Skip to content
AIR Knowledge Base

Windows Timeline

Overview

Section titled “Overview”

Evidence: Windows Timeline
Description: Collect Windows Timeline
Category: System
Platform: windows
Short Name: tmln
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Section titled “Background”

Windows Timeline (ActivitiesCache.db) tracks user activities like app usage and file access. This data is essential for reconstructing user behavior and sequences of actions.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about windows timeline.

Collection Method

Section titled “Collection Method”

This collector copies ActivitiesCache.db from user profiles, queries the Activity table, and records normalized fields into timeline.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations as it provides rich user activity telemetry for timeline analysis.