
Insider Threat Matrix™

  • ID: DT090
  • Created: 26th July 2024
  • Updated: 26th July 2024
  • Platform: Windows
  • Contributor: The ITM Team

Clipboard Payloads via ActivitiesCache.db

This artifact is only generated where both “Clipboard History” and “Clipboard history across your devices” are enabled in the Windows clipboard settings.


ActivitiesCache.db is associated with the Windows Timeline feature, which was introduced in Windows 10, allowing users to keep track of their activities across different devices and sessions.


This artifact is located in:

C:\Users\Username\%AppData%\Local\ConnectedDevicesPlatform\<UserProfile>\

This .db file can be opened using appropriate software, such as DB Browser for SQLite. The ActivityOperations table is of interest, with the following notable fields:


  • StartTime (epoch time) – When the data was first copied to the clipboard
  • ExpirationTime (epoch time) – When the entry will be deleted from ActivitiesCache.db (roughly 12 hours)
  • ClipboardPayload – Base64-encoded string of the clipboard contents
  • Payload – Identifies where the clipboard data was copied from
  • ActivityType – Type 10 indicates the data resides in the clipboard; Type 16 indicates whether the data was copied or pasted
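To triage these fields on an exported copy of the database, the following Python example is added here and is not part of the ITM page: it builds a constructed in-memory table carrying only the fields listed above, decodes ClipboardPayload, converts the epoch timestamps to UTC, labels the ActivityType values, and tolerates a corrupt payload row. The table name and column layout are assumed from the list above, so the query should be adapted to the real schema.

```python
import base64
import sqlite3
from datetime import datetime, timezone

# ActivityType values as described on the page; anything else is reported as unknown.
ACTIVITY_TYPES = {10: "clipboard-resident", 16: "copy/paste operation"}

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ActivitiesCache.db (only the page's fields)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ActivityOperations (
        StartTime INTEGER, ExpirationTime INTEGER,
        ClipboardPayload TEXT, Payload TEXT, ActivityType INTEGER)""")
    enc = lambda s: base64.b64encode(s).decode()  # Base64 as the field stores it
    rows = [  # constructed sample data; times are epoch seconds (UTC)
        (1721995200, 1722038400, enc(b"Q3 revenue forecast (internal)"),
         "Microsoft.Office.Excel", 10),
        (1721995260, 1722038460, enc(b"customer-list-export.csv"), "Explorer", 16),
        (1721995320, 1722038520, "not*base64!", "Unknown", 10),  # corrupt payload
    ]
    conn.executemany("INSERT INTO ActivityOperations VALUES (?,?,?,?,?)", rows)
    return conn

def decode_payload(value: str) -> str:
    """Strict Base64 decode; a corrupt or truncated row must not abort triage."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return "<undecodable payload>"

def to_utc(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def parse_clipboard_rows(conn: sqlite3.Connection) -> list[dict]:
    """Return every clipboard row with decoded content and readable timestamps."""
    cur = conn.execute(
        "SELECT StartTime, ExpirationTime, ClipboardPayload, Payload, ActivityType "
        "FROM ActivityOperations WHERE ClipboardPayload IS NOT NULL ORDER BY StartTime")
    return [{
        "start_utc": to_utc(start),
        "expires_utc": to_utc(expiry),
        "ttl_hours": round((expiry - start) / 3600, 2),  # page says roughly 12 hours
        "source": source,
        "activity_type": ACTIVITY_TYPES.get(atype, f"unknown ({atype})"),
        "content": decode_payload(payload),
    } for start, expiry, payload, source, atype in cur]

if __name__ == "__main__":
    for row in parse_clipboard_rows(build_sample_db()):
        print(row)
```

Point sqlite3.connect at a forensic copy of ActivitiesCache.db rather than the live file, and compare each row's ttl_hours against the roughly 12-hour expiry to spot entries that have been retained or modified unexpectedly.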

Sections

AF022: Virtualization

The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries.


This strategy allows the subject to:


  • Contain incriminating tools, logs, or staged data entirely within a VM.
  • Avoid leaving artifacts on the host system's registry, file system, or memory.
  • Leverage disposable VMs to execute high-risk actions and erase evidence through snapshot rollback or VM deletion.
  • Evade host-based endpoint detection and response (EDR) tools that lack introspection into virtualized environments.
  • Run guest OSes in stealth configurations (e.g., nested VMs, portable hypervisors) to further frustrate attribution and recovery efforts.

AF022.001: Use of a Virtual Machine

The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.