.. generated, remove this comment to keep this file

``cam.history``
===============

.. code-block:: console

    $ target-query -f cam.history

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.cam.CamPlugin``
    * - Output
      - ``records``

**Module documentation**

Plugin that iterates various Capability Access Manager registry key locations.

**Function documentation**

Iterate Capability Access Manager History entries.

The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone.
Applications are divided into packaged and non-packaged applications, meaning Microsoft or non-Microsoft applications.

Since Windows 11, additional historical entries are available in a SQL database. Records are created from the following tables:

- NonPackagedUsageHistory
- PackagedUsageHistory
- NonPackagedIdentityRelationship
- NonPackagedGlobalPromptHistory

References:

- https://medium.com/@cyber.sundae.dfir/capability-access-manager-forensics-in-windows-11-f586ef8aac79

Yields ``CamUsageHistoryRecord``, ``CamIdentityRelationshipHistoryRecord`` or ``CamGlobalPromptHistoryRecord``:

Record CamUsageHistoryRecord:

.. code-block:: text

    last_used_time_stop (datetime): When the application last stopped using the capability.
    last_used_time_start (datetime): When the application last started using the capability.
    duration (varint): How long the application used the capability.
    package_type (string): The application type of the record, originates from the table name.
    capability (string): The capability being used; microphone, camera, location etc.
    file_id (string): The sha1 hash of the application making use of the capability.
    file_id_hash (digest): Digest version of the file_id field.
    access_blocked (string): If capability usage was allowed, 0 = Not blocked and 1 = blocked.
    program_id (string): Program ID of application, unclear what this value means.
    package_family_name (string): Package name of application using capability.
    access_guid (string): Unclear what the value of this is.
    label (string): Unclear what the value of this is, no joinable table with this ID.
    app_name (string): Name of the application using capability.
    binary_full_path (path): Path of the application using capability.
    service_name (string): Name of the service using capability.

Record CamIdentityRelationshipHistoryRecord:

.. code-block:: text

    last_observed_time (datetime): Last time capability was observed.
    package_type (string): The application type of the record, originates from the table name.
    file_id (string): The sha1 hash of the application making use of the capability.
    file_id_hash (digest): Digest version of the file_id field.
    program_id (string): Program ID of application, unclear what this value means.
    binary_full_path (path): Path of the application using capability.

Record CamGlobalPromptHistoryRecord:

.. code-block:: text

    shown_time (datetime): Last time capability was observed.
    package_type (string): The application type of the record, originates from the table name.
    capability (string): The capability being used; microphone, camera, location etc.
    file_id (string): The sha1 hash of the application making use of the capability.
    file_id_hash (digest): Digest version of the file_id field.
    program_id (string): Program ID of application, unclear what this value means.
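
The following is an added triage example, not part of the plugin or of dissect's own code. It groups rows shaped like ``CamUsageHistoryRecord`` per application and capability, using only field names documented above. The helper names, capability filter and sample rows are constructed assumptions, and usage time is derived from the two timestamps rather than from ``duration``.

```python
from collections import defaultdict
from datetime import datetime, timezone
from types import SimpleNamespace

def summarize_usage(records, capabilities=("microphone", "camera")):
    """Group usage-history rows per (application, capability)."""
    summary = defaultdict(
        lambda: {"allowed": 0, "blocked": 0, "seconds": 0.0, "last_stop": None}
    )
    for rec in records:
        if rec.capability not in capabilities:
            continue
        # Packaged apps carry a package family name, the rest a binary path.
        app = rec.package_family_name or str(rec.binary_full_path or "unknown")
        entry = summary[(app, rec.capability)]
        # access_blocked is a string: "0" = not blocked, "1" = blocked.
        if str(rec.access_blocked) == "1":
            entry["blocked"] += 1
            continue
        entry["allowed"] += 1
        start, stop = rec.last_used_time_start, rec.last_used_time_stop
        if start and stop and stop >= start:
            # Derived from the timestamps instead of the duration field.
            entry["seconds"] += (stop - start).total_seconds()
            if entry["last_stop"] is None or stop > entry["last_stop"]:
                entry["last_stop"] = stop
    return dict(summary)

def ts(hour, minute):
    """Build a UTC timestamp on a fixed, constructed date."""
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)

def row(capability, blocked, start, stop, package=None, path=None):
    """Stand-in for a record; real records expose the same attribute names."""
    return SimpleNamespace(
        capability=capability, access_blocked=blocked,
        last_used_time_start=start, last_used_time_stop=stop,
        package_family_name=package, binary_full_path=path,
    )

# Constructed sample rows, not taken from a real system.
REC_EXE = r"C:\Users\alice\AppData\Local\Temp\rec.exe"
SAMPLE = [
    row("microphone", "0", ts(9, 0), ts(9, 30), path=REC_EXE),
    row("microphone", "0", ts(22, 0), ts(22, 5), path=REC_EXE),
    row("camera", "1", ts(10, 0), ts(10, 0), package="Contoso.Example_abc123"),
    row("location", "0", ts(11, 0), ts(11, 1), package="Contoso.Example_abc123"),
]
```

Calling ``summarize_usage(SAMPLE)`` returns one entry per application and capability, with blocked attempts counted separately from allowed sessions.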