ActivitiesCache Autopsy Plugin

markmckinnon
2 min read · Dec 6, 2018

The ActivitiesCache.db was introduced in Windows 10 version 1803. You can read more details about the database here and here. Eric Zimmerman has also released a standalone tool that parses this database, and you can read about that here. Now Autopsy has the ability to parse this database for each user and display the information contained in it.

What the plugin does is search for each user's ActivitiesCache.db, export it along with the associated WAL file, pull the contents out and display them in Autopsy. The content is displayed under “Activities Cache Timeline DB” in the Extracted Content area.

Extracted Content

Once the ActivitiesCache.db file for each user has been parsed, the records are displayed in the table view for that user. You can see this below.

Table View

For each record you will be able to see the following information.

As you can see from the above record, two (2) fields are in JSON format. Instead of parsing out the information in the JSON format, I decided to keep it all and let you look to see what is important in those fields. You can see there is also a lot of useful timestamp information.
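As an added illustration of the export-then-parse approach described above (this is not the plugin's own code), the following Python copies a user's ActivitiesCache.db together with its -wal and -shm sidecars, then reads the copy and decodes the two JSON fields and the epoch timestamps. The column subset of the Activity table, the assumption that the timestamps are Unix epoch seconds, and the sample rows are all assumptions or constructed data, not taken from the post.

```python
import json
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

COLUMNS = ("AppId", "ActivityType", "LastModifiedTime", "StartTime", "EndTime", "Payload")  # assumed subset of the real table

def export_db(src_db: Path, dest_dir: Path) -> Path:
    """Copy the database with its -wal/-shm sidecars: rows not yet checkpointed exist only in the WAL."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    for suffix in ("", "-wal", "-shm"):
        side = src_db.with_name(src_db.name + suffix)
        if side.exists():
            shutil.copy2(side, dest_dir / side.name)
    return dest_dir / src_db.name

def _json_or_raw(value):
    try:
        return json.loads(value) if value else None
    except ValueError:
        return value  # not JSON: hand the raw content to the examiner untouched

def _decode(rec: dict) -> dict:
    rec["AppId"], rec["Payload"] = _json_or_raw(rec["AppId"]), _json_or_raw(rec["Payload"])
    for col in ("LastModifiedTime", "StartTime", "EndTime"):  # assumed Unix epoch seconds; 0/NULL = unset
        rec[col] = datetime.fromtimestamp(rec[col], tz=timezone.utc).isoformat() if rec[col] else None
    return rec

def parse_activities(db_copy: Path) -> list:
    con = sqlite3.connect(str(db_copy))  # query the exported copy, never the original
    rows = con.execute(f"SELECT {', '.join(COLUMNS)} FROM Activity ORDER BY LastModifiedTime").fetchall()
    con.close()
    return [_decode(dict(zip(COLUMNS, row))) for row in rows]

def demo() -> list:
    """Constructed sample: two rows committed in WAL mode with the writer still open, then exported and parsed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ActivitiesCache.db")
        writer = sqlite3.connect(str(src))
        writer.executescript(f"CREATE TABLE Activity ({', '.join(COLUMNS)}); PRAGMA journal_mode=WAL;")
        writer.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?)", [
            ('[{"application": "notepad.exe", "platform": "windows_win32"}]', 5, 1544054400, 1544054400,
             1544054460, b'{"displayText": "notes.txt", "contentUri": "file:///C:/Users/user/Desktop/notes.txt"}'),
            ('[{"application": "calc.exe", "platform": "windows_win32"}]', 6, 1544054500, 1544054500, 0, None)])
        writer.commit()
        records = parse_activities(export_db(src, Path(tmp, "export")))
        writer.close()
        return records
```

Because the writer connection is still open in `demo()`, the inserted rows live only in the WAL when the copy is taken, which is exactly why the sidecar files must travel with the database.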

The plugin can be found here. If there are any questions, issues or comments, please let me know. Enjoy!
