The Windows Timeline relies on the Connected Devices Platform Service (CDPSvc). This service continuously monitors user interactions with the GUI, applications, and browsers (specifically Microsoft Edge), logging these interactions locally before optionally syncing them to the Microsoft Cloud (if connected to an MSA or Azure AD account).
Because the database tracks human interaction, it is stored deep within the user’s specific profile.
C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\L.<username>\ActivitiesCache.dbActivitiesCache.db-wal and ActivitiesCache.db-shm) to ensure recently cached activities that haven’t been committed to the main database are successfully parsed.Opening the database in a viewer like DB Browser for SQLite reveals several tables. DFIR analysts must focus on bridging the data between the Activity and Activity_PackageId tables.
Activity Table
The core table containing every logged action.
Id: A unique GUID for the activity.AppId: Identifies the application used (links to the Activity_PackageId table).Payload: A massive JSON blob (often containing Base64 strings) with exact metadata about the file opened or URL visited.StartTime & EndTime: Epoch timestamps defining the exact duration of the interaction.Activity_PackageId Table
Acts as a lookup table. It translates the abstract AppId found in the Activity table into the actual executable path or UWP app name (e.g., C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE).
Recent research by Cellebrite has highlighted two critical components of ActivitiesCache.db that elevate it above standard execution artifacts.
PlatformDeviceId)If the compromised user is logged into a Microsoft Account (MSA), Windows syncs their timeline across all their devices.
Activity table includes a PlatformDeviceId field. If an attacker compromises an employee’s MSA credentials and logs in from an external, unauthorized machine, the attacker’s actions (files opened, tools run) on their machine might be synced down to the victim’s local ActivitiesCache.db. Analysts can differentiate local versus remote attacker activity by comparing the PlatformDeviceId strings.Windows 10/11 features a “Cloud Clipboard” (Win+V). If enabled, copied text is tracked by the CDPSvc.
ActivityOperation table or within specific Payload JSON blobs, analysts can find Base64-encoded strings labeled ClipboardPayload. Decoding this string can reveal exactly what the attacker copy-pasted during their session—exposing stolen passwords, cryptocurrency wallet addresses, or malicious PowerShell one-liners executed in the terminal.The Timeline database provides the “missing link” in complex investigations.
.exe executing at 14:05, the Timeline can show the user opening Microsoft Edge at 14:02, visiting a specific Dropbox URL, and downloading a .zip archive at 14:04. The entire attack vector is mapped in one artifact.ActivitiesCache.db for that specific administrator account.Because the Payload field contains nested JSON and Base64 encoded strings, manually reviewing the SQLite database via SQL queries is inefficient during a rapid triage. DFIR teams rely on automated parsing tools.
:: WxTCmd (Windows Timeline Command Line) parses the main DB and WAL files,:: decodes the JSON payloads, and outputs chronologically sorted CSVs.
WxTCmd.exe -f "C:\Forensics\Export\ActivitiesCache.db" --csv "C:\Forensics\Results"-- A basic SQLite query to manually extract the timeline if parsing tools failSELECT datetime(Activity.StartTime, 'unixepoch') AS StartTime_UTC, Activity_PackageId.PackageName AS Application, Activity.AppActivityId AS Target_File_or_URL, Activity.PayloadFROM ActivityLEFT JOIN Activity_PackageId ON Activity.AppId = Activity_PackageId.ActivityIdORDER BY StartTime_UTC DESC;