Windows 10 now includes a feature called Timeline that allows you to easily view recent activity carried out, such as documents and web pages that have been opened. Currently only web pages that are viewed using the Edge browser are visible within Timeline.
By default activity records remain in Timeline for 30 days. Interestingly, our testing has shown that browser activity remains in Timeline even when the Edge browser history has been cleared. Therefore, Timeline could be a useful source of data for browser forensics, as it can potentially provide easy access to deleted browser history.
Timeline data is stored within a SQLite database at the following location:
Web pages viewed in Edge are stored within the “Activity” table. Here we can find the URL, page title and date the page was viewed.
The URL and page title are stored within the “Payload” column, which contains JSON stored as binary data. The URL is found at the “contentUri” property, and the page title is found at the “displayText” property. The page viewed date is stored within the “StartTime” column as a Unix timestamp (number of seconds since 01/01/1970 00:00:00)
It is worth noting that during our testing we observed that the StartTime value was generally a couple of seconds later than the corresponding timestamp stored in the Edge browser history. Therefore, we assume this represents when the record is stored in Timeline, not when it was stored in Edge.
We have updated Browser History Capturer (BHC) and Browser History Examiner (BHE) to take advantage of this extra source of Edge history data. Therefore you can now do the following:
- Run BHC on a local machine to capture the Timeline database
- Use BHE to capture the Timeline database from a remote Windows PC. See the following blog post for more details on this functionality:
- Use BHC or BHE to capture older versions of the Timeline database stored within System Restore points. See the following blog post for more details on this functionality:
- Use BHE to extract Edge browser history from the Timeline database. BHE offers the option to automatically hide duplicate records which are present in both Edge and Timeline databases.
To try this out for yourself visit our Downloads page for a free trial of Browser History Examiner.