dissect.target.plugins.os.windows.activitiescache

Module Contents

Classes

ActivitiesCachePlugin

Plugin that parses the ActivitiesCache.db on newer Windows 10 machines.

Functions

mkts

Timestamps inside ActivitiesCache.db are stored in a Unix-like format.

Attributes

dissect.target.plugins.os.windows.activitiescache.ActivitiesCacheRecord

class dissect.target.plugins.os.windows.activitiescache.ActivitiesCachePlugin(target)

Bases: dissect.target.plugin.Plugin

Plugin that parses the ActivitiesCache.db on newer Windows 10 machines.

References

https://www.cclsolutionsgroup.com/resources/technical-papers
https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/

check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target), for example by checking whether a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

activitiescache()

Return ActivitiesCache.db database content.

The Windows Activities Cache database keeps track of activity on a device, such as application and service usage, files opened, and websites browsed. This database file can therefore be used to build a system timeline. It was first introduced in Windows 10 version 1803.

Currently this only puts the database records straight into flow records; ideally some additional parsing is done on them later.

References

Yields ActivitiesCacheRecords with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
start_time (datetime): StartTime field.
end_time (datetime): EndTime field.
last_modified_time (datetime): LastModifiedTime field.
last_modified_on_client (datetime): LastModifiedOnClient field.
original_last_modified_on_client (datetime): OriginalLastModifiedOnClient field.
expiration_time (datetime): ExpirationTime field.
app_id (string): AppId field, a JSON string containing multiple types of app name definitions.
enterprise_id (string): EnterpriseId field.
app_activity_id (string): AppActivityId field.
group_app_activity_id (string): GroupAppActivityId field.
group (string): Group field.
activity_type (int): ActivityType field.
activity_status (int): ActivityStatus field.
priority (int): Priority field.
match_id (int): MatchId field.
etag (int): ETag field.
tag (string): Tag field.
is_local_only (boolean): IsLocalOnly field.
created_in_cloud (datetime): CreatedInCloud field.
platform_device_id (string): PlatformDeviceId field.
package_id_hash (string): PackageIdHash field.
id (bytes): Id field.
payload (string): Payload field, a JSON string containing payload data that varies per type.
original_payload (string): OriginalPayload field.
clipboard_payload (string): ClipboardPayload field.

dissect.target.plugins.os.windows.activitiescache.mkts(ts)

Timestamps inside ActivitiesCache.db are stored in a Unix-like format.

Source: https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
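As an added example (not dissect.target's own code), the Unix-like timestamp conversion described above, applied to rows of a constructed in-memory stand-in for the ActivitiesCache.db Activity table; the column names follow the field list on this page, the `mkts` helper and the `activity_records` reader are assumptions of this example, and the sample AppId JSON is constructed, not a real capture.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Activity table timestamp columns (as listed on this page) and their record field names.
TIME_FIELDS = {
    "StartTime": "start_time",
    "EndTime": "end_time",
    "LastModifiedTime": "last_modified_time",
    "ExpirationTime": "expiration_time",
}


def mkts(ts):
    """Convert Unix epoch seconds to an aware UTC datetime.

    Unset timestamps are stored as 0/NULL; map them to None rather than
    1970-01-01, which would otherwise pollute a system timeline.
    """
    if not ts:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def activity_records(conn):
    """Yield one dict per Activity row with parsed timestamps and AppId JSON."""
    conn.row_factory = sqlite3.Row
    cols = ", ".join(("Id", "AppId", "ActivityType", *TIME_FIELDS))  # constant, not user input
    for row in conn.execute(f"SELECT {cols} FROM Activity"):
        rec = {"id": row["Id"], "activity_type": row["ActivityType"]}
        for col, field in TIME_FIELDS.items():
            rec[field] = mkts(row[col])
        try:  # AppId is a JSON string; keep the raw value if it does not parse
            rec["app_id"] = json.loads(row["AppId"]) if row["AppId"] else None
        except json.JSONDecodeError:
            rec["app_id"] = row["AppId"]
        yield rec


def build_sample_db():
    """Constructed in-memory Activity table (sample data, not a real ActivitiesCache.db)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INTEGER, StartTime INTEGER, "
        "EndTime INTEGER, LastModifiedTime INTEGER, ExpirationTime INTEGER)"
    )
    app_id = '[{"application": "notepad.exe", "platform": "x_exe_path"}]'  # constructed
    # 1525305600 = 2018-05-03T00:00:00Z; ExpirationTime 0 means "not set".
    conn.execute("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (b"\x01" * 16, app_id, 5, 1525305600, 1525305660, 1525305660, 0))
    conn.commit()
    return conn
```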