Evidence: Windows Timeline
Description: Collect Windows Timeline
Category: System
Platform: windows
Short Name: tmln
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Timeline (ActivitiesCache.db) tracks user activities like app usage and file access. This data is essential for reconstructing user behavior and sequences of actions.
Data Collected
This collector gathers structured data about Windows Timeline.
Collection Method
This collector copies ActivitiesCache.db from user profiles, queries the Activity table, and records normalized fields into the timeline.
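The query-and-normalize step described above, as an added example that is not the collector's own code. The column subset, the output field names, and the helpers `open_copy`, `parse_activities` and `sample_db` are assumptions made for illustration; the sample rows are constructed.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumed subset of Activity columns; real databases carry more.
QUERY = ("SELECT AppId, ActivityType, Payload, StartTime, EndTime, "
         "LastModifiedTime FROM Activity ORDER BY StartTime")

def open_copy(path):
    """Open a collected copy read-only (keep any -wal/-shm files beside it)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def _iso(epoch):
    """Timestamps are Unix epoch seconds; 0 or NULL means not set."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None

def _json(value, default):
    """Decode a JSON TEXT/BLOB column, tolerating NULL or malformed data."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return default

def _app(app_id):
    """AppId is a JSON array of {application, platform}; take the first named app."""
    entries = _json(app_id, None)
    if not isinstance(entries, list):
        return app_id  # keep the raw value so nothing is silently dropped
    return next((e["application"] for e in entries
                 if isinstance(e, dict) and e.get("application")), None)

def parse_activities(conn):
    """Return one normalized dict per Activity row, ordered by StartTime."""
    out = []
    for app_id, a_type, payload, start, end, modified in conn.execute(QUERY):
        p = _json(payload, {})
        p = p if isinstance(p, dict) else {}
        out.append({"app": _app(app_id), "activity_type": a_type,
                    "display_text": p.get("displayText"), "start": _iso(start),
                    "end": _iso(end), "modified": _iso(modified)})
    return out

def sample_db():
    """Constructed in-memory stand-in for a copied ActivitiesCache.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INT, Payload BLOB,"
                 " StartTime INT, EndTime INT, LastModifiedTime INT)")
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?)", [
        ('[{"application":"notepad.exe","platform":"windows_win32"}]', 5,
         b'{"displayText":"notes.txt"}', 1700000000, 0, 1700000005),
        ("not-json", 6, b'{"displayText":', 1700000100, 1700000160, 1700000160)])
    return conn
```

Rows with an unparseable AppId or Payload are kept with the raw or empty value rather than skipped, so the activity still appears in the timeline.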
Forensic Value
This evidence is crucial for forensic investigations as it provides rich user activity telemetry for timeline analysis.