
Extracting Digital Artefacts from Windows 10Timeline Activities Cache Database.pdf

Version 3 2023-01-31, 23:23
Version 2 2022-01-01, 19:57
Version 1 2022-01-01, 19:51
preprint
posted on 2023-01-31, 23:23 authored by Ibrahim Shawahna
As operating systems become ever more prevalent among end users, the usual way of treating an operating system as an evidence source is becoming time-consuming, and it requires many artefact lists and cheat sheets to consult in order to obtain admissible evidence. Digital investigators used to review the Windows event logs to extract evidence, but the problem with the event logger is that, with long usage of the operating system, the event log file becomes extremely large. This means it requires more time to investigate and parse.

Windows 10 introduces a new feature called Windows Timeline, which shows the activities of the user for the last 30 days. The presence of this feature facilitates the work of investigators in extracting artefacts and tracking the actions conducted by the OS user.

This research presents a way of understanding the extraction of the activities conducted by the OS user and compares the results with commercial tools.
