WindowsTimeline Versions Save

[Update Log]

• New Digital Signature
• Updated package

MD5: 8551BD916973919503978168147CD4AB SHA256: DC57AB744335A3F4EE0B499BDFF72F5D4B31D2D1C3979C3BBF4A7EAE82456576

Update :

• New Digital Signature
• Updated package

MD5: F5416897612BFD3CEEC13808FE524E20 SHA256: 87AF5824E86C20F13E6D45595E98801A63D2FF9AF4DED011066DF754652F5780

[Update Log]

• Small Improvement when loading large nr of entries
• Added audible (beep) tone for when the file is blank or not sqlite3/wal

[Change Log]

• New name for 'WindowsTimeline Clipboard Text Carver'
• Still a x64 application
• Added notify icon with context strip menu (right click menu)
• Changed icons

Update : - Minor GUI fixes (e.g. dpi scaling) - Some other minor fixes/updates

- Retrieves (carves) current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
- Displays offset of entry in the file & decoded text
- Allows Copy of a selection or all of the results
- Allows export to "|" separated CSV

          Example:
           - WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
           - ClipboardTextEntries.exe: 224 from the db & 19 from the db-wal

Update : - Minor GUI fixes (e.g. dpi scaling)

Note: Duplicate entries could indicate that the clipboard text was in both 'Payload' & 'ClipboardPayload' fields. Typically this occurs in synced entries, but this is not confirmed 100%.

  * Added Search option in Clipboard Text carver window to search the 'Copied Text' entries
  * Added Search option in Application Execution list window to search both 'Application' & 'Description' entries

Update : - Added the option to search copied text items via a Search box:

• Noticeable speed improvement in data display/scrolling
• Added option to show a (sort-able) Application Execution list ('ActivityType' 5 entries) window, with just the following fields (inspired by @keydet89's blog post):
  • StartTime
  • Application
  • Description (file/url opened)
  • Name (Device Name from NTUser.dat) if available
  • DeviceType (from NTUser.dat) if available
• Save dialog now shows a confirmation popup that # files were saved. Saved output includes:
  • ApplicationExecutionTimeline.csv ('ActivityType' 5 entries list) if available
  • ClipboardHistory.csv ('ActivityType' 10 - clipboard text list) if available
  • DatabaseActivityPolicies.json (contents of the 'DatabaseActivityPolicies' field of the 'Metadata' table) if available
  • Device_info.txt (info on known device types)
  • File_Info.csv (OS info & MD5 hash of the ActivitiesCache... files)
  • Registry_devices.csv (Devices listed in NTUser.dat/HKLU) if available
  • WindowsTimeline.csv (the full parsed data from ActivitiesCache.db)
• Note: ClipboardHistory text carver has a separate save dialog option.

Note: Above 'availability' depends on the dB/registry entries

• Small GUI changes
• Now if there is a Timezone entry, the StartTime of that entry is checked against that Timezone's DST settings. If the StartTime is in Daylight Saving Time, the DST time difference (delta) is displayed in the 'DaylightOffset' column i.e. DST (+01:00)
• Experimental interpretation of 'IsRead' & 'UserActionState' fields (very limited data for testing)