Windows Timeline

Overview

Evidence: Windows Timeline Description: Collect Windows Timeline Category: System Platform: windows Short Name: tmln Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): Yes

Background

Windows Timeline (ActivitiesCache.db) tracks user activities like app usage and file access. This data is essential for reconstructing user behavior and sequences of actions.

Data Collected

This collector gathers structured data about windows timeline.

Collection Method

This collector copies ActivitiesCache.db from user profiles, queries the Activity table, and records normalized fields into timeline.

Forensic Value

This evidence is crucial for forensic investigations as it provides rich user activity telemetry for timeline analysis.