
WindowsTimeline parser (x64)

@kacos2000 kacos2000 released this 16 Aug 14:51
· 24 commits to master since this release
ede9359
  • Noticeable speed improvement in data display/scrolling
  • Added option to show a (sortable) Application Execution list ('ActivityType' 5 entries) window,
    with just the following fields (inspired by @keydet89's blog post):
    • StartTime
    • Application
    • Description (file/url opened)
    • Name (Device Name from NTUser.dat) if available
    • DeviceType (from NTUser.dat) if available
  • Save dialog now shows a confirmation popup stating the number of files that were saved.
    Saved output includes:
    • ApplicationExecutionTimeline.csv ('ActivityType' 5 entries list) if available
    • ClipboardHistory.csv ('ActivityType' 10 - clipboard text list) if available
    • DatabaseActivityPolicies.json (contents of the 'DatabaseActivityPolicies' field of the 'Metadata' table) if available
    • Device_info.txt (info on known device types)
    • File_Info.csv (OS info & MD5 hash of the ActivitiesCache... files)
    • Registry_devices.csv (Devices listed in NTUser.dat/HKLU) if available
    • WindowsTimeline.csv (the full parsed data from ActivitiesCache.db)
  • Note: ClipboardHistory text carver has a separate save dialog option.

Note: the 'if available' qualifiers above depend on the corresponding database/registry entries being present.
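As an added illustration of what the Application Execution list above is built from (this is example code written for these notes, not part of kacos2000's parser): the snippet below selects the 'ActivityType' 5 rows from an `Activity` table, renders them as StartTime/Application/Description, and tolerates malformed or missing JSON. The column names and the JSON layout of `AppId` and `Payload` are assumptions about the ActivitiesCache.db format, the table is a reduced in-memory stand-in built from constructed rows, and the NTUser.dat device fields (Name, DeviceType) are not covered.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows, modelled on the 'Activity' table of ActivitiesCache.db.
# The column names and the JSON layout of AppId/Payload are assumptions about the
# on-disk format, not something the release notes state; only the columns needed
# for the Application Execution list are included.
SAMPLE_ROWS = [
    # (Id, ActivityType, AppId, Payload, StartTime as Unix epoch seconds)
    (1, 5,
     r'[{"application":"C:\\Windows\\System32\\notepad.exe","platform":"windows_win32"}]',
     r'{"displayText":"notes.txt","description":"C:\\Users\\analyst\\Documents\\notes.txt"}',
     1565964660),
    (2, 5,
     r'[{"application":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","platform":"windows_universal"}]',
     r'{"displayText":"Example Domain","description":"https://example.com/"}',
     1565961000),
    (3, 6,  # ActivityType 6 is not an execution entry and must be excluded
     r'[{"application":"C:\\Windows\\System32\\notepad.exe","platform":"windows_win32"}]',
     r'{"displayText":"notes.txt"}',
     1565964700),
    (4, 5, 'not json', r'{"displayText":"broken"}', 1565965000),  # malformed AppId
    (5, 5, r'[{"application":"calc.exe","platform":"windows_win32"}]', None, 1565963000),  # no Payload
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like the assumed Activity table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Activity (Id INTEGER PRIMARY KEY, ActivityType INTEGER, "
        "AppId TEXT, Payload TEXT, StartTime INTEGER)"
    )
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def _application_name(app_id) -> str:
    """Pull the executable/package name out of the AppId JSON array; label failures."""
    try:
        entries = json.loads(app_id)
    except (TypeError, ValueError):
        return "<unparsed AppId>"
    for entry in entries:
        if isinstance(entry, dict) and entry.get("application"):
            return entry["application"]
    return "<no application in AppId>"


def _description(payload) -> str:
    """Prefer the opened file/URL ('description'), fall back to 'displayText'."""
    if not payload:
        return ""
    try:
        data = json.loads(payload)
    except ValueError:
        return "<unparsed Payload>"
    return data.get("description") or data.get("displayText") or ""


def application_execution_timeline(conn: sqlite3.Connection) -> list:
    """Return ActivityType 5 rows as StartTime/Application/Description, oldest first."""
    rows = conn.execute(
        "SELECT StartTime, AppId, Payload FROM Activity WHERE ActivityType = 5 "
        "ORDER BY StartTime"
    ).fetchall()
    timeline = []
    for start, app_id, payload in rows:
        # StartTime is assumed to be Unix epoch seconds; render it as UTC
        ts = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        timeline.append({
            "StartTime": ts,
            "Application": _application_name(app_id),
            "Description": _description(payload),
        })
    return timeline


if __name__ == "__main__":
    for row in application_execution_timeline(build_sample_db()):
        print(f"{row['StartTime']}  {row['Application']:<55} {row['Description']}")
```

Rows with unparseable `AppId` are kept and flagged rather than dropped, so a damaged or deliberately odd entry still shows up in the timeline instead of silently disappearing from the evidence.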