Home Articles Cloud Forensics: Box

Cloud Forensics: Box


It seems we really enjoy forensicating desktop apps for cloud services. Last week we started from really secure cloud service app – Mega. This time we are going to continue with another, much more forensically friendly app, – Box.

So Box is a popular enterprise content management platform, but, of course, can be used by regular users for managing content in the cloud. Why do we say it’s much more forensically friendly? You will know the answer by the end of this post.

Just like many other cloud services desktop apps, Box creates a folder in C:\Users\%USERNAME% named Box, but it’s not like regular folder, it’s a virtual one, a mount point. So if you quit the app, the folder will be unavailable. If you look at the folder via Windows Explorer, you will see LNK icon on it. Let’s use LECmd and learn more about it.

Figure 1. Box LNK file processed with LECmd

Oops, seems it doesn’t work. O-o-ok, let’s look at the file (?) with a hex viewer. We are going to use AccessData FTK Imager:

Figure 2. Box file opened in FTK Imager’s hex viewer

What we see is volume’s GUID. It starting to become very interesting, let’s launch Registry Explorer and search for the GUID we found in the registry:

Figure 3. Volume GUID found in registry

As you can see, a volume with GUID {9e0f0c0a-454b-11e8-8685-9cb6d007204c} is mounted under \DosDevices\C:\Users\0136\Box, so yes, it’s not an LNK file, it’s a mount point. But why is it a device and not just a folder? As you might already noticed, there is “cbfs6” in the key path, it means that we are dealing with Callback File System. This file system presents any kind of data as virtual files and folders, hiding real data location from the end-user. It means, that even if you image the whole disk bit-by-bit you won’t get the contents of this volume.

So if you are dealing with a live machine, make sure you have imaged the contents of this virtual folder. Here is how to do it with FTK Imager:

  1. Go to File – Create Disk Image…
  2. Choose Contents of a Folder
  3. Use C:\Users\%USERNAME%\Box as the source path
  4. Click Add…
  5. Fill-in Evidence Item Information
  6. Select Image Destination Folder, its name, fragmentation, compression and encryption (if nesessary).
  7. Click Finish and start acquisition process

You’ll get an AD1 containers with all files and subfolders of the Box, and, of course, hashes.

Despite the fact Box is using Callback File System, it’s quite forensically friendly. Let’s look at it’s logging capabilities, going to C:\Users\%USERNAME%\AppData\Local\Box\Box\logs:

Figure 4. C:\Users\%USERNAME%\AppData\Local\Box\Box\logs contents

As you can see, there are a lot of logs in the folder. Most interesting log files are those strating from Box_Streem. These files log everything happening with the files in the virtual folder. Here is an excerpt from such log:

Figure 5. An exerpt from Box_Streem_0_2018-04-21.log

Box_Streem logs every user’s action very thoroughly. And, of course, you can find information about previously existed files in the log:

Figure 6. An exerpt from Box_Streem_0_2018-04-21.log

Let’s go to another folder, this time to C:\Users\%USERNAME%\AppData\Local\Box\Box\data:

Figure 7. C:\Users\%USERNAME%\AppData\Local\Box\Box\data contents

Here we have a CA certificate in PEM format, a bunch of SQLite databases and a TXT file with our virtual folder path – C:\Users\0136\Box.

Let’s look at the most interesting databases. Do you still remember what log files were the most interesting? Yes, those starting with Box_Streem. Same here: the most interesting database is streemfs.db. First let’s look at fsnodes table:

Figure 8. fsnodes table contents

Here we have lots of interesting columns:

  • name – conatins file names
  • createdAtTimestamp – creation time in Unix format
  • modifiedAtTimestamp – modification time in Unix format
  • accessedAtTimestamp – access time in Unix format
  • inodeId – inode identifier

Let’s look at another table – cachefiles:

Figure 9. cachefiles table contents

Here we have the same inode identifiers, but what’s in cacheDataId column? Let’s go to C:\Users\%USERNAME%\AppData\Local\Box\Box\cache folder:

Figure 10. C:\Users\%USERNAME%\AppData\Local\Box\Box\cache contents

Do you remember we created an AD1 container with our virtual folder contents? Let’s look at its contents:

Figure 11. AD1 container contents

If you look at file sizes, you’ll notice, that they match the sizes of cached files. What does it mean? We still can recover the contents of Box files, even if Callback File System isn’t mounted.

Let’s write a SQL query to get data we need in an easy readable format:

Figure 12. A SQL query used to gather info from two tables of interest

As you can see, Box is much more forensically friendly cloud service application. Great logging and caching capabilities will help forensicators a lot in their digital examinations.

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.

Load More Related Articles
  • Cloud Forensics: pCloud Drive

    We continue our unforgetable journey to the world of cloud forensics. This time we are goi…
  • Cloud Forensics: Analyzing MEGASync

    Nowadays almost everybody have an account at this or that cloud service. Dropbox, One Driv…
  • Windows 10 Time Rules

    Timestamps play a very important role in many digital forensic examinations, so it’s…
Load More In Articles

Leave a Reply

Your email address will not be published. Required fields are marked *