Daily Blog #691: Solution Saturday 5/2/20 - Magnet DFIR CTF Winner

Magnet DFIR CTF Winner

Hello Reader,
       This week an previous winner stepped up the challenge. Not only have they won a Sunday Funday before but they are also a Magnet DFIR CTF winner! This week Kevin Pagano stepped up and brought in the win with a good bit of research!

The Question:
Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:
1. How long before an action is taken before it is committed to the Windows Timeline database
2. What process and/or service creates the events
3. What call do developers need to make to support it
4. What is excluded?
5. When do events get removed?

The Winning Answer:
Kevin Pagano 


Windows Timeline is an amazing source of user data, however like all things it has limitations. Answer the following questions:

1. How long before an action is taken before it is committed to the Windows Timeline database

Almost instantly it seems, when running KAPE to test parsing the DB file, it actually wrote the kape.exe as the latest interaction.

2. What process and/or service creates the events

SVCHOST populates events into the ActivitiesCache database files. We can see a bunch of locks/unlocks through ProcMon:



3. What call do developers need to make to support it
Microsoft breaks this down in pretty good detail:


It uses the UserActivity API class object pulling in ActivityID, ActivationUri, and DisplayText as the minimum set. They also show all the code that is needed to add activities and adaptive cards to the Timeline. I am in no way a developer so this is all Greek to me.

4. What is excluded?

Applications that have activities that don't support using the API above won't be included from the GUI but they are still written to the DB file. 

5. When do events get removed?  
From Microsoft's site, items will be stored for up to 30 days (https://support.microsoft.com/en-us/help/4230676/windows-10-get-help-with-timeline), where after I assume they are deleted out of the database. There may be potential events you can recover from SQL slack. The user can also remove items as they see fit but they might not be purged until the Expiration Time is up for each entry.

Parsing using Eric Zimmerman's WxTCmd, we can see this is true.


Also Read: Daily Blog #690 



Post a Comment