$ target-query <path/to/target> -f activitiescache

Module documentation

Plugin that parses the ActivitiesCache.db on newer Windows 10 machines.


Function documentation

Return ActivitiesCache.db database content.

The Windows Activities Cache database keeps track of activity on a device, such as application and service usage, files opened, and websites browsed. This database file can therefore be used to build a system timeline. It was first introduced in Windows 10 1803.

Currently the plugin only puts the database records straight into Flow Records; ideally, additional parsing is added to this later.

Yields ActivitiesCacheRecords with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
start_time (datetime): StartTime field.
end_time (datetime): EndTime field.
last_modified_time (datetime): LastModifiedTime field.
last_modified_on_client (datetime): LastModifiedOnClient field.
original_last_modified_on_client (datetime): OriginalLastModifiedOnClient field.
expiration_time (datetime): ExpirationTime field.
app_id (string): AppId field, JSON string containing multiple types of app name definitions.
enterprise_id (string): EnterpriseId field.
app_activity_id (string): AppActivityId field.
group_app_activity_id (string): GroupAppActivityId field.
group (string): Group field.
activity_type (int): ActivityType field.
activity_status (int): ActivityStatus field.
priority (int): Priority field.
match_id (int): MatchId field.
etag (int): ETag field.
tag (string): Tag field.
is_local_only (boolean): IsLocalOnly field.
created_in_cloud (datetime): CreatedInCloud field.
platform_device_id (string): PlatformDeviceId field.
package_id_hash (string): PackageIdHash field.
id (bytes): Id field.
payload (string): Payload field. JSON string containing payload data, varies per type.
original_payload (string): OriginalPayload field.
clipboard_payload (string): ClipboardPayload field.
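As an added example (not part of the plugin or this page), the kind of additional parsing the text says is still missing: decoding the app_id and payload JSON strings of each record and ordering the records by start_time into a timeline, tolerating a malformed JSON field. The records are constructed, and the {"application", "platform"} layout of the app_id list and the "displayText" payload key are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed records shaped like activitiescache plugin output (not real data).
# app_id layout and the "displayText" payload key are assumptions for this example.
SAMPLE_RECORDS = [
    {
        "start_time": datetime(2023, 5, 1, 9, 15, tzinfo=timezone.utc),
        "end_time": datetime(2023, 5, 1, 9, 45, tzinfo=timezone.utc),
        "activity_type": 5,
        "app_id": json.dumps([
            {"application": "C:\\Windows\\notepad.exe", "platform": "x_exe_path"},
            {"application": "Microsoft.Notepad", "platform": "packageId"},
        ]),
        "payload": json.dumps({"displayText": "notes.txt"}),
    },
    {
        "start_time": datetime(2023, 5, 1, 8, 0, tzinfo=timezone.utc),
        "end_time": None,
        "activity_type": 6,
        "app_id": "{truncated",  # malformed JSON must not abort the timeline
        "payload": None,
    },
]

def load_json(value):
    """Decode a JSON field; return None for an empty or malformed value."""
    if not value:
        return None
    try:
        return json.loads(value)
    except ValueError:
        return None

def parse_activity(record):
    """Flatten one record: decode app_id and payload into a timeline entry."""
    apps = load_json(record["app_id"]) or []
    # platform -> application, one entry per definition in the app_id list
    applications = {a["platform"]: a["application"] for a in apps if isinstance(a, dict)}
    payload = load_json(record["payload"]) or {}
    return {
        "start": record["start_time"],
        "end": record["end_time"],
        "type": record["activity_type"],
        "applications": applications,
        "display_text": payload.get("displayText"),
    }

def build_timeline(records):
    """Parse every record and order the entries chronologically by start_time."""
    return sorted((parse_activity(r) for r in records), key=lambda e: e["start"])
```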