Windows 10 Activity Timeline parser
Introduced in Windows 10 April 2019 Update, Windows 10 Timeline stores user's recent activity; opened apps, documents, visited sites. The activity is stored in a SQLite database ActivitiesCache.db
located in \Users\%profile name%\AppData\Local\ConnectedDevicesPlatform\L.%profile name%\
.
This artifact can help examiners determine and profile user activity during forensic investigations, as interesting features of the activities runtime are stored inside the database.
Aion arguements are the Activity Timeline database and the timezone of the system that is being analyzed.
python3 aion.py -o report.csv ActivitiesCache.db Antarctica/Davis
- Optionally, the rendered output can be stored into a csv file to make analysis easier
- By default aion will also display the UTC
$ python3 aion.py -h
usage: aion.py [-h] [-o OUTPUT] f dbtz
positional arguments:
f ActivitiesCache file
dbtz Timezone of examined system
optional arguments:
-h, --help show this help message and exit
-o OUTPUT, --output OUTPUT
CSV filename to extract the raw database
One nice trick to list all available timezones:
for tz in pytz.all_timezones:
print tz