Activities Cache Analysis

Introduced in Windows 10 (Build 1803+) and present in Windows 11, the Activities Cache powers the Windows Timeline feature, aiming to provide a chronological view of user tasks across applications and potentially synced devices. The data is stored in an SQLite database named ActivitiesCache.db, located within the user's profile at C:\Users\%username%\AppData\Local\ConnectedDevicesPlatform\{UserProfile_ID}\ActivitiesCache.db. For this database to be actively populated, several prerequisites usually need to be met: the OS must be a compatible version, the "Connected User Experiences and Telemetry" (DiagTrack) service generally needs to be running, and the relevant user activity history settings must be enabled in Windows privacy options. Even then, the database content might be encrypted depending on system configuration.

Despite these dependencies, a populated ActivitiesCache.db holds valuable user-centric activity records: launched applications, opened file paths, websites visited (browser dependent), start and end timestamps for each activity, and application-specific details such as document names or window titles. Forensically, it offers a rich timeline that can corroborate application usage seen in other artifacts, track specific file access events, reconstruct a user's workflow around a given time, and retain references to files that have since been deleted. Because the content may be encrypted, and because the related registry keys expose sensitive user data (such as linked Microsoft account details), direct manual parsing is discouraged. The recommended tool is WxTCmd (Eric Zimmerman), a command-line utility written specifically to parse ActivitiesCache.db, handle potential encryption, and export the data (e.g., to CSV) in a forensically sound manner, so that the analyst never needs to browse the related registry keys by hand.
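As an added illustration of what a parser has to do with this artifact (this is example code written for this page; it is neither the page's own material nor WxTCmd), the following Python builds a small, constructed ActivitiesCache.db-style database and walks its Activity table into a chronological timeline. The table layout is an assumed, simplified subset of the real schema (columns Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime, ExpirationTime, Payload; epoch-second timestamps; JSON in AppId and Payload), the ActivityType labels and the JSON field names (displayText, contentUri, appDisplayName, activeDurationSeconds) are assumptions, and every sample row is constructed. The header check at the top is the practical test for the encryption caveat above: a file that does not start with the SQLite magic is not a plain database and should go to a dedicated parser rather than sqlite3.

```python
"""Added example: parse an ActivitiesCache.db-style Activity table into a timeline.
Illustrative code for this page, not WxTCmd. Schema, ActivityType labels and JSON
field names are assumptions; all sample rows are constructed."""
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# First 16 bytes of every unencrypted SQLite 3 file.
SQLITE_MAGIC = b"SQLite format 3\x00"

# ActivityType codes as labelled in WxTCmd output (assumption; unmapped codes
# are reported as Unknown so nothing is silently dropped).
ACTIVITY_TYPES = {5: "ExecutionTracked", 6: "InFocus"}

NOTEPAD = json.dumps([{"application": "C:\\Windows\\notepad.exe", "platform": "x_exe_path"}])
BROWSER = json.dumps([{"application": "C:\\Program Files\\Browser\\browser.exe",
                       "platform": "x_exe_path"}])

# Constructed sample rows: a Notepad session on a document, its in-focus interval,
# and an earlier browser launch. Inserted out of order so the ORDER BY matters.
# Times are 2024-03-01 UTC; ExpirationTime is 30 days after LastModifiedTime.
SAMPLE_ROWS = [
    (b"\x01" * 16, NOTEPAD, 5, 1709283600, 1709284500, 1709284500, 1711876500,
     json.dumps({"type": "UserEngaged", "displayText": "report.docx",
                 "contentUri": "file:///C:/Users/alice/Documents/report.docx",
                 "appDisplayName": "Notepad"}).encode()),
    (b"\x02" * 16, NOTEPAD, 6, 1709283610, 1709284500, 1709284500, 1711876500,
     json.dumps({"type": "UserEngaged", "activeDurationSeconds": 890}).encode()),
    (b"\x03" * 16, BROWSER, 5, 1709282700, 1709283000, 1709283000, 1711875000,
     json.dumps({"type": "UserEngaged", "displayText": "Example Domain",
                 "contentUri": "https://example.com/", "appDisplayName": "Browser"}).encode()),
]


def header_is_sqlite(header: bytes) -> bool:
    """True when the bytes begin with the SQLite magic, i.e. a plain, unencrypted DB."""
    return header[:16] == SQLITE_MAGIC


def is_plain_sqlite(path: str) -> bool:
    with open(path, "rb") as fh:
        return header_is_sqlite(fh.read(16))


def to_utc(ts):
    """Epoch seconds -> ISO 8601 UTC string (None stays None)."""
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def build_sample_db(path: str) -> None:
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE Activity (Id BLOB PRIMARY KEY, AppId TEXT, "
                 "ActivityType INTEGER, StartTime INTEGER, EndTime INTEGER, "
                 "LastModifiedTime INTEGER, ExpirationTime INTEGER, Payload BLOB)")
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def load_timeline(path: str) -> list:
    """Activity rows as dicts in chronological order, timestamps decoded and the
    JSON AppId/Payload fields unpacked. Refuses files that are not plain SQLite."""
    if not is_plain_sqlite(path):
        raise ValueError(f"{path}: not a plain SQLite file; use a dedicated parser")
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    rows = conn.execute("SELECT * FROM Activity ORDER BY StartTime").fetchall()
    conn.close()
    timeline = []
    for r in rows:
        app_ids = json.loads(r["AppId"]) if r["AppId"] else []
        payload = json.loads(r["Payload"]) if r["Payload"] else {}
        timeline.append({
            "start": to_utc(r["StartTime"]),
            "end": to_utc(r["EndTime"]),
            "last_modified": to_utc(r["LastModifiedTime"]),
            "expires": to_utc(r["ExpirationTime"]),
            "type": ACTIVITY_TYPES.get(r["ActivityType"], f"Unknown({r['ActivityType']})"),
            "application": app_ids[0]["application"] if app_ids else None,
            "title": payload.get("displayText"),
            "content": payload.get("contentUri"),
            "active_seconds": payload.get("activeDurationSeconds"),
        })
    return timeline


def referenced_files(timeline: list) -> set:
    """Local paths named in contentUri values; comparing these against the file
    system or MFT is how the cache surfaces files that no longer exist."""
    prefix = "file:///"
    return {e["content"][len(prefix):] for e in timeline
            if e["content"] and e["content"].startswith(prefix)}


def demo() -> list:
    path = os.path.join(tempfile.mkdtemp(), "ActivitiesCache.db")
    build_sample_db(path)
    return load_timeline(path)


if __name__ == "__main__":
    for e in demo():
        print(e["start"], e["end"], e["type"], e["application"], e["content"])
```

On a real acquisition, point load_timeline at a copy of the database taken from the path given above (never the live file), and expect additional columns and ActivityType codes beyond the subset modelled here; the Unknown label marks rows that need manual review rather than hiding them.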
