How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History
During a compromise, threat actors frequently copy data to the clipboard: credentials, PowerShell commands and IP addresses are typical. On the malware side, infostealers, RATs and keyloggers routinely monitor the clipboard, since it may hold cryptocurrency seed phrases, passwords and other valuable data.

Incident response analysts rarely perform a forensic examination of clipboard data, because it is transient, lives in volatile memory, and is only preserved if the necessary settings were already in place before the incident. However, on recent Windows versions, and depending on how the system is configured, historical clipboard data may be persisted on the system and available for analysis. This should be considered the next time an analyst examines a system.

Forensic considerations when analysing clipboard data:

- What time did the threat actor copy data to the clipboard?
- Where did the threat actor copy the data from?
- Was the data ever pasted (on the same system) or just copi