WindowsTimeline

[Update Log]

• New Digital Signature
• Updated package

MD5: 8551BD916973919503978168147CD4AB
SHA256: DC57AB744335A3F4EE0B499BDFF72F5D4B31D2D1C3979C3BBF4A7EAE82456576

Update :

• New Digital Signature
• Updated package

MD5: F5416897612BFD3CEEC13808FE524E20
SHA256: 87AF5824E86C20F13E6D45595E98801A63D2FF9AF4DED011066DF754652F5780

[Update Log]

• Small Improvement when loading large nr of entries
• Added audible (beep) tone for when the file is blank or not sqlite3/wal

[Change Log]

• New name for 'WindowsTimeline Clipboard Text Carver'
• Still a x64 application
• Added notify icon with context strip menu (right click menu)
• Changed icons

Update :
- Minor GUI fixes (e.g. dpi scaling)
- Some other minor fixes/updates

- Retrieves (carves) current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
- Displays offset of entry in the file & decoded text
- Allows Copy of a selection or all of the results
- Allows export to "|" separated CSV

          Example:
           - WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
           - ClipboardTextEntries.exe: 224 from the db & 19 from the db-wal

Update :
- Minor GUI fixes (e.g. dpi scaling)

Note: Duplicate entries could indicate that the clipboard text was in both 'Payload' & 'ClipboardPayload' fields.
Typically this occurs in synced entries, but this is not confirmed 100%.

  * Added Search option in Clipboard Text carver window to search the 'Copied Text' entries
  * Added Search option in Application Execution list window to search both 'Application' & 'Description' entries

Update :
- Added the option to search copied text items via a Search box:

• Noticeable speed improvement in data display/scrolling
• Added option to show a (sort-able) Application Execution list ('ActivityType' 5 entries) window,
  with just the following fields (inspired by @keydet89's blog post):
  • StartTime
  • Application
  • Description (file/url opened)
  • Name (Device Name from NTUser.dat) if available
  • DeviceType (from NTUser.dat) if available
• Save dialog now shows a confirmation popup that # files were saved.
  Saved output includes:
  • ApplicationExecutionTimeline.csv ('ActivityType' 5 entries list) if available
  • ClipboardHistory.csv ('ActivityType' 10 - clipboard text list) if available
  • DatabaseActivityPolicies.json (contents of the 'DatabaseActivityPolicies' field of the 'Metadata' table) if available
  • Device_info.txt (info on known device types)
  • File_Info.csv (OS info & MD5 hash of the ActivitiesCache... files)
  • Registry_devices.csv (Devices listed in NTUser.dat/HKLU) if available
  • WindowsTimeline.csv (the full parsed data from ActivitiesCache.db)
• Note: ClipboardHistory text carver has a separate save dialog option.

Note: Above 'availability' depends on the dB/registry entries

• Small GUI changes
• Now if there is a Timezone entry, the StartTime of that entry is checked against that Timezone's DST settings.
  If the StartTime is in Daylight Saving Time, the DST time difference (delta) is displayed in the 'DaylightOffset' column i.e. DST (+01:00)
• Experimental interpretation of 'IsRead' & 'UserActionState' fields (very limited data for testing)

• Added Hex Offset in the Clipboard text carver
• Added column with Clipboard Type info (in anticipation of upcoming Clipboard change)
• Updated estimation of Win10 version identification (based on the dB)
• Changed 1703/1709 queries to show more data
  (Win10 v1709 and earlier have the following line in the Smartlookup View query preventing display of deleted entries:)
  LEFT OUTER JOIN Activity ON ActivityOperation.Id = Activity.Id WHERE [O].[OperationType] <> 3

• Changed the queries so that all timestamps are (as they should be) in UTC
• Updated IANA/OLSON TimeZone support (does not account for Daylight savings)
• Included 'Clipboard Text Carver' option

NOTE: In previous 'WindowsTimeline parser' versions timestamps are in examiner's Local Time

Update :
- Added tooltips
- Changed Base64 conversion from ASCII to UTF8.

- Retrieves (carves) current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
- Displays offset of entry in the file & decoded text
- Allows Copy of a selection or all of the results
- Allows export to "|" separated CSV

          Example:
           - WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
           - ClipboardTextEntries.exe: 224 from the db & 19 from the db-wal

• Minor GUI scaling & file output fixes

• Quite a few updates/improvements, plus:

  • Show estimation of originating Win10 version in the status bar while processing
  • Added GMT representation of the Timezone (based on Olson/IANA lists) (does not account for Daylight savings)
  • Added option to view Clipboard history (if available) in a separate window
  • Added option to export Clipboard history (if available) separately in a CSV

• Added support for all ActivitiesCache.dbs (from 1709-2004+)
  done limited testing on 1709 dbs due to the scarcity of them
• Added some column info tooltips
• Many small improvements

• Minor fix

• Added support for 'ActivityEngagementFlags' in ActivityType 6 entries (Win10 v.2004+)
• Fixed error not displaying ParentActivityId

Added support for Device Type 16 (Windows 10 Tablet PC)
Added option to view All the Devices in the selected NTUser.dat in a popup
Added some coloring to ease viewing large dB sets

Note:
If you need/want to manually download "System.Data.SQLite"
the location of the downloads is https://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki
WindowsTimeline.exe looks for this file:
"C:\Program Files\System.Data.SQLite\2010\bin\System.Data.SQLite.dll"