Box Drive Artifacts

Location and Format

Similar to other cloud storage applications there are a few locations that you need to be aware of. - Default reparse point to virtual filesystem: - %USERPROFILE%\Box - Default local file cache: - %USERPROFILE%\AppData\Local\Box\Box\cache - File metadata and configuration data: - %USERPROFILE%\AppData\Local\Box\Box\logs - Box_streem logs - %USERPROFILE%\AppData\Local\Box\Box\data - sync.db and streemsfs.db databases that contain file metadata - Metadata: - metrics.db - contains user account information

Purpose

Box drive uses a virtual filesystem similar to Google Drive for Desktop. However, this file system is implemented as a NTFS reparse point. It also provides excellent metadata logging.

Forensic Uses

Box drive provides us with metadata for both local and cloud-only files including the SHA-1 hash. There is more detailed usage logging that is available, but it typically only goes back a few weeks. Quick Tip! You can search “logDriveInformation” within the Box_Streem logs to identify the location of the virtual filesystem folder if it is not apparent.

Box Drive Artifacts

Box Drive Artifacts

Location and Format

Purpose

Forensic Uses

Analysis Tools

Example Analysis

results matching ""

No results matching ""