses the Activity table of each user's ActivitiesCache.db (a SQLite database) into the records described above.

This collector also collects the database files themselves from the following location in every user profile:

  • %LOCALAPPDATA%\ConnectedDevicesPlatform\

ActivitiesCache.db sits in a per-account subfolder of that directory; collecting the whole directory preserves the database together with its write-ahead log, which may hold entries not yet merged into the main file.
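The following is an added example of how the Activity table described in the Data Collected and Collection Method sections can be parsed; it is not the collector's own code. It assumes the on-disk layout of ActivitiesCache.db (16-byte GUID blobs for Id and ParentActivityId, an AppId column holding a JSON array of {application, platform} pairs, Unix-epoch-second timestamps, and a JSON Payload blob) and builds a constructed three-row sample database in memory rather than reading a real capture. The type labels come from common Timeline parsers and are an assumption, not part of the page.

```python
"""Parse Windows Timeline Activity rows (ActivitiesCache.db) into a chronological record."""
import json
import sqlite3
import uuid
from datetime import datetime, timezone

# Type labels as used by common Timeline parsers (assumption); other types stay numeric.
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus", 10: "Clipboard", 16: "CopyPaste"}


def guid_from_blob(blob) -> str:
    """Id / ParentActivityId are 16-byte little-endian GUID blobs; render as text."""
    return str(uuid.UUID(bytes_le=bytes(blob))) if blob else ""


def epoch_to_iso(value) -> str:
    """Timestamps are Unix epoch seconds (UTC); 0 or NULL means unset."""
    if not value:
        return ""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def app_from_appid(app_id_json) -> tuple:
    """AppId is a JSON array of {application, platform}; prefer the Win32 path entry."""
    try:
        entries = json.loads(app_id_json or "[]")
    except (json.JSONDecodeError, TypeError):
        return ("<unparsed AppId>", "")
    for preferred in ("windows_win32", "packageId", "x_exe_path"):
        for entry in entries:
            if entry.get("platform") == preferred:
                return (entry.get("application", ""), preferred)
    if entries:
        return (entries[0].get("application", ""), entries[0].get("platform", ""))
    return ("", "")


def decode_payload(blob) -> dict:
    """Payload is JSON stored as a BLOB; return {} when absent or not JSON."""
    if not blob:
        return {}
    text = blob.decode("utf-8", "replace") if isinstance(blob, (bytes, bytearray)) else str(blob)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return {}
    return data if isinstance(data, dict) else {}


def parse_activities(conn: sqlite3.Connection) -> list:
    """Return Activity rows in start-time order with decoded fields."""
    sql = """SELECT Id, AppId, ActivityType, ParentActivityId, Payload, IsLocalOnly,
                    PlatformDeviceId, StartTime, EndTime, LastModifiedTime, ExpirationTime
             FROM Activity ORDER BY StartTime, LastModifiedTime"""
    rows = []
    for (id_, app_id, a_type, parent, payload, local_only, dev, start, end, mod, exp) in conn.execute(sql):
        app, platform = app_from_appid(app_id)
        body = decode_payload(payload)
        rows.append({
            "ActivityID": guid_from_blob(id_),
            "ParentActivityID": guid_from_blob(parent),
            "ApplicationName": app,
            "Platform": platform,
            "ActivityType": a_type,
            "TypeLabel": ACTIVITY_TYPES.get(a_type, str(a_type)),
            "IsLocalOnly": bool(local_only),
            "PlatformDeviceID": dev,
            "StartTime": epoch_to_iso(start),
            "EndTime": epoch_to_iso(end),
            # InFocus rows bracket a period of use; an EndTime of 0 means still open/unknown.
            "DurationSeconds": (end - start) if (start and end and end >= start) else None,
            "LastModifiedTime": epoch_to_iso(mod),
            "ExpirationTime": epoch_to_iso(exp),
            "DisplayText": body.get("displayText", ""),
            "ContentUri": body.get("contentUri", ""),
        })
    return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample (not a real capture): three rows in the on-disk column layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Activity (
        Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INT, ParentActivityId BLOB, Payload BLOB,
        IsLocalOnly INT, PlatformDeviceId TEXT, StartTime INT, EndTime INT,
        LastModifiedTime INT, ExpirationTime INT)""")
    word = json.dumps([{"application": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                        "platform": "windows_win32"}])
    doc = json.dumps({"displayText": "Budget.docx",
                      "contentUri": "file:///C:/Users/Administrator/Documents/Budget.docx"}).encode()
    open_id = uuid.UUID("12345678-1234-1234-1234-123456789012").bytes_le
    focus_id = uuid.UUID("87654321-4321-4321-4321-210987654321").bytes_le
    clip_id = uuid.UUID("0f0f0f0f-0000-4000-8000-000000000001").bytes_le
    # 1697380225 == 2023-10-15 14:30:25 UTC; expiration is 30 days later.
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        (open_id, word, 5, None, doc, 0, "device-123", 1697380225, 1697380225, 1697380225, 1699972225),
        (focus_id, word, 6, open_id, doc, 0, "device-123", 1697380225, 1697380525, 1697380525, 1699972525),
        (clip_id, word, 10, None, None, 1, "device-123", 1697380600, 0, 1697380600, 1699972600),
    ])
    return conn


if __name__ == "__main__":
    for row in parse_activities(build_sample_db()):
        print(f'{row["StartTime"]} {row["TypeLabel"]:<11} {row["ApplicationName"]} {row["DisplayText"]}')
```

Point `parse_activities` at `sqlite3.connect("ActivitiesCache.db")` opened on a collected copy to run it against real data; the ParentActivityID link is what ties an InFocus period back to the ExecuteOpen record that names the document.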

Usage

This evidence gives investigators a per-user, timestamped record of which applications were launched and kept in focus and which documents and URLs were opened, which makes it a primary source for reconstructing a user's session on a host. Because each entry carries a start time, an end time and a payload naming the content, it can place document access and application use against other artifacts such as logon events and file system timestamps, expose activity by accounts that should not have been interactive, and show whether a suspicious file was actually opened rather than merely present on disk. Entries flagged IsLocalOnly never reached the cloud and exist only in the collected database, and entries expire after their ExpirationTime, so the database should be collected as early as possible.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
