A Forensic Exploration of the Microsoft Windows 10 Timeline

Graeme Horsman, Alex Caithness, Costas Katsavounidis

    Research output: Contribution to journal › Article › peer-review


    The Microsoft Windows operating system continues to dominate the desktop computing market. With such high levels of usage comes an inferred likelihood of digital forensic practitioners encountering this platform during their investigations. As part of any forensic examination of a digital device, operating system artifacts that support the identification and understanding of how a user has behaved on their system provide a potential source of evidence. Now, following Microsoft's April 2018 build 1803 release with its incorporated "Timeline" feature, the potential for identifying and tracking user activity has increased. This work provides a timely examination of the Windows 10 Timeline feature, demonstrating the ability to recover activity-based content from within its stored database log files. Examination results and underpinning experimental methodologies are offered, demonstrating the ability to recover activity tile and process information in conjunction with the Windows Timeline. Further, an SQL query has been provided to support the interpretation of data stored within the ActivitiesCache.db.

    Original language: English
    Journal: Journal of Forensic Sciences
    Publication status: Published - 28 Jul 2018

