Activities Cache

Purpose and Function

The Activities Cache is the on-disk store behind the Windows Timeline feature, introduced in Windows 10 version 1803. Windows 11 dropped the Timeline user interface and the cross-device syncing, but the database itself is still written on Windows 11 systems. The feature records a chronological history of a user's activities (applications launched, documents opened, websites visited) so that tasks can be resumed across sessions and, on Windows 10, across devices signed in to the same Microsoft account.

From a DFIR perspective, the ActivitiesCache.db database is an exceptionally detailed artifact. It provides a user-centric log of system interactions, offering context about not just which applications were run, but when, for how long they held the foreground, and which files, documents or URLs they were used with.

Location and Dependencies

The Activities Cache is stored as an SQLite database file within each user's profile.

  • Location: C:\Users\%username%\AppData\Local\ConnectedDevicesPlatform\{UserProfile_ID}\ActivitiesCache.db. The {UserProfile_ID} folder is named L.<username> for local accounts and carries an account-specific identifier for Microsoft accounts. Collect the sidecar files ActivitiesCache.db-wal and ActivitiesCache.db-shm together with the database: the most recent rows often exist only in the write-ahead log until SQLite checkpoints them, and a copy of the .db alone will be missing exactly the activity you are most interested in.

The population and accessibility of this artifact are dependent on several system settings and services:

  • System Settings: The user must have "Store my activity history on this device" enabled under Settings > Privacy > Activity history. An administrator can force it off through Group Policy; the corresponding value is PublishUserActivities (DWORD 0) under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, which is worth checking whenever the database is unexpectedly empty.

  • System Services: The database is maintained by the Connected Devices Platform services (CDPSvc and the per-user CDPUserSvc_<suffix>), which is why it lives under the ConnectedDevicesPlatform folder; if those services are stopped or disabled the file stops being populated.

  • Encoding: The file is a standard SQLite database and opens in any SQLite client. What makes it awkward to read by hand is that several columns hold JSON (AppId, Payload), timestamps are Unix-epoch integers, and some fields such as ClipboardPayload are stored base64-encoded rather than as readable text, so a parser that decodes these is needed to get the full picture.

Stored Metadata

As an SQLite database, ActivitiesCache.db contains multiple tables that store a wealth of structured information. Key metadata found within includes:

  • Application Information: The AppId column holds a JSON list of {platform, application} pairs identifying the program that generated the activity; the x_exe_path entry carries the executable path (e.g., javaw.exe, explorer.exe), sometimes prefixed with a known-folder GUID rather than a drive letter.

  • Activity Type: The ActivityType column records the nature of the interaction. The two values that matter most are 5 (an Open/execution record for an app, file or page) and 6 (an InFocus record, whose payload carries "type": "UserEngaged").

  • Focus Time: StartTime and EndTime (Unix epoch seconds) on the InFocus rows, together with the activeDurationSeconds value in their payload, show how long an application was in the foreground.

  • Display Text and Content: Rich contextual information, such as the window title of the application, the name of the document being edited, or the URL of the website being visited.

  • Payload Data: Often a JSON blob containing detailed, application-specific information about the activity, which can include full file paths or other unique identifiers.
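The parser below, added here as an example and not code from the original page, shows how those columns fit together. It opens the Activity table with Python's sqlite3 module, decodes the AppId and Payload JSON, converts the epoch timestamps to UTC and emits the rows in chronological order. The in-memory database it builds is constructed sample data with only a subset of the real table's columns, the KNOWN_FOLDERS map covers just a few of the known-folder GUIDs that appear in x_exe_path entries, and the ActivityType codes and payload key names (displayText, contentUri, activeDurationSeconds) are the ones observed in real databases.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values seen in real ActivitiesCache.db rows; anything else is
# reported by number so unknown types are not silently dropped.
ACTIVITY_TYPES = {5: "ExecutionTracked", 6: "InFocus", 10: "Clipboard"}

# KNOWNFOLDERID GUIDs that show up as prefixes in x_exe_path entries (subset).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
}


def to_utc(epoch):
    """Unix-epoch seconds -> ISO-8601 UTC string; 0/None (unset) -> None."""
    if not epoch:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def resolve_app(app_id_json):
    """Pick the executable path out of the AppId column (a JSON list of
    {platform, application} pairs), expanding a known-folder GUID prefix."""
    try:
        entries = json.loads(app_id_json or "[]")
    except ValueError:
        return app_id_json
    by_platform = {e.get("platform"): e.get("application") for e in entries}
    app = by_platform.get("x_exe_path") or (entries[0].get("application") if entries else None) or ""
    for guid, folder in KNOWN_FOLDERS.items():
        if app.upper().startswith(guid):
            return folder + app[len(guid):]
    return app


def parse_payload(payload):
    """Decode the Payload column (a JSON BLOB) into a dict, tolerating junk."""
    if payload is None:
        return {}
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    try:
        data = json.loads(payload)
    except ValueError:
        return {"raw": payload}
    return data if isinstance(data, dict) else {"raw": data}


def parse_activity_table(conn):
    """Return chronological records from the Activity table of an open database."""
    sql = """SELECT AppId, ActivityType, StartTime, EndTime, ExpirationTime, Payload
             FROM Activity ORDER BY StartTime, LastModifiedTime"""
    records = []
    for app_id, atype, start, end, expires, payload in conn.execute(sql):
        p = parse_payload(payload)
        records.append({
            "start": to_utc(start), "end": to_utc(end), "expires": to_utc(expires),
            "type": ACTIVITY_TYPES.get(atype, f"Type{atype}"),
            "app": resolve_app(app_id),
            # type-5 rows carry displayText/contentUri (title, document or URL);
            # type-6 rows carry activeDurationSeconds (time in the foreground).
            "title": p.get("displayText"),
            "content": p.get("contentUri"),
            "focus_seconds": p.get("activeDurationSeconds"),
        })
    return records


def narrative(records):
    """One line per activity, in the order a screensharer would walk through it."""
    lines = []
    for r in records:
        detail = r["title"] or ""
        if r["content"]:
            detail += f" ({r['content']})"
        if r["focus_seconds"] is not None:
            detail += f" in focus for {r['focus_seconds']}s"
        lines.append(f"{r['start']} {r['type']:<16} {r['app']}  {detail.strip()}".rstrip())
    return lines


def _epoch(iso):
    """'YYYY-MM-DDTHH:MM:SS' (UTC) -> Unix epoch seconds, for the sample rows."""
    return int(datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """Constructed in-memory stand-in for ActivitiesCache.db (subset of columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Activity (
        AppId TEXT, ActivityType INTEGER, StartTime INTEGER, EndTime INTEGER,
        LastModifiedTime INTEGER, ExpirationTime INTEGER, Payload BLOB)""")

    def app_id(path):  # AppId as the real column stores it
        return json.dumps([{"platform": "x_exe_path", "application": path}])

    rows = [  # browser visit, archive opened, then the game held in the foreground
        (app_id("{6D809377-6AF0-444B-8957-A3773F02200E}\\Browser\\browser.exe"), 5,
         _epoch("2024-05-01T15:10:00"), 0, _epoch("2024-05-01T15:10:05"), _epoch("2024-05-31T15:10:00"),
         json.dumps({"displayText": "cheats.com", "contentUri": "https://cheats.com/superaim"}).encode()),
        (app_id("C:\\Program Files\\WinRAR\\WinRAR.exe"), 5,
         _epoch("2024-05-01T15:12:00"), 0, _epoch("2024-05-01T15:12:01"), _epoch("2024-05-31T15:12:00"),
         json.dumps({"displayText": "SuperAim.zip",
                     "contentUri": "file:///C:/Users/player/Downloads/SuperAim.zip"}).encode()),
        (app_id("C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe"), 6,
         _epoch("2024-05-01T15:13:00"), _epoch("2024-05-01T15:23:00"),
         _epoch("2024-05-01T15:23:00"), _epoch("2024-05-31T15:13:00"),
         json.dumps({"type": "UserEngaged", "reportingApp": "ShellActivityMonitor",
                     "activeDurationSeconds": 600}).encode()),
    ]
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    # Real data: copy the .db with its -wal/-shm files, then
    # sqlite3.connect(f"file:{path}?mode=ro", uri=True) instead of build_sample_db().
    for line in narrative(parse_activity_table(build_sample_db())):
        print(line)
```

Run against a copied database the same three functions apply unchanged; the only difference is that the real Activity table has many more columns (Id, ActivityStatus, PlatformDeviceId, ClipboardPayload and so on), which the SELECT above simply ignores.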

Forensic Value

The Activities Cache provides a uniquely comprehensive view of a user's workflow, making it invaluable for reconstructing a sequence of events.

  • Rich Timeline: It offers a more detailed and context-aware timeline than many other execution artifacts. It doesn't just show that a program was run; it can show that a user opened a specific file with that program and worked on it for a specific duration.

  • Corroboration of User Intent: The data can help establish user intent. For example, it might show a user opening a web browser, navigating to a cheat website, downloading a file, opening a .zip archive, and then launching an executable from within it—all as a series of connected activities.

  • Persistence: Each row carries an ExpirationTime, by default 30 days after the activity, so the database normally holds about a month of history, preserving evidence that more volatile artifacts have already lost. Rows removed by expiry or by the "Clear activity history" button are deleted SQLite records, which may still be recoverable from unallocated pages of the file until it is vacuumed.

  • Recovery of Deleted File Traces: It can contain references (e.g., display text or payload data) to files that have since been deleted from the filesystem, proving their prior existence and use.

The schema is involved (several tables, JSON inside columns, epoch timestamps and encoded payloads), so a purpose-built parser such as Eric Zimmerman's WxTCmd is the recommended way to analyse it, although any SQLite client can open the file for a quick look.

Reflection points (SS Contest)

For a ScreenSharer, the Activities Cache can be the source that ties all other pieces of evidence together into an undeniable story.

  • Building a Narrative: This is its greatest strength in an SS. You're not just presenting isolated artifacts; you're showing a step-by-step narrative of the player's actions. For example: "At 15:10, your browser activity shows you visited cheats.com. At 15:12, an activity for WinRAR shows you opened SuperAim.zip. At 15:13, this database shows the execution of SuperAim.exe."

  • Dependency Check: If the database is empty or stops well before the time of the check even though the user was plainly using the machine, first confirm why: look at the "Store my activity history on this device" toggle, the PublishUserActivities policy value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, whether the CDP services are running, and the modification times of the .db and -wal files. A user who deliberately disabled activity tracking or cleared the history has removed evidence, which is suspicious in itself, but a gap on its own is not proof: corroborate it with the other execution artifacts before drawing a conclusion.
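One way to make that "missing data" judgement measurable, as an added example rather than anything from the original page: take the InFocus (StartTime, EndTime) pairs from the Activity table, merge them, and list the stretches of the session window with no recorded foreground activity. The session window (assumed here to run from logon to the start of the check) and the focus intervals below are constructed sample data, and the 15-minute threshold is an arbitrary default.

```python
from datetime import datetime, timezone


def _iso(epoch):
    """Unix-epoch seconds -> ISO-8601 UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def merge_intervals(intervals):
    """Sort (start, end) epoch pairs and merge overlaps; drop empty or inverted
    rows such as an InFocus record whose EndTime is still 0 (unset)."""
    merged = []
    for start, end in sorted(intervals):
        if end <= start:
            continue
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def find_coverage_gaps(intervals, window_start, window_end, min_gap):
    """Return (gap_start, gap_end) pairs inside the window that no interval
    covers and that last at least min_gap seconds."""
    gaps = []
    cursor = window_start
    for start, end in merge_intervals(intervals):
        if end <= window_start:
            continue
        if start >= window_end:
            break
        if start - cursor >= min_gap:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if window_end - cursor >= min_gap:
        gaps.append((cursor, window_end))
    return gaps


def coverage_report(intervals, window_start, window_end, min_gap=15 * 60):
    """Summarise how much of the session window has InFocus coverage."""
    gaps = find_coverage_gaps(intervals, window_start, window_end, min_gap)
    covered = 0
    for start, end in merge_intervals(intervals):
        start, end = max(start, window_start), min(end, window_end)
        if end > start:
            covered += end - start
    return {
        "no_data": not intervals,  # nothing recorded at all: check the setting/policy first
        "coverage": covered / (window_end - window_start),
        "gaps": [(_iso(s), _iso(e)) for s, e in gaps],
    }


def _epoch(iso):
    """'YYYY-MM-DDTHH:MM:SS' (UTC) -> Unix epoch seconds, for the sample data."""
    return int(datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: a two-hour session window and the (StartTime, EndTime)
# pairs as they would come out of ActivityType 6 rows for that session.
SAMPLE_WINDOW = (_epoch("2024-05-01T14:00:00"), _epoch("2024-05-01T16:00:00"))
SAMPLE_FOCUS = [
    (_epoch("2024-05-01T14:00:00"), _epoch("2024-05-01T14:30:00")),
    (_epoch("2024-05-01T14:20:00"), _epoch("2024-05-01T14:50:00")),  # overlaps the row above
    (_epoch("2024-05-01T15:13:00"), _epoch("2024-05-01T15:23:00")),
    (_epoch("2024-05-01T15:30:00"), 0),                              # EndTime unset, ignored
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_FOCUS, *SAMPLE_WINDOW)
    print(f"coverage {report['coverage']:.0%}, no_data={report['no_data']}")
    for gap_start, gap_end in report["gaps"]:
        print("no foreground activity recorded:", gap_start, "->", gap_end)
```

An empty result with no_data set points at the setting, the policy or the services rather than at the user's behaviour; a run of gaps that line up with other evidence of the machine being in use (event log logons, prefetch timestamps) is what actually supports the "history was cleared" argument.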
