Parse Windows ActivitiesCache to JSONL
Python
Latest commit fc78c2b Sep 10, 2018


# ActivitiesCacheParser

Parse Windows ActivitiesCache to JSONL or formatted output.

## Usage

```text
usage: winactivities2json.py [-h] -s SOURCE [-t TEMP_DIR]
                             [--sequence SEQUENCE] [-o OUTPUT_TEMPLATE]
                             [--dump_db] [--debug {ERROR,WARN,INFO,DEBUG}]

Interface to parse Windows Timeline - ActivitiesCache.db.
Run this tool on the database file, or on a logical volume to process records for all users.

(default location - \Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\L.%USERNAME%)

version: 0.0.1

optional arguments:
  -h, --help            show this help message and exit
  -s SOURCE, --source SOURCE
                        The activities database or a logical volume (logical
                        volume: \\.\C:).
  -t TEMP_DIR, --temp_dir TEMP_DIR
                        The template directory for extractions if source is a
                        logical volume.
  --sequence SEQUENCE   Only display sequences above this value. (default: 0)
  -o OUTPUT_TEMPLATE, --output_template OUTPUT_TEMPLATE
                        Output template format.
  --dump_db             Dump the entire ActivitiesCache.db database, not just
                        the Activity table.
  --debug {ERROR,WARN,INFO,DEBUG}
                        Debug level [default=ERROR]
```

## Formatted Output

An output template lets you replace the default JSONL output with a custom line format.

With no template, the tool emits one JSON object per line (JSONL). The template is simply a format string: each `{field}` placeholder is replaced by that field's value from the record, and nested values are reached with `[index]` and `[key]` lookups, as in `{AppId[0][application]}`.

Given the following record (formatted with indentation for better readability):

```json
{
  "_rowid": 115,
  "Id": "c6fbf27c49fb82315155669f8329c995",
  "AppId": [{
      "application": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe",
      "platform": "windows_win32"
    }, {
      "application": "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe",
      "platform": "packageId"
    }, {
      "application": "",
      "platform": "alternateId"
    }, {
      "application": "",
      "platform": "windows_universal"
    }
  ],
  "PackageIdHash": "k6rI3Te3bxJRvjak0sx3vVZjSTM2c6pZ22Lb+ebZW6A=",
  "AppActivityId": "ECB32AF3-1440-4086-94E3-5311F97F89C4",
  "ActivityType": 6,
  "ActivityStatus": 1,
  "ParentActivityId": "00000000000000000000000000000000",
  "Tag": null,
  "Group": null,
  "MatchId": null,
  "LastModifiedTime": "2018-07-13 17:03:54",
  "ExpirationTime": "2018-08-12 17:03:54",
  "Payload": {
    "type": "UserEngaged",
    "reportingApp": "ShellActivityMonitor",
    "activeDurationSeconds": 142,
    "shellContentDescription": {
      "MergedGap": 600
    },
    "userTimezone": "America\/Los_Angeles"
  },
  "Priority": 3,
  "IsLocalOnly": 0,
  "PlatformDeviceId": "zdb2vOpgPSkxd2PLwsayEmxe1DNFt6GOtaz+2ENpgLU=",
  "CreatedInCloud": 0,
  "StartTime": "2018-07-13 17:01:36",
  "EndTime": "2018-07-13 17:13:28",
  "LastModifiedOnClient": "2018-07-13 17:13:28",
  "GroupAppActivityId": "",
  "ClipboardPayload": null,
  "EnterpriseId": "",
  "OriginalPayload": null,
  "OriginalLastModifiedOnClient": null,
  "ETag": 687,
  "_user": "mpowers",
  "_cpd_location": "L.mpowers"
}
```

Passing the template `-o "{StartTime} - {AppId[0][application]}"` produces the following output:

```text
2018-07-13 17:01:36 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe
```

## Example 1

Using the format template, we want to see at a glance which activity involving cmd.exe is recorded for which users. Piping the formatted output through a grep-style tool (rg below) gives fast identification.

```text
winactivities2json.py -s \\.\H: -t D:\Testing\activities --debug ERROR -o "{_user}: {StartTime} - {AppId[0][application]}" | rg cmd.exe
Administrator: 2018-08-07 19:29:59 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
Administrator: 2018-08-07 19:29:59 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-23 13:30:04 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-16 17:30:53 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-12 21:26:43 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
mpowers: 2018-07-12 21:26:43 - {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe
```
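The template rendering from the Formatted Output section and the `| rg cmd.exe` pipeline from Example 1 can both be reproduced in a few lines of Python. This is an added example, not the tool's own implementation: the records are constructed to resemble the README output, `render`/`render_all` are names chosen for the example, and the template is applied with Python's `str.format`, which accepts the same `{AppId[0][application]}` lookup syntax the README uses. It also handles an edge case the README does not show: a record whose `AppId` list is empty cannot satisfy the template and is counted rather than silently lost.

```python
import json
import re

CMD = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"
POWERSHELL = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed records modelled on the README output; only the fields the
# templates below reference are populated.
RECORDS = [
    {"_rowid": 1, "_user": "Administrator", "StartTime": "2018-08-07 19:29:59",
     "AppId": [{"application": CMD, "platform": "windows_win32"}]},
    {"_rowid": 2, "_user": "mpowers", "StartTime": "2018-07-13 17:01:36",
     "AppId": [{"application": POWERSHELL, "platform": "windows_win32"}]},
    {"_rowid": 3, "_user": "mpowers", "StartTime": "2018-07-23 13:30:04",
     "AppId": [{"application": CMD, "platform": "windows_win32"}]},
    # Edge case: an empty AppId list, so {AppId[0][application]} cannot resolve.
    {"_rowid": 4, "_user": "mpowers", "StartTime": "2018-07-12 21:26:43", "AppId": []},
]


def render(record, template=None):
    """Render one record: JSONL when no template is given, otherwise the
    template filled with str.format-style lookups such as {StartTime} or
    {AppId[0][application]}. Returns None when the template references a
    field this record does not have."""
    if template is None:
        return json.dumps(record)
    try:
        return template.format(**record)
    except (KeyError, IndexError, TypeError):
        return None


def render_all(records, template=None, pattern=None):
    """Render every record and keep the lines matching `pattern` (a regex,
    mimicking `| rg cmd.exe`). Returns (lines, unrenderable_count) so records
    that could not be rendered are reported rather than silently dropped."""
    regex = re.compile(pattern) if pattern else None
    lines, skipped = [], 0
    for rec in records:
        line = render(rec, template)
        if line is None:
            skipped += 1
            continue
        if regex is None or regex.search(line):
            lines.append(line)
    return lines, skipped


if __name__ == "__main__":
    out, skipped = render_all(RECORDS, "{_user}: {StartTime} - {AppId[0][application]}", "cmd.exe")
    print("\n".join(out))
    if skipped:
        print("%d record(s) could not be rendered with this template" % skipped)
```

Because the filter is a regex, `cmd.exe` also matches names such as `cmdXexe`; anchor or escape the dot if exact matching matters.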

## TODO Docs

Examples and descriptions of:

- `--sequence`
- `--dump_db`