Tags: forensics 

Rating: 5.0

# Ghost in the Clipboard
## Category
Forensics
## Points
250
## Description
A hacker has broken into your computer and stolen one of your passwords. You were able to extract the AppData folder as it was right after the attack took place. See if you can find out which password (the flag) they stole so you can change it before any damage is done.
## Solution
Clipboard history in Windows is stored within a database file inside the AppData folder. Navigate to AppData > Local > ConnectedDevicesPlatform > 4f406c0d314b1399 and open the ActivitiesCache.db file using DB Browser for SQLite, or a similar program. Within the database file, only one entry has contents in the ClipboardPayload section, which the flag base64 encoded.
## Flag
texsaw{th1s_1s_th3_fl4g}
## Hint
You had clipboard history turned on in windows at the time of the attack. Perhaps the attacker copied the password?