- ID: DT090
- Created: 26th July 2024
- Updated: 26th July 2024
- Platform: Windows
- Contributor: The ITM Team
Clipboard Payloads via ActivitiesCache.db
This artifact is only generated when both “Clipboard History” and “Clipboard history across your devices” are enabled in the Windows clipboard settings.
ActivitiesCache.db is associated with the Windows Timeline feature, which was introduced in Windows 10, allowing users to keep track of their activities across different devices and sessions.
This artifact is located in:
C:\Users\<Username>\AppData\Local\ConnectedDevicesPlatform\<UserProfile>\
This .db file can be opened using appropriate software, such as DB Browser for SQLite. The ActivityOperations table is of interest, with the following notable fields:
- StartTime (epoch time) – When the data was first copied to the clipboard
- ExpirationTime (epoch time) – When the data will be deleted from ActivitiesCache.db (roughly 12 hours after StartTime)
- ClipboardPayload – Base64 encoded string of the clipboard contents
- Payload – This field tells you where the clipboard data was copied from
- ActivityType – Type 10 means the data resides in the clipboard; Type 16 shows that the data was copied or pasted
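The following is an added example of how an analyst could pull these fields out of the database and decode them; it is not code from the ITM page. It builds a constructed in-memory SQLite database using the table and column names listed above (the rest of the schema, the `appId` key inside Payload, and the JSON-wrapped variant of ClipboardPayload that the decoder also accepts are assumptions, as is the sample clipboard text). Against a real copy of ActivitiesCache.db you would replace `build_sample_db()` with `sqlite3.connect(path_to_copied_db)`.

```python
import base64
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample values (not from any real system).
SAMPLE_TEXT = "Confidential: Q3 merger term sheet"
SAMPLE_START = 1721995200                 # 2024-07-26 12:00:00 UTC
SAMPLE_EXPIRE = SAMPLE_START + 12 * 3600  # the ~12 hour retention described on the page


def build_sample_db():
    """Create an in-memory stand-in for ActivitiesCache.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE ActivityOperations (
            Id TEXT,
            ActivityType INTEGER,
            StartTime INTEGER,
            ExpirationTime INTEGER,
            Payload TEXT,
            ClipboardPayload TEXT
        )""")
    b64 = base64.b64encode(SAMPLE_TEXT.encode("utf-8")).decode("ascii")
    rows = [
        # Type 10: data resides in the clipboard; raw base64 as the page describes
        ("op-1", 10, SAMPLE_START, SAMPLE_EXPIRE,
         '{"appId":"Microsoft.Office.WINWORD.EXE"}', b64),
        # Type 16: copy/paste event; JSON-wrapped base64 (assumed variant)
        ("op-2", 16, SAMPLE_START + 60, SAMPLE_EXPIRE + 60,
         '{"appId":"notepad.exe"}',
         json.dumps([{"content": b64, "formatName": "Text"}])),
        # Unrelated Timeline activity that the query must skip
        ("op-3", 5, SAMPLE_START, SAMPLE_EXPIRE, '{"appId":"explorer.exe"}', None),
    ]
    conn.executemany("INSERT INTO ActivityOperations VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def decode_clipboard_payload(raw):
    """Decode ClipboardPayload; returns None if empty or not decodable."""
    if not raw:
        return None
    # Assumed variant: a JSON list of {"content": <base64>, ...} objects
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, list):
            parts = [base64.b64decode(item.get("content", "")).decode("utf-8", "replace")
                     for item in parsed if isinstance(item, dict)]
            return "\n".join(parts) or None
    except (ValueError, TypeError):
        pass
    # Plain base64 string, as described on the page (binascii.Error is a ValueError)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def to_utc(epoch):
    """StartTime/ExpirationTime are Unix epoch seconds; render them as UTC."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def extract_clipboard_records(conn):
    """Return decoded clipboard rows (ActivityType 10 or 16) ordered by StartTime."""
    cur = conn.execute(
        "SELECT Id, ActivityType, StartTime, ExpirationTime, Payload, ClipboardPayload "
        "FROM ActivityOperations WHERE ActivityType IN (10, 16) ORDER BY StartTime")
    records = []
    for row_id, atype, start, expire, payload, clip in cur:
        try:
            source = json.loads(payload).get("appId") if payload else None
        except (ValueError, AttributeError):
            source = payload  # keep the raw field if it is not the assumed JSON shape
        records.append({
            "id": row_id,
            "activity_type": atype,
            "start_utc": to_utc(start).isoformat(),
            "expires_utc": to_utc(expire).isoformat(),
            "retention_hours": round((int(expire) - int(start)) / 3600, 1),
            "source": source,
            "clipboard_text": decode_clipboard_payload(clip),
        })
    return records


if __name__ == "__main__":
    for rec in extract_clipboard_records(build_sample_db()):
        print(rec)
```

Because ExpirationTime purges rows after roughly 12 hours, the database should be collected (or the relevant rows exported) promptly; the `retention_hours` value makes it obvious when a row is about to age out of the artifact.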
Sections
ID | Name | Description |
---|---|---|
AF022 | Virtualization | The subject leverages virtualization technologies—including hypervisors and virtual machines—to obscure forensic artifacts, isolate malicious activity, or evade host-based monitoring. By conducting operations within a guest operating system, the subject reduces visibility to host-level security tools and complicates the forensic process by separating volatile and persistent data across system boundaries. This strategy allows the subject to: |
AF022.001 | Use of a Virtual Machine | The subject uses a virtual machine (VM) on an organization device to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations. By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities. |