Since our last blog we have finished gathering data for Google Drive, SkyDrive, and Dropbox. So far we have only analyzed Dropbox and SkyDrive artifacts. Initially we had several hundred thousand results to comb through. Dropbox totaled 193,059 events; SkyDrive totaled 295,037 events; Google Drive totaled 270,107 results. In the end, we were able to narrow them down to only a few hundred artifacts that were definitely related to Dropbox and SkyDrive.
So how did we get these results? We downloaded, installed, and setup each cloud service, uploaded a predefined set of files, moved and copied these files within the desktop application folder for each cloud service, opened these files, and then deleted some of them, all in separate virtual machines. Finally, we unlinked each of the accounts and uninstalled the applications. During this entire process we used Process Monitor, real-time file system and monitoring tool, to record file system and registry activity.
From here we needed to narrow these results down, so that we could be able to effectively analyze the data. We decided to make a master list for each service, which would consist of files and registry entries that we know are related to their respective cloud services. For example with Dropbox, there were 193,059 results. We did not have time to comb through all of these individually to see if they related to Dropbox, as we didn’t have enough time or man power. There were many repeated results for the same file/path, so we used excel to narrow these results to 4,910 unique results using filters. We decided that 4,910 results were still too many results to parse for the time allotted to us, so to further narrow down these results, we only included files/paths that contained the word “dropbox”. After narrowing down the results we were left with only 255 results. We did this for the other two cloud services and we were able to get the results down to a manageable number.
We then opened a case in FTK 4.1 for Dropbox and SkyDrive and added images from each of the VM’s. Within the case, we looked for the files from the narrowed down results by manually searching for them. We were able to locate some of these results, but many of them turned out to be encrypted. At this point we are continuing to analyze the results from all three cloud services. Additionally, we would like to use Magnet Forensics Dropbox Decryptor to decrypt the encrypted Dropbox files.
Dropbox Decryptor is a free tool which can be found here: http://info.magnetforensics.com/dropbox-decryptor
-Nick Murray, Maegan Katz