Document Type


Publication Date



When attempting to reconstruct the events leading up to a cyber security incident, one potentially important piece of information is the clipboard (Prosise et al., 2003). The clipboard has been present in Windows since Windows 3.1 and is the mechanism for transferring information from one application to another through copy and pasting actions. Being able to retrieve the last file copied or the last password used may provide investigators with invaluable information during a forensic investigation. This paper describes the Windows clipboard structure and the process of retrieving copy/paste information from Windows XP, Vista, and Windows 7 (both 32 bit and 64 bit) memory captures with data from applications including Notepad, Microsoft Word, and Microsoft Excel.


Sourced from the version of record at ScienceDirect:
Okolica, J. S., & Peterson, G. L. (2011). Extracting the windows clipboard from physical memory. Digital Investigation, 8, S118–S124.

This is an open access article under the terms of the Creative Commons Attribution‐NonCommercial‐NoDerivs International License (CC BY-NC-ND 4.0), which permits use and distribution in any medium, provided the original work is properly cited, the use is non‐commercial and no modifications or adaptations are made.

The publisher embargo for this journal was observed.

This article appeared in the Supplement issue to volume 8 of Digital Investigation.



Source Publication

Digital Investigation