timeline-activities

Parses the ActivitiesCache.db file from Windows 10 to retrieve Timeline activity history. This file contains activity records such as programs executed by the user, documents opened, and web pages visited.

Command properties

| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |

Syntax

timeline-activities FILE_PATH

Target

FILE_PATH
Path to the ActivitiesCache.db file to query. On Windows 10, this file is located inside the C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform directory.

Output fields

| Field | Type | Description |
|---|---|---|
| id | binary | Unique activity identifier |
| executable | string | Executable file path. Extracted from the first element of the AppId JSON array (e.g., {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe) |
| activity_type | string | Activity type. ExecuteOpen (5): program execution, InFocus (6): focus activation, CopyPaste (16): clipboard copy/paste |
| payload_app_display_name | string | App display name (e.g., Command Prompt) |
| payload_display_text | string | Activity display text |
| payload_description | string | Activity description |
| payload_active_duration | integer | Active duration (seconds) |
| start_time | timestamp | Activity start time |
| end_time | timestamp | Activity end time. Returns null if the activity has not ended. |
| last_modified_time | timestamp | Last modified time |
| last_modified_on_client | timestamp | Last modified time on the client |
| expiration_time | timestamp | Expiration time |
| priority | integer | Priority |
| activity_status | integer | Activity status |
| user_action_state | integer | User action state |
| created_in_cloud | integer | Whether the activity was created in the cloud |
| is_read | integer | Whether the activity has been read |
| is_local_only | integer | Whether the activity is local-only |
| etag | integer | ETag value |
| group_app_activity_id | string | Group app activity identifier |
| app_activity_id | string | App activity identifier |
| parent_activity_id | binary | Parent activity identifier |
| package_id_hash | string | Package ID hash |
| platform_device_id | string | Platform device identifier |
| payload_activation_uri | string | Activation URI |
| payload_background_color | string | Background color |
| payload_content_uri | string | Content URI |
| payload_type | string | Payload type |
| payload_user_timezone | string | User time zone |
| payload_reporting_app | string | Reporting app |
| clipboard_payload | string | Clipboard payload |
| tag | string | Tag |

Error codes

Parsing errors

N/A

Runtime errors

N/A

Description

The timeline-activities command opens the specified ActivitiesCache.db file as a SQLite database and retrieves records from the Activity table. The Windows 10 Timeline records activities performed by the user, such as program execution, document opening, and web browsing.

The AppId column is stored in JSON array format. The command extracts the executable file path from the application field of the first element and assigns it to the executable field. The ActivityType column's integer values are converted to meaningful strings. The Payload column is stored in JSON format, and details such as app display name, display text, and active duration are separated into individual fields.

Date fields are converted from Unix timestamps (in seconds) to timestamp type. If end_time is 0, null is assigned.
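The normalization described above, as an added Python example for cross-checking the command's output against the raw database; it is not Logpresso's code. The StartTime and EndTime column names and the appDisplayName and activeDurationSeconds payload keys are assumptions about the ActivitiesCache.db schema, and the in-memory table and its rows are constructed sample data.

```python
import json
import sqlite3
from datetime import datetime, timezone

ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus", 16: "CopyPaste"}  # from the field table

def to_ts(epoch):
    """Unix seconds -> UTC datetime; 0 or NULL becomes None (activity not ended)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc) if epoch else None

def load_json(value, default):
    """Decode a JSON column stored as TEXT or BLOB; fall back on bad input."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    try:
        parsed = json.loads(value) if value else default
    except ValueError:
        return default
    return parsed if isinstance(parsed, type(default)) else default

def normalize(row):
    """Map one raw Activity row to a subset of the documented output fields."""
    app_ids = load_json(row["AppId"], [])
    first = app_ids[0] if app_ids and isinstance(app_ids[0], dict) else {}
    payload = load_json(row["Payload"], {})
    return {
        "executable": first.get("application"),
        # Unmapped codes are kept as their number (a choice made in this example).
        "activity_type": ACTIVITY_TYPES.get(row["ActivityType"], str(row["ActivityType"])),
        "payload_app_display_name": payload.get("appDisplayName"),        # assumed key
        "payload_active_duration": payload.get("activeDurationSeconds"),  # assumed key
        "start_time": to_ts(row["StartTime"]),  # assumed column name
        "end_time": to_ts(row["EndTime"]),      # assumed column name
    }

def read_activities(conn):
    conn.row_factory = sqlite3.Row
    sql = "SELECT AppId, ActivityType, Payload, StartTime, EndTime FROM Activity ORDER BY StartTime"
    return [normalize(r) for r in conn.execute(sql)]

def build_sample():  # constructed in-memory stand-in for ActivitiesCache.db
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INT, Payload BLOB, StartTime INT, EndTime INT)")
    cmd = json.dumps([{"application": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"}])
    pay = json.dumps({"appDisplayName": "Command Prompt", "activeDurationSeconds": 60}).encode()
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?)", [
        (cmd, 5, b"{}", 1735689600, 0),         # EndTime 0: activity not ended
        (cmd, 6, pay, 1735689660, 1735689720),
        ("not json", 99, None, 1735689800, 0),  # damaged AppId, unmapped type code
    ])
    return conn
```

To run it against a working copy of real evidence, pass `sqlite3.connect("file:ActivitiesCache.db?mode=ro", uri=True)` to `read_activities` so the file is opened read-only.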

This command does not support querying files inside a ZIP archive.

Examples

  1. Query an ActivitiesCache.db file

    timeline-activities /opt/logpresso/evidence/ActivitiesCache.db
    

    Retrieves all Timeline activities from the ActivitiesCache.db file at the specified path.

  2. Filter program execution history

    timeline-activities /opt/logpresso/evidence/ActivitiesCache.db
    | search activity_type == "ExecuteOpen"
    

    Filters for activities of the program execution (ExecuteOpen) type only.

  3. Retrieve activities for a specific period

    timeline-activities /opt/logpresso/evidence/ActivitiesCache.db
    | search start_time >= date("2025-01-01", "yyyy-MM-dd")
    | sort start_time
    

    Retrieves activities that occurred on or after January 1, 2025, sorted by start time.