Clipboard
Overview
Evidence: Clipboard
Description: Collect Clipboard Contents
Category:
Platform: windows
Short Name: clp
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Windows clipboard is a system-wide buffer that temporarily stores data during cut, copy, and paste operations. Applications can place data on the clipboard in multiple formats simultaneously (e.g., text, HTML, images, files).
Clipboard contents can provide valuable forensic evidence about user activity, including copied passwords, URLs, file paths, images, and other sensitive data that was recently copied or cut.
Data Collected
This collector gathers structured data about the clipboard contents.
Clipboard Data
| Field | Description | Example |
|---|---|---|
| FormatName | Clipboard format type | CF_UNICODETEXT |
| FormatID | Numeric format identifier | 13 |
| FilePath | Path to saved clipboard data | Clipboard/1.CF_UNICODETEXT(13).txt |
| FileSize | Size of clipboard data | 256 |
Collection Method
This collector:
- Opens the system clipboard
- Enumerates all available clipboard formats
- Retrieves data for each format
- Saves each format to a separate file with appropriate extension
Supported formats include:
- Text formats (CF_TEXT, CF_UNICODETEXT, CF_OEMTEXT)
- Image formats (CF_BITMAP, CF_DIB, CF_DIBV5, CF_TIFF)
- File lists (CF_HDROP)
- Custom application formats
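
For triaging the collector's output, the sketch below (an added example, not part of the product or its documentation) parses the `FilePath` naming shown in the table, cross-checks `FormatName` against `FormatID` using the standard Win32 format IDs, and decodes text payloads. It assumes the path layout generalizes from the single example above, that saved text files hold the raw clipboard bytes, and that CF_TEXT and CF_OEMTEXT use code pages 1252 and 437; all function names are hypothetical.

```python
import re

# Standard clipboard format IDs defined by the Win32 API (winuser.h).
STANDARD_FORMATS = {
    1: "CF_TEXT", 2: "CF_BITMAP", 6: "CF_TIFF", 7: "CF_OEMTEXT",
    8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP", 17: "CF_DIBV5",
}
CATEGORIES = {"text": {1, 7, 13}, "image": {2, 6, 8, 17}, "file_list": {15}}
# Assumption: layout inferred from the one example path in the table.
PATH_RE = re.compile(r"^Clipboard/(\d+)\.(.+)\((\d+)\)\.(\w+)$")
# Record built from the "Example" column of the table.
SAMPLE = {"FormatName": "CF_UNICODETEXT", "FormatID": 13,
          "FilePath": "Clipboard/1.CF_UNICODETEXT(13).txt", "FileSize": 256}


def parse_file_path(file_path):
    """Split a FilePath value into index, format name, format ID, extension."""
    m = PATH_RE.match(file_path)
    if not m:
        raise ValueError(f"unexpected FilePath layout: {file_path!r}")
    index, name, fmt_id, ext = m.groups()
    return {"index": int(index), "name": name, "id": int(fmt_id), "ext": ext}


def classify(fmt_id):
    """Map a format ID to the groups listed under 'Supported formats'."""
    for category, ids in CATEGORIES.items():
        if fmt_id in ids:
            return category
    # RegisterClipboardFormat hands out IDs in 0xC000-0xFFFF.
    return "custom" if 0xC000 <= fmt_id <= 0xFFFF else "other"


def check_record(record):
    """Return inconsistencies between the fields of one collected record."""
    problems = []
    parsed = parse_file_path(record["FilePath"])
    if (parsed["name"], parsed["id"]) != (record["FormatName"], record["FormatID"]):
        problems.append("FilePath does not match FormatName/FormatID")
    expected = STANDARD_FORMATS.get(record["FormatID"])
    if expected and expected != record["FormatName"]:
        problems.append(f"ID {record['FormatID']} is {expected}")
    return problems


def decode_text(fmt_id, data):
    """Decode a text payload (assumed raw clipboard bytes) up to the first NUL."""
    encoding = {13: "utf-16-le", 1: "cp1252", 7: "cp437"}[fmt_id]
    return data.decode(encoding, errors="replace").split("\x00", 1)[0]
```
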
Forensic Value
Clipboard contents can reveal critical evidence about user actions immediately before system acquisition. Investigators can recover copied passwords, URLs visited, file paths accessed, sensitive document excerpts, and data prepared for exfiltration. This evidence is particularly valuable in data theft investigations, insider threat cases, and scenarios involving credential theft.