Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
[Update Log]
MD5: 8551BD916973919503978168147CD4AB SHA256: DC57AB744335A3F4EE0B499BDFF72F5D4B31D2D1C3979C3BBF4A7EAE82456576
Update :
MD5: F5416897612BFD3CEEC13808FE524E20 SHA256: 87AF5824E86C20F13E6D45595E98801A63D2FF9AF4DED011066DF754652F5780
[Update Log]
[Change Log]
Update : - Minor GUI fixes (e.g. dpi scaling) - Some other minor fixes/updates
- Retrieves (carves) current & deleted Clipboard text entries from an ActivitiesCache db or db-wal file.
- Displays offset of entry in the file & decoded text
- Allows Copy of a selection or all of the results
- Allows export to "|" separated CSV
Example:
- WindowsTimeline.exe: 15 clipboard text entries (SQLite query)
- ClipboardTextEntries.exe: 224 from the db & 19 from the db-wal
Update : - Minor GUI fixes (e.g. dpi scaling)
Note: Duplicate entries could indicate that the clipboard text was in both 'Payload' & 'ClipboardPayload' fields. Typically this occurs in synced entries, but this is not confirmed 100%.
* Added Search option in Clipboard Text carver window to search the 'Copied Text' entries
* Added Search option in Application Execution list window to search both 'Application' & 'Description' entries
Update : - Added the option to search copied text items via a Search box:
Note: Above 'availability' depends on the dB/registry entries