Forensic Quick Wins With EventTranscript Microsoft Windows

EventTranscript.db contains many events of varying interests to DFIR examiners. Some of the most forensically relevant Event Names explored by Kroll were prefaced with Microsoft.Windows.ClipboardHistory.Service. Within Microsoft.Windows.ClipboardHistory.Service events, the following Event Names emerged:

  • Microsoft.Windows.ClipboardHistory.Service.AddItemActivity
  • Microsoft.Windows.ClipboardHistory.Service.ClipboardActivityMonitor_ConnectedToServerProxy
  • Microsoft.Windows.ClipboardHistory.Service.ClipboardActivityMonitor_ConnectingToServerProxy
  • Microsoft.Windows.ClipboardHistory.Service.ClipboardActivityMonitor_DisconnectedFromServerProxy
  • Microsoft.Windows.ClipboardHistory.Service.ClipboardMonitor_Start
  • Microsoft.Windows.ClipboardHistory.Service.ClipboardMonitor_Stop
  • Microsoft.Windows.ClipboardHistory.Service.CopyActionDetected_Compliant
  • Microsoft.Windows.ClipboardHistory.Service.LocalContentChangeListener_DoubleCopyOptInOpportunityInfo
  • Microsoft.Windows.ClipboardHistory.Service.PasteActionDetected_Compliant
  • Microsoft.Windows.ClipboardHistory.Service.ServiceInitializationActivity
  • Microsoft.Windows.ClipboardHistory.Service.ServiceInitializationPhase2Activity
  • Microsoft.Windows.ClipboardHistory.Service.ServiceStartActivity
  • Microsoft.Windows.ClipboardHistory.Service.ServiceStopActivity
  • Microsoft.Windows.ClipboardHistory.Service.SettingCensus
  • Microsoft.Windows.ClipboardHistory.Service.UsageCensus

Research has not been conducted on most of these events yet, but Kroll identified the most forensically interesting as: Microsoft.Windows.ClipboardHistory.Service.CopyActionDetected_Compliant and Microsoft.Windows.ClipboardHistory.Service.PasteActionDetected_Compliant.

Kroll observed the CopyActionDetected_Compliant event whenever content was copied to the Windows Clipboard. Unfortunately, the event does not show the content that was copied, but it does record the application from which the content was copied. In testing, Kroll found the timestamp of this event to be consistent with when the action occurred in the testing environment, and the sourceApplicationName value to be consistently accurate.

Kroll tested a common, everyday scenario where an end user copies text from an application and pastes it elsewhere within the same application, like a text editor or an Office application. Kroll observed the following sequence of events:

  • Microsoft.Windows.ClipboardHistory.Service.CopyActionDetected_Compliant
  • Microsoft.Windows.ClipboardHistory.Service.AddItemActivity
  • Microsoft.Windows.ClipboardHistory.Service.AddItemActivity
  • Microsoft.Windows.ClipboardHistory.Service.LocalContentChangeListener_DoubleCopyOptInOpportunityInfo
  • Microsoft.Windows.ClipboardHistory.Service.PasteActionDetected_Compliant

Below is what Kroll observed within Diagnostic Data Viewer when filtering on “clipboardhistory”.

[Screenshot: Diagnostic Data Viewer filtered on “clipboardhistory” (image not reproduced)]

Another scenario that Kroll tested was one where the user has six open worksheets in Excel, and the user copies content from one worksheet to the other five in rapid succession.

[Screenshot: Diagnostic Data Viewer events for the six-worksheet Excel copy/paste scenario (image not reproduced)]

As is common with events stored within EventTranscript.db, you can pivot on the values stored within the JSON payload to reveal other events related to that item. For instance, pivoting on the itemId value reveals the following related events:

  • Microsoft.Windows.Shell.TaskFlow.DataEngine.HandleClipboardSignalInfo
  • Microsoft.Windows.ClipboardHistory.Service.AddItemActivity
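The two techniques above, reading the copy/paste events with their sourceApplicationName and pivoting on itemId, as an added Python example that is not Kroll's own tooling. It builds a constructed in-memory stand-in for EventTranscript.db; the events_persisted table layout (timestamp, full_event_name, payload) and the placement of sourceApplicationName and itemId under the payload's data object are assumptions to verify against a real database, and the FILETIME timestamp conversion is the one commonly used for this artifact.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

CLIP = "Microsoft.Windows.ClipboardHistory.Service."
COPY_EVENT = CLIP + "CopyActionDetected_Compliant"
PASTE_EVENT = CLIP + "PasteActionDetected_Compliant"
ADD_ITEM_EVENT = CLIP + "AddItemActivity"
DOUBLE_COPY_EVENT = CLIP + "LocalContentChangeListener_DoubleCopyOptInOpportunityInfo"
SIGNAL_EVENT = "Microsoft.Windows.Shell.TaskFlow.DataEngine.HandleClipboardSignalInfo"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    # EventTranscript timestamps are Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def build_sample_db():
    # Constructed stand-in for EventTranscript.db; the events_persisted layout is an
    # assumption (check the schema of your own copy before reusing these queries)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events_persisted (timestamp INTEGER, full_event_name TEXT, payload TEXT)")
    t0 = datetime(2021, 8, 23, 14, 0, 0, tzinfo=timezone.utc)
    item = "{CONSTRUCTED-ITEM-ID-0001}"  # placeholder itemId, not a real value
    rows = [  # (seconds after t0, event name, payload data) mirroring the observed copy/paste sequence
        (0, COPY_EVENT, {"sourceApplicationName": "EXCEL.EXE"}),  # constructed app name
        (1, ADD_ITEM_EVENT, {"itemId": item}),
        (1, ADD_ITEM_EVENT, {"itemId": item}),
        (2, SIGNAL_EVENT, {"itemId": item}),
        (2, DOUBLE_COPY_EVENT, {}),
        (5, PASTE_EVENT, {}),
    ]
    conn.executemany("INSERT INTO events_persisted VALUES (?, ?, ?)",
                     [(utc_to_filetime(t0 + timedelta(seconds=s)), name, json.dumps({"data": d}))
                      for s, name, d in rows])
    return conn

def clipboard_timeline(conn):
    # Copy/paste events in time order, with the source application recorded on each copy
    rows = conn.execute("SELECT timestamp, full_event_name, payload FROM events_persisted "
                        "WHERE full_event_name IN (?, ?) ORDER BY timestamp", (COPY_EVENT, PASTE_EVENT))
    return [(filetime_to_utc(ts), name.rsplit(".", 1)[1],
             json.loads(payload).get("data", {}).get("sourceApplicationName")) for ts, name, payload in rows]

def pivot_on_item_id(conn, item_id):
    # Pivot on the payload's itemId to find every event tied to that clipboard item
    rows = conn.execute("SELECT full_event_name, payload FROM events_persisted")
    return sorted({name for name, payload in rows if json.loads(payload).get("data", {}).get("itemId") == item_id})
```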

Kroll sees value in this artifact for providing potential insight into data exfiltration scenarios, where files/content from files were copied from a system and staged for exfiltration.

Forensic Quick Wins With EventTranscript.DB: Microsoft.Windows.ClipboardHistory.Service (Kroll publication, 2021-08-23, /en/insights/publications/cyber/forensically-unpacking-eventtranscript/forensic-quick-wins-with-eventtranscript-microsoft-windows)