Insights Blog

Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness

By: Vico Marziale (@vicomarziale), Senior Digital Forensics Researcher

Introduction

In the previous posts, Part 1 and Part 2, we have seen that the Windows Activity Timeline (just “Timeline” from here on out) source database, ActivitiesCache.db, stores reams of data about actions each user has engaged in on a system (i.e. web browsing and document access).  Further, this evidence can be synched across multiple Windows machines that a user logs into with the same MS account.  It can also store evidence of activities that occurred on non-Windows machines if Office365 is attached to the same account as the MS login account. This time around we are going to tackle another in a never-ending list of Timeline topics. Namely, we’ll take a look at a type of user activity that you might not think of when examining this particular artifact – Clipboard contents.

Before we begin, one thing to note, Timeline analysis is a fast-moving target. The db itself, as well as the behavior of the system, changes with nearly every Windows release. Even without the constant change, there are large parts of the Timeline we know little about. There is a lot more work needed here for verification as well as figuring out the unknown parts. With that in mind, this post has a bit more detail on the process I used to figure out how the Timeline and Clipboard are connected. Hopefully, this information will help other curious people perform their own testing and add to the body of what is known.

 

The Problem Statement

When digging around a (long) while ago in the ActivitiesCache.db on one of the test VMs I use, I saw that there was a column in the Activities table named Clipboard Payload that had data in it. I had seen the column before but hadn’t seen it populated before. It looked something like Figure 1 below. Immediately, my forensics Spidey sense went off telling me this should be interesting, and so I dug in.

 

Figure 1

 

I loaded the VM into BlackLight to do some more looking around. The Clipboard Payload column had some pretty obviously base64 encoded data. The decoded string was “AMD-Backed Blockchain Project Amassing 20K GPUs but Won’t Say Why.” Apparently, I was doing some cryptocurrency reading and copied the article title? But how did the data get there? How long would it stick around? Was it stored anywhere else? Was it only text that could be stored? There were many questions that needed answering.

 

Methodology

I had a notion of what some of the answers were, and there were online sources [1] that had good info, but as I said before, the Timeline changes quickly. To attempt to answer some of these questions for myself, I recently spun up a fresh Windows 10 2004 VM and copied and pasted some text. Then I looked in the Timeline db, and there was no populated Clipboard Payload data. So that was not super helpful.

 

Some brief googling reminded me that Windows 10 version 1809 added some new clipboard features: Clipboard History and Clipboard Cloud Sync [2-8]. The idea was that if the right configuration options (we’ll see them below) were selected, Windows would keep a limited history of text and images a user copies with CTRL-C. They could then be accessed with the WinKey-V key combo. Depending again on the settings, some types of copied data would even be synched across machines. I then tried the Clipboard History key combo WinKey-V in my 2004 VM and got this sad message:

 

Figure 2

 

I  assumed I needed to tinker with some settings. After more googling I turned on Clipboard History in Settings → System → Clipboard:

 

Figure 3

 

Then I went and copied some text from my web browser, tried the WinKey-V again, and behold:

 

Figure 4

 

But when I looked in the Timeline db again, still no luck. There was no populated Clipboard Payload data. Luckily there were more settings to toggle. Next I enabled the Sync across devices setting to turn on Clipboard Cloud Sync.

 

Figure 5

 

Now I thought I had a better chance of this actually working, so on the fresh 2004 VM I did the following (see Figure 6 below):

  • Logged in with one of my test MS accounts
  • Opened Notepad
  • Inserted a timestamp for good measure
  • Wrote some text
  • Selected the text
  • Right-clicked and copied the text

 

Figure 6

 

Then I opened up another machine, this one a Windows 10 1809 test VM and did the following:

  • Logged in with the same MS account as on the 2004 VM
  • Made sure it had the same clipboard settings
  • Opened Notepad
  • Inserted a timestamp
  • Right-clicked and selected paste

Note: Be careful not to have copied/pasted anything else in this VM before

 

Et viola! The text I had copied above in the 2004 machine pasted in the 1809 machine (see Figure 7 below).

 

Figure 7

 

This time when I took a quick look at the Timeline db on the 2004 machine, I saw some Clipboard Payloaddata populated. Now I was making some progress. Then I decided to take a closer look at the Timeline dbs from both the 2004 and 1809 machines and, using what we’ve seen in the previous posts and what we know now, see how this all works in the Timeline.

 

Then I did the following:

  • Opened BlackLight and created a new case
  • Added the VMDKs from each of the VMs to the case
  • Made sure Actionable Intel processing is selected (it is by default)
  • Looked at the Actionable Intel → Program Execution → Activities Cache section.

 

Going back and looking at the timestamps in my Notepad files from Figures 6 and 7 above I noted that my copy/paste start time is around 6:50 PM on June 30, 2020. Then I sorted by Start Time and immediately noticed that there were many duplicate Guid Id entries in Figure 8 below (e.g., AF42… in rows one and three, and F2FE… in rows two and four are the same). We know from previous posts that these are supposed to be unique identifiers for Activities. We should also remember from previous posts that we see duplicates here because the Activities have been synched across the two machines since I use the same MS account on both.

 

Figure 8

 

The duplicate data can sometimes be useful, and other times make things more difficult. This time seemed like the latter. So first I just looked at the Activities Cache from the 2004 machine by selecting just the Win10 2004 machine in the Evidence section of the ‘Component List.’ This eliminated the duplicate entries, as we can see in Figure 9 below.

 

Figure 9

 

After sorting by Start Time we can see (Figure 10 below) 6-7 entries that might be relevant given the time frame when I did the copying and pasting. The App Id column tells us that all but one of the entries are related to Notepad. (Side note: I also used BlackLight’s view filter to remove some other unrelated Activities.)

 

Figure 10

 

Scrolling right (see Figure 11 below) we can see that these Activities originated on two different machines based on the two different Platform Device IDs listed. Using the technique outlined in the previous post, we can determine that the yugS… entries originated on the 1809 machine and the mWKk… entries originated on the 2004 machine.

 

I then focused only on the entries originating on the 1809 machine, and as we can see in Figure 11 below, there is an Activity Type 5 for opening Notepad and an Activity Type 6 for engaging with the app. (The Activity Type 5 and 6 appear to be in reverse order, but on examining the Start Time, they both began at the same second, so they are listed in arbitrary order.)  We can see the file Notepad was used to access in the App Activity Id column: morecopypasta.txt file. This is where we pasted in the text in Figure 7 above.

 

Figure 11

 

If we now focus on the entries originating on the 2004 machine, we can see there are four relevant lines in Figure 11 above. Two of them are Activity Type 6 meaning the user was engaged with the Notepad app. The file that Notepad was used to access we can see in the App Activity Id field: pasted.txt.txt. This is the file I copied text out of in Figure 6 above. There is also an Activity Type 16, which tells us that Notepad was used for a copy or paste operation. And we see an Activity Type 10 which tells us that Clipboard activity occurred.

 

If we look further into the Activity Type 16 (Copy/Paste) in Figure 12 below, the Group ID tells us that the operation was a Copy operation. The Clipboard Payload, when decoded from the base64 is:

 

6:52 PM 6/30/2020 Copy on 2004
Let's copy/paste through the cloud

 

Which matches the text I copied above, as seen in Figure 6.

 

Figure 12

 

It is important to note that the Activity Type 10 is not directly tied to Notepad by its App Id, App Activity Id, or any other field. We can only infer that copied or pasted text in the Clipboard Payload was itself was copied from/pasted to Notepad.

 

While most data gets synched between machines, not everything does. Let’s take a look at the same timeframe in the Timeline db from the 1809 machine in Figure 13 below.

 

Figure 13

 

It looks pretty similar to the 2004 db, but when we scroll over a bit (see Figure 14 below), we see that one entry is missing.

 

Figure 14

 

There is no Activity Type 16 shown in the 1809 Timeline db. We might have expected to see an Activity Type16 with a Group Id of “Paste” to match the other Activity Type 16 with a Group Id of “Copy.” I certainly did. And with different version of the Timeline we might have. But it’s not here now. Remember we said above this is a quickly moving target? Now that we have some understanding of how all this looks in the Timeline db, let’s get back to our original set of questions in the Problem section above.

 

Results

After reviewing the above and doing some additional spot testing specifically geared to answering our questions, we get the following answers:

 

How did the Clipboard Payload data get there?

In the experiment above we copied data on the 2004 machine and pasted it on the 1809 machine. This resulted in Clipboard Payload being populated with the base64 encoded version of the copied text. But further testing has found that all that is required to populate the data is to copy the text. No pasting is required.

 

How long does it stick around?

Looking at the Timeline database in Figure 15 below, we can see that each Activity has a Start Time and an Expiration Time. If we look at the difference between them, it always exactly 12 hours. And we know that Activities are deleted from the db on expiration. Putting this together means that copied text will stick around in the db for 12 hours and then be deleted.

 

Figure 15

 

Is Clipboard data stored anywhere else?

After scouring the Timeline db for the 2004 machine, I found no other places that the Clipboard data was stored. However, knowing that different versions of Windows behave differently, I looked at the 1809 machine too, and found that for Activity Type 10, the Payload field holds a copy of the Clipboard Payload data. Take a look below at Figure 16 below from the 1809 machine where the Payload content in the bottom right panel matched the Clipboard Payload.

 

Figure 16

 

But in Figure 17 below from the 2004 machine, the Payload field is empty.

 

Figure 17

 

There is also some evidence that clipboard data may be stored outside of the timeline, but that is beyond the scope of today’s analysis.

 

Is it only text that is stored?

When we look at the Payload in Figure 16 above, we can see that the formatName is “text.” This implies that there could possibly be non-text data stored in the Payload and therefore Clipboard Payload fields. There are even several sources (see reference below) that say that the Cloud Clipboard handles text and images. Unfortunately, I have tried several methods to get an image to sync via the Clipboard Cloud Sync, or in the Timeline db and have not been able to make it happen. Maybe it’s a function that will work in the future? Or there’s some configuration to toggle? Or I just didn’t “do it right?”

 

Now that we have learned a bit more about the behavior of the Timeline and answered some burning questions about its interaction with Clipboard data, it’s time to wrap this installment up. Hope you enjoyed, and happy hunting!

 

References

Below are a ton of references I’ve gathered for this who would like to dig deeper into the Timeline.

Forensic Analysis of Timeline, Clipboard History and More

*** Definitely go see all the info and tools from Costas Katsavounidis here:

[1] Costas: https://github.com/kacos2000/WindowsTimeline

Forensic Analysis of Clipboard History

[2] https://thinkdfir.com/2018/10/14/clippy-history/

General Clipboard Information

[3] https://www.howtogeek.com/351978/using-windows-10s-new-clipboard-history-and-cloud-sync/

[4] https://community.windows.com/en-us/stories/cloud-clipboard-windows-10

[5] https://www.bleepingcomputer.com/news/microsoft/microsoft-introduces-a-redesigned-windows-clipboard-experience/

Videos from MS

[6] https://channel9.msdn.com/events/Build/2017/B8108

[7] https://channel9.msdn.com/Events/Windows/Windows-Developer-Day-Fall-Creators-Update/WinDev011

[8] https://channel9.msdn.com/Events/Connect/2017/B111

Some Timeline Database Field Descriptions

[9] https://docs.microsoft.com/en-us/uwp/api/windows.applicationmodel.useractivities.useractivity?view=winrt-19041

The Developer Perspective

Activity

[10] https://docs.microsoft.com/en-us/graph/api/resources/projectrome-activity?view=graph-rest-1.0

History Item

[11] https://docs.microsoft.com/en-us/graph/api/resources/projectrome-historyitem?view=graph-rest-1.0

[12] https://docs.microsoft.com/en-us/windows/uwp/launch-resume/useractivities

Project Rome

[13] https://github.com/Microsoft/project-rome

Graph API

[14] https://developer.microsoft.com/en-us/graph

BBT Webinars and Blog Posts

https://www.cellebrite.com/en/webinars/windows-10-activity-timeline-an-investigators-gold-mine/

https://www.blackbagtech.com/blog/exploring-the-windows-activity-timeline-part-1-the-high-points/

https://www.blackbagtech.com/blog/exploring-the-windows-activity-timeline-part-2-synching-across-devices/

BlackBag Research Team