With the release of Windows 10 version 1803, came an exciting new forensics artifact: The Activity Timeline. The Activity Timeline is designed to remind users what they were up to in the recent past and help them pick up those activities right where they left off - even across multiple devices. In order to accomplish this feat, Windows stores a wealth of forensic goodness in a per-user SQLite databases. Among the items tracked in the new Activity Timeline are when users open and close apps, actual engagement times, and the files the user was interacting with through the app. These key items tracked are of significant value to forensics practitioners and can make or break a case. To learn more about BlackBag, visit www.blackbagtech.com.