Clipboard
Overview
Evidence: Clipboard
Description: Collect Clipboard Contents
Category: System
Platform: Windows
Short Name: clp
Is Parsed: No - Raw clipboard data is saved
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows clipboard is a system-wide buffer that temporarily stores data during cut, copy, and paste operations. Applications can place data on the clipboard in multiple formats simultaneously (e.g., text, HTML, images, files).
Clipboard contents can provide valuable forensic evidence about user activity, including copied passwords, URLs, file paths, images, and other sensitive data that was recently copied or cut.
Data Collected
| Field | Description | Example |
| --- | --- | --- |
| FormatName | Clipboard format type | CF_UNICODETEXT |
| FormatID | Numeric format identifier | 13 |
| FilePath | Path to saved clipboard data | Clipboard/1.CF_UNICODETEXT(13).txt |
| FileSize | Size of clipboard data | 256 |
Collection Method
This collector:
Opens the system clipboard
Enumerates all available clipboard formats
Retrieves data for each format
Saves each format to a separate file with appropriate extension
Supported formats include:
Text formats (CF_TEXT, CF_UNICODETEXT, CF_OEMTEXT)
Image formats (CF_BITMAP, CF_DIB, CF_DIBV5, CF_TIFF)
File lists (CF_HDROP)
Custom application formats
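Because the collector saves raw clipboard data without parsing it, an analyst has to decode each saved file according to its format ID. The Python below is an added example, not part of the collector: it decodes the text formats and the CF_HDROP file list (a DROPFILES header followed by a double-NUL-terminated path list). It assumes the file naming pattern inferred from the single example path above, that each file holds the unmodified bytes of its clipboard format, and fixed code pages for CF_TEXT and CF_OEMTEXT.

```python
import re
import struct

# Assumed naming pattern (from the page's one example): <index>.<FormatName>(<FormatID>).<ext>
NAME_RE = re.compile(r"(\d+)\.(.+)\((\d+)\)\.\w+$")
# CF_TEXT=1, CF_OEMTEXT=7, CF_UNICODETEXT=13; the two code pages are assumptions.
TEXT = {1: ("cp1252", 1), 7: ("cp437", 1), 13: ("utf-16-le", 2)}
# Constructed sample: DROPFILES header (pFiles=20, fWide=1), two paths, double NUL.
SAMPLE_HDROP = struct.pack("<IiiII", 20, 0, 0, 0, 1) + (
    "C:\\Users\\alice\\q3.xlsx\x00C:\\Temp\\out.zip\x00\x00".encode("utf-16-le"))

def parse_name(path):
    """Return (index, format name, format ID) from a saved clipboard file name."""
    m = NAME_RE.search(path.replace("\\", "/").rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"unrecognised clipboard file name: {path!r}")
    return int(m[1]), m[2], int(m[3])

def _nul(raw, pos, width):
    """Offset of the first aligned NUL character at or after pos, else end of data."""
    for i in range(pos, len(raw) - width + 1, width):
        if raw[i:i + width] == b"\x00" * width:
            return i
    return len(raw) - (len(raw) - pos) % width

def decode_hdrop(raw):
    """Parse DROPFILES (pFiles, pt.x, pt.y, fNC, fWide) and return the path list."""
    if len(raw) < 20:
        raise ValueError("CF_HDROP data is shorter than the DROPFILES header")
    p_files, _x, _y, _fnc, f_wide = struct.unpack_from("<IiiII", raw)
    if not 20 <= p_files <= len(raw):
        raise ValueError("DROPFILES.pFiles points outside the data")
    enc, width = ("utf-16-le", 2) if f_wide else ("cp1252", 1)
    paths, pos = [], p_files
    while pos < len(raw):
        end = _nul(raw, pos, width)
        if end == pos:  # empty string: second NUL of the double terminator
            break
        paths.append(raw[pos:end].decode(enc, "replace"))
        pos = end + width
    return paths

def decode(path, raw):
    """Decode one saved file by format ID; None for formats not handled here."""
    fid = parse_name(path)[2]
    if fid in TEXT:
        enc, width = TEXT[fid]
        return raw[:_nul(raw, 0, width)].decode(enc, "replace")
    return decode_hdrop(raw) if fid == 15 else None  # 15 = CF_HDROP
```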
Usage
Clipboard contents can reveal critical evidence about user actions immediately before system acquisition. Investigators can recover copied passwords, URLs visited, file paths accessed, sensitive document excerpts, and data prepared for exfiltration. This evidence is particularly valuable in data theft investigations, insider threat cases, and scenarios involving credential theft.
Known Limitations
Only captures clipboard state at collection time
Clipboard contents are volatile and overwritten frequently
Some applications use private clipboard formats
Large clipboard contents may impact collection
Notes
Clipboard data is highly volatile and represents only the most recent copy/cut operation. The evidence should be collected as early as possible during acquisition to maximize its value.