Document Type

Article

Publication Date

8-2011

Abstract

When attempting to reconstruct the events leading up to a cyber security incident, one potentially important piece of information is the clipboard (Prosise et al., 2003). The clipboard has been present in Windows since Windows 3.1 and is the mechanism for transferring information from one application to another through copy and paste actions. Being able to retrieve the last file copied or the last password used may provide investigators with invaluable information during a forensic investigation. This paper describes the Windows clipboard structure and the process of retrieving copy/paste information from Windows XP, Vista, and Windows 7 (both 32-bit and 64-bit) memory captures with data from applications including Notepad, Microsoft Word, and Microsoft Excel.

Comments

Sourced from the version of record at ScienceDirect:
Okolica, J. S., & Peterson, G. L. (2011). Extracting the windows clipboard from physical memory. Digital Investigation, 8, S118–S124. https://doi.org/10.1016/j.diin.2011.05.014

This is an open access article under the terms of the Creative Commons Attribution‐NonCommercial‐NoDerivs International License (CC BY-NC-ND 4.0), which permits use and distribution in any medium, provided the original work is properly cited, the use is non‐commercial and no modifications or adaptations are made. https://creativecommons.org/licenses/by-nc-nd/4.0/

The publisher embargo for this journal was observed.

This article appeared in the Supplement issue to volume 8 of Digital Investigation.

DOI

10.1016/j.diin.2011.05.014

Source Publication

Digital Investigation
