Analyzing Microsoft Timeline, OneDrive and Personal Vault Files

Elcomsoft Phone Breaker is a forensic tool that can download data not only from Apple iCloud but also from other cloud services. In this new version, we have added support for even more types of data, including Windows 10 Timeline, Account Activity (logins to the account), OneDrive files, recent OneDrive files history, and files from Microsoft Personal Vault. Learn how to use Elcomsoft Phone Breaker to quickly extract data from the user’s Microsoft Account.


Windows Timeline is a feature that first appeared in the Windows 10 April 2018 Update. The feature enhances Task View, enabling a glance into the past by displaying the user’s historical activities. The Timeline contains timestamped information about the user’s launched applications, searches, documents, and Web browsing history. Along with Windows jumplists, the feature is little known and rarely disabled, giving a valuable insight into the history of system’s usage.

If the user signs into their Microsoft account, Windows synchronizes the Timeline across devices. This is where we extract it from: Elcomsoft Phone Breaker 9.70 downloads the data, and Elcomsoft Phone Viewer 5.30 displays its content in a convenient layout.

By analyzing the Timeline data, experts can access to timestamped information about the app usage and Web page visits.

In addition to the Timeline, the tool extracts Account Activities detailing the user’s sign-ins to their Microsoft account.


OneDrive needs no introduction, but the Personal Vault feature is still relatively unknown. According to Microsoft, “Personal Vault is a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS. Your locked files in Personal Vault have an extra layer of security, keeping them more secured in the event that someone gains access to your account or your device.”

When accessing Personal Vault, one would typically need to pass through all authentication steps: the login and password, and the second authentication step. For most tools, that would mean either no Vault extraction at all or a second, duplicate authentication effort. The newest update to Elcomsoft Phone Breaker can extract files from the user’s Personal Vault without the need to perform an additional (double) authentication.


Extracting OneDrive, Personal Vault and Timeline data with Elcomsoft Phone Breaker is straightforward.

1. Install the latest version of the tool (EPB 9.70 or newer required).
2. Select “Download data from Microsoft account”
3. Authenticate into the user’s Microsoft account with login, password, and two-factor authentication.
4. Choose categories (e.g. OneDrive, Personal Vault, and Timeline).
5. Click Continue. The data will be downloaded.

To analyze, follow these steps.

1. Install and launch the latest version of Elcomsoft Phone Viewer (version 5.30 or newer).
2. Select “Microsoft account data”
3. Specify data types for parsing
4. Start analyzing specified data types


Now supporting the widest range of data in multiple cloud services, Elcomsoft Phone Breaker becomes truly indispensable for cloud analysis. The updates are free of charge to existing users with currently valid licenses. Visit to download it today and gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices!

Author: Web Spangle

Leave a Reply

Your email address will not be published. Required fields are marked *