activitiescache
$ target-query <path/to/target> -f activitiescache
Module documentation
Plugin that parses the ActivitiesCache.db database (the store behind the Windows Timeline feature) on Windows 10 version 1803 and later.
Function documentation
Return ActivitiesCache.db database content.
The Windows Activities Cache database (ActivitiesCache.db) is the SQLite store behind the Windows Timeline feature. It keeps track of activity on a device, such as application and service usage, files opened and websites browsed, and can therefore be used to build a system timeline. It was introduced in Windows 10 version 1803 and is stored per user under %LOCALAPPDATA%\ConnectedDevicesPlatform\. Timestamps in the database are Unix epoch seconds; a value of 0 means the field was never set.
Currently the plugin only yields the database rows as flow.record records, without interpreting them further. Additional parsing (for example of the JSON in the app_id and payload fields) would ideally be added later.
Yields ActivitiesCacheRecords with the following fields:
hostname (string): The target hostname.
domain (string): The target domain.
start_time (datetime): StartTime field.
end_time (datetime): EndTime field.
last_modified_time (datetime): LastModifiedTime field.
last_modified_on_client (datetime): LastModifiedOnClient field.
original_last_modified_on_client (datetime): OriginalLastModifiedOnClient field.
expiration_time (datetime): ExpirationTime field.
app_id (string): AppId field, a JSON string listing the application's identifiers for several platforms or identifier types (for example a package name and an executable path).
enterprise_id (string): EnterpriseId field.
app_activity_id (string): AppActivityId field.
group_app_activity_id (string): GroupAppActivityId field.
group (string): Group field.
activity_type (int): ActivityType field.
activity_status (int): ActivityStatus field.
priority (int): Priority field.
match_id (int): MatchId field.
etag (int): ETag field.
tag (string): Tag field.
is_local_only (boolean): IsLocalOnly field.
created_in_cloud (datetime): CreatedInCloud field.
platform_device_id (string): PlatformDeviceId field.
package_id_hash (string): PackageIdHash field.
id (bytes): Id field.
payload (string): Payload field, a JSON string whose structure depends on activity_type (for example the opened file's URI for an open/launch activity, or a focus duration for an in-focus activity).
original_payload (string): OriginalPayload field.
clipboard_payload (string): ClipboardPayload field.
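Because the plugin deliberately leaves the rows uninterpreted, the step a practitioner has to do by hand is the one the module documentation only hints at: convert the epoch-second timestamps, decode the AppId and Payload JSON, and turn each Activity row into a timeline entry. The following is an added example written for this page, not code from the dissect plugin; it builds a constructed in-memory SQLite stand-in for ActivitiesCache.db using the real Activity column names, then parses it. The ActivityType labels (5 for open/launch, 6 for in focus) and the payload key names are taken from public Windows Timeline research and are assumptions for labelling only; the database contents are constructed, not captured from a real system.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Columns of the Activity table in ActivitiesCache.db that this example reads.
# The constructed sample database below mirrors these names; the real table
# has a few more (e.g. ParentActivityId).
ACTIVITY_COLUMNS = (
    "Id", "AppId", "PackageIdHash", "AppActivityId", "ActivityType", "ActivityStatus",
    "Tag", "Group", "MatchId", "LastModifiedTime", "ExpirationTime", "Payload",
    "Priority", "IsLocalOnly", "PlatformDeviceId", "CreatedInCloud", "StartTime",
    "EndTime", "LastModifiedOnClient", "GroupAppActivityId", "ClipboardPayload",
    "EnterpriseId", "OriginalPayload", "OriginalLastModifiedOnClient", "ETag",
)

# ActivityType values commonly reported in public Windows Timeline research.
# Assumption used for labelling only; verify against your own data.
ACTIVITY_TYPES = {5: "open/launch", 6: "in focus"}


def quoted(columns):
    """Double-quote identifiers so reserved words such as Group are safe in SQL."""
    return ", ".join(f'"{c}"' for c in columns)


def to_utc(epoch):
    """Timestamps in the database are Unix epoch seconds; 0/NULL means not set."""
    if not epoch:
        return None
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def decode_json(value):
    """AppId and Payload hold UTF-8 JSON (as TEXT or BLOB); return None if unparseable."""
    if value is None:
        return None
    if isinstance(value, (bytes, bytearray)):
        value = value.decode("utf-8", errors="replace")
    try:
        return json.loads(value)
    except ValueError:
        return None  # a damaged row should not abort the whole timeline


def app_name(app_id):
    """Return the first 'application' value from the AppId JSON list, if any."""
    for entry in app_id or []:
        if isinstance(entry, dict) and entry.get("application"):
            return entry["application"]
    return None


def parse_activities(conn):
    """Return one timeline entry per Activity row, ordered by StartTime."""
    sql = f"SELECT {quoted(ACTIVITY_COLUMNS)} FROM Activity ORDER BY StartTime"
    entries = []
    for row in conn.execute(sql):
        rec = dict(zip(ACTIVITY_COLUMNS, row))
        entries.append({
            "id": rec["Id"].hex() if rec["Id"] is not None else None,
            "start_time": to_utc(rec["StartTime"]),
            "end_time": to_utc(rec["EndTime"]),
            "last_modified_time": to_utc(rec["LastModifiedTime"]),
            "expiration_time": to_utc(rec["ExpirationTime"]),
            "activity_type": rec["ActivityType"],
            "activity_label": ACTIVITY_TYPES.get(rec["ActivityType"], "unknown"),
            "app": app_name(decode_json(rec["AppId"])),
            "payload": decode_json(rec["Payload"]),
            "is_local_only": bool(rec["IsLocalOnly"]),
        })
    return entries


def build_sample_db():
    """Constructed in-memory ActivitiesCache.db stand-in; not data from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE Activity ({quoted(ACTIVITY_COLUMNS)})")
    base = 1700000000  # constructed epoch base (2023-11-14 22:13:20 UTC)
    explorer = json.dumps([
        {"application": "Microsoft.Windows.Explorer", "platform": "windows_universal"},
        {"application": "C:\\Windows\\explorer.exe", "platform": "x_exe_path"},
    ])
    rows = [
        # Type 5: a file opened through Explorer; EndTime 0 = not set.
        dict(Id=bytes.fromhex("0f" * 16), AppId=explorer, ActivityType=5, IsLocalOnly=1,
             StartTime=base + 60, EndTime=0, LastModifiedTime=base + 60,
             ExpirationTime=base + 30 * 86400,
             Payload=json.dumps({"displayText": "budget.xlsx",
                                 "contentUri": "file:///C:/Users/alice/Documents/budget.xlsx",
                                 "appDisplayName": "File Explorer"}).encode()),
        # Type 6: focus record whose payload carries the active duration.
        dict(Id=bytes.fromhex("1a" * 16), AppId=explorer, ActivityType=6,
             StartTime=base + 120, EndTime=base + 162, LastModifiedTime=base + 162,
             Payload=json.dumps({"type": "UserEngaged", "activeDurationSeconds": 42}).encode()),
        # Damaged row: payload is not JSON and must not break parsing.
        dict(Id=bytes.fromhex("2b" * 16), AppId=explorer, ActivityType=6,
             StartTime=base + 300, Payload=b"\x00\xffnot-json"),
    ]
    sql = (f"INSERT INTO Activity ({quoted(ACTIVITY_COLUMNS)}) "
           f"VALUES ({', '.join(':' + c for c in ACTIVITY_COLUMNS)})")
    for r in rows:
        conn.execute(sql, {c: r.get(c) for c in ACTIVITY_COLUMNS})
    conn.commit()
    return conn


if __name__ == "__main__":
    for e in parse_activities(build_sample_db()):
        print(e["start_time"], e["activity_label"], e["app"], e["payload"])
```

To run this against a real artifact, replace build_sample_db() with sqlite3.connect() on a copy of the ActivitiesCache.db file (copy the -wal and -shm files alongside it so uncheckpointed rows are not lost). Unset timestamps come back as None rather than 1970-01-01, and a row with a corrupt Payload is kept with payload None instead of aborting the whole timeline.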