WindowsTimeline Versions

Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)

v.2.0.77.0

3 years ago
  • Added Hex Offset in the Clipboard text carver
  • Added column with Clipboard Type info (in anticipation of upcoming Clipboard change)
  • Updated estimation of Win10 version identification (based on the db)
  • Changed 1703/1709 queries to show more data. In Win10 v1709 and earlier, the Smartlookup View query contains the following line, which prevents deleted entries from being displayed:
      LEFT OUTER JOIN Activity ON ActivityOperation.Id = Activity.Id WHERE [O].[OperationType] <> 3

v.2.0.75.0

3 years ago
  • Changed the queries so that all timestamps are (as they should be) in UTC
  • Updated IANA/Olson TimeZone support (does not account for daylight saving time)
  • Included 'Clipboard Text Carver' option

NOTE: In previous 'WindowsTimeline parser' versions, timestamps are in the examiner's local time

v1.0.4.0

3 years ago

  • Added tooltips
  • Changed Base64 conversion from ASCII to UTF8

v.1.0.2.0

3 years ago
- Retrieves (carves) current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
- Displays offset of entry in the file & decoded text
- Allows Copy of a selection or all of the results
- Allows export to "|" separated CSV

          Example:
           - WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
           - ClipboardTextEntries.exe: 224 from the db & 19 from the db-wal

v.2.0.74.0

3 years ago
  • Minor GUI scaling & file output fixes

v.2.0.72.0

3 years ago
  • Quite a few updates/improvements, plus:

    • Show estimation of originating Win10 version in the status bar while processing
    • Added GMT representation of the Timezone (based on Olson/IANA lists) (does not account for daylight saving time)
    • Added option to view Clipboard history (if available) in a separate window
    • Added option to export Clipboard history (if available) separately in a CSV

v.2.0.70.0

3 years ago
  • Added support for all ActivitiesCache.db versions (from 1709-2004+); only limited testing was done on 1709 dbs due to their scarcity
  • Added some column info tooltips
  • Many small improvements

v.2.0.67.0

3 years ago
  • Minor fix

v.2.0.64.0

3 years ago
  • Added support for 'ActivityEngagementFlags' in ActivityType 6 entries (Win10 v.2004+)
  • Fixed error not displaying ParentActivityId

v.2.0.63.0

3 years ago

  • Added support for Device Type 16 (Windows 10 Tablet PC)
  • Added option to view all the Devices in the selected NTUser.dat in a popup
  • Added some coloring to ease viewing large db sets

Note: If you need/want to manually download "System.Data.SQLite" the location of the downloads is https://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki
WindowsTimeline.exe looks for this file: "C:\Program Files\System.Data.SQLite\2010\bin\System.Data.SQLite.dll"