Releases: kacos2000/WindowsTimeline
Releases · kacos2000/WindowsTimeline
WindowsTimeline parser (x64)
Changed base query to 'SmartlookupView'
Added support for ActivityType 3
Added cell tooltips/popups
Other minor updates/fixes
Signed
WindowsTimeline parser (x64)
Works with any ActivitiesCache.db (Windows 1803/1809/1903/1909 ..)
- Decodes Clipboard Text
- Matches ActivitiesCache.db PlatformDeviceId's with device information (DeviceType, Name,Make,Model) from the registry (HKCU or NTuser.dat) at "\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache"
- Shows all the important information from JSON blobs ..
- Optionally exports output to "|" delimited .csv in a timestamped folder in the form of "WindowsTimeline_dd-MMM-yyyyTHH-mm-ss".
- Added '.CDP' file viewer.
Parses:
- Standalone ActivitiesCache.db
- CurrentUser's selected ActivitiesCache.db with matching registry (HKCU) device entries
- Standalone ActivitiesCache.db with offline NTUser.dat device entries
- Reads CDP files from the Parent 'ConnectedDevicesPlatform' folder
Note1: Requires "System.Data.SQLite". If not available, it will download and install automatically.
Note2: Runs on Windows 10 x64