This artifact will show the Clipboard activity.
The artefact ActivitiesCache.db has started to log clipboard activity since Windows 10 version 1803.
The prerequisite for clipboard data to be logged by this artefact relies on the system having two settings checked: Clipboard history enabled Clipboard sync across devices
StartTime (epoch time) – When the data was first copied to the clipboard
ExpirationTime (epoch time) – When the data will be deleted from the ActivitiesCache.db (roughly 12 hours)
ClipboardPayload – Base64 encoded string of the clipboard contents, but here it is decoded, and the clipboard content is shown
Payload – This field tells you where the clipboard data was copied from!
ActivityType – Type 10 means data resides in clipboard, Type 16 shows if data was copied or pasted
name: Windows.Forensics.Clipboard
author: Hisham Adwan with the help of Velo Community
description: |
This artifact will show the Clipboard activity.
The artefact ActivitiesCache.db has started to log clipboard activity since Windows 10 version 1803.
The prerequisite for clipboard data to be logged by this artefact relies on the system having two settings checked:
Clipboard history enabled
Clipboard sync across devices
StartTime (epoch time) – When the data was first copied to the clipboard
ExpirationTime (epoch time) – When the data will be deleted from the ActivitiesCache.db (roughly 12 hours)
ClipboardPayload – Base64 encoded string of the clipboard contents, but here it is decoded, and the clipboard content is shown
Payload – This field tells you where the clipboard data was copied from!
ActivityType – Type 10 means data resides in clipboard, Type 16 shows if data was copied or pasted
reference:
- https://www.youtube.com/watch?v=6Q3vEO69AkQ&ab_channel=JohnHammond
- https://www.inversecos.com/2022/05/how-to-perform-clipboard-forensics.html
parameters:
- name: FileGlob
default: C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT
CreatedTime,
LastModifiedTime,
LastModifiedOnClient,
StartTime,
EndTime,
Payload,
split(sep='''\\''', string=dirname(path=OSPath))[2] AS User,
base64decode(string=parse_json_array(data=ClipboardPayload)[0].content) AS ClipboardPayload,
OSPath AS Path,
Mtime
FROM foreach(row={
SELECT Mtime, OSPath from glob(globs=FileGlob)}, query={
SELECT *, Mtime, OSPath FROM sqlite(file=OSPath, query="SELECT * FROM ActivityOperation")})