Timeline ActivitiesCache Parser (tac)
Introduction
In the spring of 2018, Microsoft released a Windows 10 update with the capability to show a chronology of actions taken by the user. This new application is called Timeline and is part of Windows Task View. It allows one to go back in time to find the items previously worked on. It keeps a history from the most recent tasks back to a few weeks ago (up to 30 days). Whether going back to an Internet search done some time ago or continuing with a document that was being read or edited, the Timeline application provides the functionality to do this.
For the forensic analyst this type of activity collection is very useful. The service is turned on by default and requires one to explicitly disable the functionality if the user does not wish to have their actions recorded. If the activity history is enabled, it may include such details as: which file was viewed and/or edited, which website was visited, the times at which all this occurred, etc.
The database storing the user's activity is the ActivitiesCache.db. Each user account has its own database, and it can be found in this location: C:\Users\<useracct>\AppData\Local\ConnectedDevicesPlatform\L.<useracct>\ActivitiesCache.db.
Below is the menu with the various options available:
![menu of options](./prototypes/tac/images/menu.png)
When looking at the parse results of tac, one can see which application was run, when it was run and how long it ran. The expiration time allows the timeline to keep only those items that fall within a set amount of time, so that the list of items stays manageable. There are many other fields used in the database that are not shown below; many of them still need to be studied to determine what they are and whether they are of forensic value.
![Sample subset output](./prototypes/tac/images/sample.subset.output.png)
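The database location given above and the fields tac reports (application, start time, run duration, expiration time) can be illustrated with a small parser. The following is an added example written for this page, not tac's own code: it assumes the publicly described layout of the `Activity` table in ActivitiesCache.db (the column names `AppId`, `ActivityType`, `StartTime`, `EndTime`, `ExpirationTime`, `Payload`, epoch-second timestamps, and the meaning of `ActivityType` values 5 and 6 are assumptions, not taken from this page) and builds a constructed in-memory sample database so it runs offline. It also shows the expiration check the text describes, treating a row whose `ExpirationTime` is in the past as one Timeline would no longer display.

```python
"""Minimal ActivitiesCache.db parser (added example; not tac's code)."""
import json
import sqlite3
from datetime import datetime, timezone

# Per-user database location as stated on the page (placeholder account name kept).
DEFAULT_PATH = (r"C:\Users\<useracct>\AppData\Local\ConnectedDevicesPlatform"
                r"\L.<useracct>\ActivitiesCache.db")

# Assumed subset of the real Activity table (constructed for this example).
SCHEMA = """
CREATE TABLE Activity (
    Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INT, LastModifiedTime INT,
    ExpirationTime INT, Payload BLOB, StartTime INT, EndTime INT
);
"""

# Assumed meaning of common ActivityType values (public research, not this page).
ACTIVITY_TYPES = {5: "OpenApp/File/Page", 6: "AppInUse/Focus"}

SAMPLE_NOW = 1705363200  # constructed reference time: 2024-01-16T00:00:00Z


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with three constructed rows (not real forensic data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    base = 1705309200  # 2024-01-15T09:00:00Z
    day = 86400
    app = lambda exe: json.dumps([{"application": exe, "platform": "x_exe_path"}])
    pay = lambda text: json.dumps({"displayText": text}).encode()
    rows = [
        # Id, AppId, ActivityType, LastModifiedTime, ExpirationTime, Payload, StartTime, EndTime
        (b"\x01" * 16, app("Microsoft.Office.WINWORD.EXE.15"), 6, base + 1800,
         base + 30 * day, pay("report.docx"), base, base + 1800),
        (b"\x02" * 16, app("notepad.exe"), 5, base + 60,
         base + 30 * day, pay("notes.txt"), base + 60, 0),          # no EndTime recorded
        (b"\x03" * 16, app("chrome.exe"), 6, base - 40 * day,
         base - 10 * day, pay("search"), base - 40 * day, base - 40 * day + 300),  # expired
    ]
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def _iso(epoch):
    """Epoch seconds -> ISO-8601 UTC; 0/NULL means the field was not recorded."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat() if epoch else None


def parse_activities(conn: sqlite3.Connection, now_epoch: int) -> list:
    """One dict per row: which app ran, when, for how long, and whether it has expired."""
    query = ("SELECT AppId, ActivityType, StartTime, EndTime, ExpirationTime, Payload "
             "FROM Activity ORDER BY StartTime")
    records = []
    for app_id, atype, start, end, expire, payload in conn.execute(query):
        try:  # AppId is a JSON list of {application, platform}; keep the row if malformed
            apps = json.loads(app_id) if app_id else []
            application = apps[0].get("application") if apps else None
        except (ValueError, AttributeError, IndexError):
            application = None
        try:
            display = json.loads(payload).get("displayText") if payload else None
        except (ValueError, AttributeError):
            display = None
        duration = (end - start) if (start and end and end >= start) else None
        records.append({
            "app": application,
            "type": ACTIVITY_TYPES.get(atype, f"unknown({atype})"),
            "display": display,
            "start": _iso(start),
            "end": _iso(end),
            "duration_s": duration,
            "expires": _iso(expire),
            "expired": bool(expire) and expire <= now_epoch,
        })
    return records


def unexpired(records: list) -> list:
    """Rows Timeline would still show: expiration time not yet reached."""
    return [r for r in records if not r["expired"]]


def open_db(path: str = DEFAULT_PATH) -> sqlite3.Connection:
    """Open a real copy of ActivitiesCache.db read-only (work on a copy, not the live file)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for rec in parse_activities(build_sample_db(), SAMPLE_NOW):
        print(rec)
```

Run against a real database by replacing `build_sample_db()` with `open_db(path_to_copy)`; the read-only URI open avoids modifying the evidence file, and rows with a zero `EndTime` are reported with no duration rather than a negative or bogus one.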
There is an experimental option in tac to try to recover records located in discarded, unused or slack space. The tool does this on a best-effort basis and is invoked with the -incl_slack option. Surprisingly, the number of recovered records can be significant in some cases. More information about how this is done is given in the user's guide.
For more information
The user's guide can be viewed here
If you would like more information about tac, contact us via email.
Downloads
| | Intel 32-bit Version | Intel 64-bit Version | ARM 64-bit Version | Checksums |
| --- | --- | --- | --- | --- |
| Windows: | tac32.v.0.34.win.zip | tac64.v.0.34.win.zip | tac64a.v.0.34.win.zip | md5/sha1 |
| Linux: | tac32.v.0.34.lin.tar.gz* | tac64.v.0.34.lin.tar.gz | tac64a.v.0.34.lin.tar.gz | md5/sha1 |
| Mac OS X: | Not Available | tac.v.0.34.dmg | tac.v.0.34.dmg | md5/sha1 |

*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.