Dropbox Artifacts

Location and Format

As with other cloud storage applications, there are a few locations that you need to be aware of.

- Default local file storage:
    - %USERPROFILE%\Dropbox
    - %USERPROFILE%\Dropbox\dropbox.cache (up to 3 days of cached data, note that it is a hidden file)
- File storage folder location:
    - SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\Dropbox!(SID)!Personal\UserSyncRoots
- File Metadata and Configuration Data:
    - %USERPROFILE%\AppData\Local\Dropbox\
        - nucleus.sqlite3, sync_history.db, and aggregation.dbx – usage and file metadata
        - v90-: filecache.dbx, config.dbx – encrypted with Windows DPAPI
        - info.json – app configuration data
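
A triage sketch for the locations listed above, added here as an example; it is not part of the original page or of any Dropbox tooling. It assumes a mounted or exported user profile directory, and the function names and the "opaque" label are this example's own. It reports which listed artifacts are present, hashes the metadata files, and checks for the plain SQLite header to separate directly readable databases from files that need decryption first.

```python
import hashlib
import sys
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of a plain SQLite file

# Paths relative to the user profile, taken from the list above.
STORAGE_DIRS = ["Dropbox", "Dropbox/dropbox.cache"]
METADATA_DIR = "AppData/Local/Dropbox"
METADATA_FILES = ["nucleus.sqlite3", "sync_history.db", "aggregation.dbx",
                  "filecache.dbx", "config.dbx", "info.json"]


def classify(path):
    """Label a file by its first bytes: 'sqlite', 'json', or 'opaque'."""
    with path.open("rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        return "sqlite"   # can be opened with any SQLite browser
    if head.lstrip()[:1] in (b"{", b"["):
        return "json"
    return "opaque"       # no known header, e.g. an encrypted .dbx


def triage(profile_root):
    """Return one row per listed artifact, present or not, under profile_root."""
    root = Path(profile_root)
    rows = []
    for rel in STORAGE_DIRS:
        rows.append({"artifact": rel, "present": (root / rel).is_dir(), "kind": "dir"})
    for name in METADATA_FILES:
        path = root / METADATA_DIR / name
        row = {"artifact": name, "present": path.is_file()}
        if row["present"]:
            # Hash before any further handling so later copies can be verified.
            row["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
            row["size"] = path.stat().st_size
            row["kind"] = classify(path)
        rows.append(row)
    return rows


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dropbox_triage.py <path to mounted user profile>")
    for row in triage(sys.argv[1]):
        print(row)
```

Run it against a read-only mount or an exported copy of the profile, not the live system, so the file timestamps are not disturbed.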

Purpose

Dropbox is one of the better-known and perhaps the most popular cloud storage solutions. It can be challenging to investigate because older versions use the Windows DPAPI to encrypt most of the metadata. In more recent versions, however, this information tends to be more readily available.

Forensic Uses

Forensically, we are able to identify metadata for files that are local, in the cloud, and deleted. There is also both a local and an online recycle bin. The online recycle bin has a retention of 30 days (personal) or 120 days (business). Unfortunately, detailed logging is only available through the Dropbox “Advanced Tier”, while consumer Dropbox provides only limited logs via the “Events” page.

Analysis Tools

pending

Example Analysis

pending
