Project aims to map out common user behavior on the computer. Most of the code is based on the research by kacos2000 found here: https://github.com/kacos2000/WindowsTimeline
TrustedSec blog about the research behind it: https://www.trustedsec.com/blog/oh-behave-figuring-out-user-behavior/
- git clone the repo
- pip3 install -r requirements.txt
To make use of this project you first need to copy out the ActivityCache.db file found on the users computer under:
C:\Users\%username%\AppData\Local\ConnectedDevicesPlatform\<GUID>
To parse an ActivityCache.db file specify the path with the -f parameter. If you only want the main exported data (one csv) you can specify -m. Output folder is specified with the -o parameter. Folder will be created if it does not exist. If no output folder is specified the output goes in the current working directory.
python3 UserBehaviourAnalyzer.py -f /mnt/c/ads/ActivitiesCache.db
Succesfully exported full raw database report
Report gen_report_useractivity_start_and_end.csv Generated successfully
Report gen_report_ApplicationLaunch_StartTime.csv Generated successfully
Paths_Unique.txt Generated successfully
Report gen_report_Activity_Applications.csv Generated successfully
Chart gen_fig_useractivity_heatmap.jpg Generated successfully
/mnt/c/gitlab/user-behavior/1. Extraction Script/UserBehaviorAnalyzer.py:565: UserWarning: FixedFormatter should only be used together with FixedLocator
ax1.set_xticklabels(df1['Date'], rotation=90)
Chart gen_fig_useractivity_bar.jpg Generated successfully
Chart gen_fig_top10_apps_pie.jpg Generated successfully
Chart gen_fig_top10_apps_bars.jpg Generated successfully
This report contains the total of time the different application has been actively used based on all the data found in the database.
This reports shows the applications that are launched and parameters used (also filenames sometimes) and when it was launched. This is useful for understanding when the user starts his applications.
This report groups all times for each day and finds the first entry of the day and the last. This report is useful for understanding when the user starts his day and when the last application was launched.
This shows the top 10 most used application visualized with Bars. Usage is in seconds.
This shows the top 10 most used application visualized as a pie chart. Usage is in seconds.
This visualizes when the user is active and idle based on the first activity found per day and the last activity found per day. The y axis shows the time of day. The time is based on the timezone of the user ex 500 = 0500 (5am) ex 2000 (8pm)
This visualized the users activity sorted on days. The brighter color the more activity. The time is based on the timezone of the user
This file contains unique paths the for documents/files/folders the user works towards. Perfect targets for backdoors.
If you do encounter issues please create a github issue. You might need to provide the ActivitiesCache.db since it could be a case that has not been encountered.