Windows Forensics. AppData Cache analysis using sqlite3reader

Each server administrator copies some data in clipboard while doing configuration. This is why cache analysis or I context of the article clipboard forensics may bring unexcepted interesting information. It work another way, threat analytic should consider using clipboard analysis performing regular or, in bad scenario, post mortem investigation. Our sqlite3reader was developed to make such investigation easy.

To provide a quick analysis , I will leverage nice and obsoletely free to use TexSAW 2023 CTF. Just login and download zip file with AppData folder from “Ghost in the Clipboard” challenge. Let’s unzip and look inside. We could provide basic forensics manually, but I preferer my own sqlite3reader.

Pull latest and run SCAN MODE:

$ python3 sqlite3reader.py --dir <path>
sqlite3reader

Since the Window 10, a payloads are cached in %AppData%\Local\ConnectedDevicesPlatform\ActivitiesCache.db. Let’s dig deeper and look inside.

Option 1 (manual with sqlbrowser GUI)

Install sqlbrowser tools first. I already have one preinstalled as part of Kali Linux distribution. After a few minutes, I found two interesting table here: Activity and ActivityOperations. Each contains latest payloads in [Payload] column and clipboard data encoded to base64 in [ClipboardPayload]:

Doing simple copy/past and decode from base64, I are getting flag.

Option 2 (sqlite3reader CLI)

Easy? Yes, but what if in real world we need some specific information which is hidden somewhere deeper. Let’s use sqlite3reader, copy path to ActvitiesCache.db from previous run and execute in VERBOSE MODE:

$ python3 sqlite3reader.py -f '/home/kali/Downloads/Ghost in the Clipboard/AppData/Local/ConnectedDevicesPlatform/4f406c0d314b1399/ActivitiesCache.db' -v

It shows a content to further analysis. After quick review, I found a few tables *cache*. Another, way to do so is just leverage SEARCH MODE:

$ python3 sqlite3reader.py -f '/home/kali/Downloads/Ghost in the Clipboard/AppData/Local/ConnectedDevicesPlatform/4f406c0d314b1399/ActivitiesCache.db' -s payload 

A tons of interesting information there: GDPR info, reporting, latest user activities, so many amazing stuff. Now, try to look for ‘clipboard’ in context of CTF:

$ python3 sqlite3reader.py -f '/home/kali/Downloads/Ghost in the Clipboard/AppData/Local/ConnectedDevicesPlatform/4f406c0d314b1399/ActivitiesCache.db' -s clipboard

Found it! As we already know, the flag is encoded in base64, so use -d option to display human understandable data:

$ python3 sqlite3reader.py -f '/home/kali/Downloads/Ghost in the Clipboard/AppData/Local/ConnectedDevicesPlatform/4f406c0d314b1399/ActivitiesCache.db' -s clipboard -d

I showed you a simple way find a payload and clipboard data using Python tool like sqlite3reader. There a coupled of another ways to do so like memory forensics or clipboard history folder. Of course. there are limitations and some methods might be suitable in one case and doesn’t in specific situations.

I hope, it was interesting post. Please follow our forensics and subscribe to get access to featured content.

Be en ethical, save your privacy!

subscribe to newsletter

and receive weekly update from our blog

By submitting your information, you're giving us permission to email you. You may unsubscribe at any time.

Leave a Comment

Discover more from #cybertechtalk

Subscribe now to keep reading and get access to the full archive.

Continue reading