r's computer, criminologists often use different types of timeline.
Typically, a timeline is a large text file or table that contains chronological information about events that occurred on a computer.
Processing media to build such a timeline (for example, with Plaso) is a time-consuming process. Therefore, computer forensic examiners were very pleased to learn that the next Windows 10 update would include new functionality: Windows 10 Timeline.
"When I first learned about the new Windows feature, I thought: 'Great! Now you don't have to waste time generating timelines.' However, as it turned out, my joy was premature," admits Igor Mikhailov, a specialist in the Group-IB Computer Forensics Laboratory. Igor explains how Windows 10 Timeline, a new kind of Windows 10 artifact, relates to traditional timelines, and what information it contains.
Igor Mikhailov.
As mentioned, Windows 10 introduced a new feature called "Windows 10 Timeline" (or simply Timeline) in the April 2018 update. It lets the user review their activity on the computer and quickly return to previously opened documents and programs, previously viewed videos and pictures, and websites. To open Windows 10 Timeline, click this icon:
After that, thumbnails of the programs, documents and sites that were opened today or some time ago become available:
- Some apps are not displayed in Timeline
- Some of the data from Timeline (earlier data) is transferred to the Microsoft cloud
Thus, the information that can be obtained by analyzing Windows 10 Timeline differs from the timelines familiar to examiners, which contain more complete information about the events that took place on the computer under examination.
Windows 10 Timeline should not be confused with the timelines created by forensic utilities.
For example, timelines created by Autopsy, Belkasoft Evidence Center and AXIOM contain significantly more records of the various activities of the user of the computer under examination than Windows 10 Timeline does.
To activate Windows 10 Timeline, the computer user goes to the Settings section of the operating system, selects the Privacy category and then the Activity history subcategory, and ticks the boxes next to:
- Let Windows collect my activities from this PC
- Let Windows sync my activities from this PC to the cloud
Information about user activity in Windows 10 Timeline is stored in the file ActivitiesCache.db at the path \Users\%profile name%\AppData\Local\ConnectedDevicesPlatform\L.%profile name%\.
The ActivitiesCache.db file is an SQLite (version 3) database.
As with any SQLite database, it is accompanied by two auxiliary files, ActivitiesCache.db-shm and ActivitiesCache.db-wal.
Anatomy of Windows 10 Timeline
ActivitiesCache.db contains the following tables: Activity, Activity_PackageId, ActivityAssetCache, ActivityOperation, AppSettings, ManualSequence, Metadata.
The most interesting for the examiner are the Activity_PackageId and Activity tables.
The Activity_PackageId table contains records for applications that include the paths of executable files (e.g. c:\programdata\firefly studios\stronghold kingdoms\2.0.32.1\strongholdkingdoms.exe), the names of the executable files, and the expiration date of these records. The values in the Expiration Time column are stored in Epoch Time format. Entries in the Activity_PackageId table are kept for 30 days and may contain information about executable files or documents that are no longer on the hard drive under examination.
The Activity table has the following fields: Id, AppId, PackageIdHash, AppActivityId, ActivityType, ActivityStatus, ParentActivityId, Tag, Group, MatchId, LastModifiedTime, ExpirationTime, Payload, Priority, IsLocalOnly, PlatformDeviceId, CreatedInCloud, StartTime, EndTime, LastModifiedOnClient, GroupAppActivityId, ClipboardPayload, EnterpriseId, OriginalLastModifiedOnClient, ETag.
It contains as many as five timestamps: LastModifiedTime, ExpirationTime, StartTime, EndTime and LastModifiedOnClient (this last field can be empty; it is filled in if the file referred to by the table entry has been modified by the computer user).
This table also contains the paths of executed files, for example F:\NirSoft\x64\USBDeview.exe.
Gary Hunter (pr3cur50r), in "Windows 10 Timeline - Initial Review of Forensic Artefacts", notes that for deleted files the timestamp values do not change. For modified documents the timestamp values do not change immediately, but within 24 hours.
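The following script is an added example, not code from the article or from Group-IB, showing how an examiner can read an ActivitiesCache.db copy with Python's standard sqlite3 module, convert the Epoch Time columns, join the Activity rows to the executable paths in Activity_PackageId, and mark entries that have passed their ExpirationTime or carry a LastModifiedOnClient value. The schema it creates is a constructed, reduced subset of the real tables (only the columns the script reads, with an assumed ActivityId join column), and all rows are constructed samples; the function names are this example's own.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def epoch_to_iso(value):
    """Convert an Epoch Time (Unix seconds) column value to an ISO-8601 UTC string.
    NULL or 0 means the field was never set (e.g. LastModifiedOnClient)."""
    if not value:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sidecar_files(db_path):
    """Return the -wal/-shm companions that exist beside the database.
    Records not yet checkpointed live in the -wal file, so all three files are
    acquired together; opening the .db alone may miss the most recent activity."""
    return [p for p in (db_path + "-wal", db_path + "-shm") if os.path.exists(p)]


def create_sample_db(db_path):
    """Build a CONSTRUCTED ActivitiesCache.db with a reduced schema (assumption):
    only the columns this example reads are present, and Activity_PackageId is
    joined to Activity through an ActivityId column."""
    day = 86400
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE Activity (
            Id TEXT PRIMARY KEY, ActivityType INTEGER, StartTime INTEGER,
            EndTime INTEGER, LastModifiedTime INTEGER, ExpirationTime INTEGER,
            LastModifiedOnClient INTEGER);
        CREATE TABLE Activity_PackageId (
            ActivityId TEXT, Platform TEXT, PackageName TEXT, ExpirationTime INTEGER);
    """)
    # Id, ActivityType, StartTime, EndTime, LastModifiedTime, ExpirationTime, LastModifiedOnClient
    activities = [
        ("A1", 5, 1557300000, 1557303600, 1557303600, 1557300000 + 30 * day, 0),
        ("A2", 5, 1557310000, 1557310900, 1557310900, 1557310000 + 30 * day, 1557310500),
        ("A3", 5, 1556000000, 1556003600, 1556003600, 1556000000 + 30 * day, 0),
    ]
    con.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", activities)
    # Platform tag and executable paths are illustrative; the paths echo the article's examples
    packages = [
        ("A1", "x_exe_path", r"c:\programdata\firefly studios\stronghold kingdoms\2.0.32.1\strongholdkingdoms.exe", 1557300000 + 30 * day),
        ("A2", "x_exe_path", r"C:\Windows\System32\notepad.exe", 1557310000 + 30 * day),
        ("A3", "x_exe_path", r"F:\NirSoft\x64\USBDeview.exe", 1556000000 + 30 * day),
    ]
    con.executemany("INSERT INTO Activity_PackageId VALUES (?,?,?,?)", packages)
    con.commit()
    con.close()


def build_timeline(db_path, now):
    """Return Activity rows in chronological order with converted timestamps.
    `now` (Epoch seconds) is the reference point for deciding whether an entry
    has outlived its ExpirationTime but is still physically present in the table."""
    con = sqlite3.connect(db_path)
    sql = """SELECT a.Id, a.StartTime, a.EndTime, a.LastModifiedTime, a.ExpirationTime,
                    a.LastModifiedOnClient, p.PackageName
             FROM Activity a LEFT JOIN Activity_PackageId p ON p.ActivityId = a.Id
             ORDER BY a.StartTime"""
    timeline = []
    for aid, start, end, lastmod, expiry, on_client, package in con.execute(sql):
        timeline.append({
            "id": aid,
            "start": epoch_to_iso(start),
            "end": epoch_to_iso(end),
            "last_modified": epoch_to_iso(lastmod),
            "expires": epoch_to_iso(expiry),
            "modified_by_user": bool(on_client),   # LastModifiedOnClient set only on user edits
            "expired": bool(expiry) and expiry < now,
            "executable": package,
        })
    con.close()
    return timeline


def demo():
    """Create the constructed database in a temporary directory and parse it."""
    db_path = os.path.join(tempfile.mkdtemp(), "ActivitiesCache.db")
    create_sample_db(db_path)
    return {"sidecars": sidecar_files(db_path), "timeline": build_timeline(db_path, now=1559000000)}


if __name__ == "__main__":
    for row in demo()["timeline"]:
        print(row)
```

Against a real acquisition, point `build_timeline` at the copied ActivitiesCache.db (with its -wal and -shm files placed beside it) and pass the acquisition time as `now`; the `expired` flag then highlights records past their 30-day window that the system had not yet purged, which often describe files that no longer exist on the disk.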
The easiest way to view the data contained in ActivitiesCache.db is to use an SQLite database viewer, for example the free DB Browser for SQLite.
The second utility we recommend using is WxTCmd (Windows 10 Timeline database parser).
A view of this file, opened in Excel.
The third utility we recommend is Magnet Forensics' AXIOM. For the program to analyze this artifact, you must select it in the "Select artifacts to include in case" section.
Results from ActivitiesCache.db in AXIOM.
Another program we recommend for analyzing such files is Belkasoft Evidence Center.
After adding a data source (hard drive, logical drive, directory, or file) in the Add data source window, select Windows Timeline in the System Files section.
This is what the results of the data extraction look like:
Windows 10 Timeline in computer forensics: use in practice
Data contained in Windows 10 Timeline can be used to investigate incidents or data leaks.
As an example, here is a snippet of data from the ActivitiesCache.db of a computer attacked by hackers: As the screenshot shows, the attackers uploaded TeamViewer to the victim's computer, as well as a file from the sendspace.com file-sharing service, Mimikatz.
Analysis of the events saved in Windows 10 Timeline shows that the attackers opened the TeamViewer log (file TeamViewer14_Logfile.log) in Notepad (notepad.exe). It is possible that the information in this file was deleted or modified.
And here is another example. As you can see, very unusual files were run on the computer. Someone was probably trying to gather information about the computer user.
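The check below is an added example and not part of the article: it turns the observation above (a text editor opening a remote-access tool's log file, which may indicate log tampering) into a rule that runs over parsed Timeline records and returns the other activities recorded shortly before and after each hit, so the examiner sees what was launched around the suspicious edit. The records are constructed in the shape a Timeline parser could emit (an assumption, not any specific tool's output format); the editor list, the `.log` suffix rule and the function names are this example's own, and the rule generalises beyond the article's single Notepad/TeamViewer case to any editor and any log file.

```python
from datetime import datetime, timedelta

# Constructed records in the shape a Timeline parser could emit (assumption):
# start (ISO-8601 UTC), executable that was launched, document it opened (or None).
SAMPLE_RECORDS = [
    {"id": "T1", "start": "2019-05-08T07:20:00Z",
     "executable": r"C:\Users\victim\Downloads\TeamViewer_Setup.exe", "document": None},
    {"id": "T2", "start": "2019-05-08T07:35:00Z",
     "executable": r"C:\Users\victim\Downloads\mimikatz.exe", "document": None},
    {"id": "T3", "start": "2019-05-08T07:50:00Z",
     "executable": r"C:\Windows\System32\notepad.exe",
     "document": r"C:\Users\victim\AppData\Roaming\TeamViewer\TeamViewer14_Logfile.log"},
    {"id": "T4", "start": "2019-05-08T09:30:00Z",
     "executable": r"C:\Windows\System32\notepad.exe",
     "document": r"C:\Users\victim\Documents\notes.txt"},
    {"id": "T5", "start": "2019-05-07T18:00:00Z",
     "executable": r"C:\Program Files\Mozilla Firefox\firefox.exe", "document": None},
]

# Hypothetical editor list for this example; extend for the environment under examination
TEXT_EDITORS = {"notepad.exe", "notepad++.exe", "wordpad.exe"}


def _basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_log_edit(record):
    """True when a text editor opened a .log file (possible log tampering)."""
    doc = record.get("document")
    return bool(doc) and doc.lower().endswith(".log") and _basename(record["executable"]) in TEXT_EDITORS


def find_log_edits(records, window_minutes=30):
    """Flag log-file edits and attach the ids of every other activity that started
    within +/- window_minutes of the edit, in chronological order, as context."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(records, key=lambda r: _parse_time(r["start"]))
    hits = []
    for rec in ordered:
        if not is_log_edit(rec):
            continue
        t0 = _parse_time(rec["start"])
        context = [o["id"] for o in ordered
                   if o["id"] != rec["id"] and abs(_parse_time(o["start"]) - t0) <= window]
        hits.append({"activity": rec["id"], "start": rec["start"],
                     "document": rec["document"], "context": context})
    return hits


if __name__ == "__main__":
    for hit in find_log_edits(SAMPLE_RECORDS):
        print(hit)
```

On the constructed data the rule flags T3 (Notepad opening TeamViewer14_Logfile.log) and lists T1 and T2 as the activities in the preceding half hour, while the ordinary Notepad session on a .txt file (T4) is not reported. Narrowing `window_minutes` trims the context; the hit itself is unaffected.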