We decided to continue our cloud forensics series, but focus on more popular desktop applications, this time it’s going to be Google Drive for Windows. We will divide the post into a few parts, focusing on different sources of potential digital evidence: file system, registry, SQLite databases and web-browsing history.
Let's start with the most trivial part: finding the location of the folder that is synced with the cloud. By default, it's C:\Users\%username%\Google Drive:
Figure 1. The contents of Google Drive folder
Of course, users may change the default location of this folder. Below, we will show how to find the Google Drive folder using registry forensics.
As always, the Windows registry contains a bunch of information that is valuable from a forensic point of view. First, let's find out whether the sync process starts automatically at user login by looking at Software\Microsoft\Windows\CurrentVersion\Run (NTUSER.DAT):
Figure 2. Software\Microsoft\Windows\CurrentVersion\Run contents
As you can see, just like many other cloud apps, the Google Drive sync process starts automatically at user login.
To find out where application-related artifacts are stored, let's look at Software\Google\Drive (NTUSER.DAT):
Figure 3. Google Drive related artifacts location
As you can see, app-related information, including SQLite databases, is stored under C:\Users\0136\AppData\Local\Google\Drive.
Under C:\Users\0136\AppData\Local\Google\Drive you’ll find another folder – user_default. This folder contains a bunch of valuable SQLite databases, for example, sync_config.db and snapshot.db.
Let's start with sync_config.db. This database contains only one table, data, but it's full of valuable info: here you can find the Google account name and the location of the Google Drive folder, which is quite important if the user changed the default location.
Let's look at the second database, snapshot.db, and its local_entry table. Here we have file names, their sizes, modified timestamps and even MD5 hashes! Let's write a simple query to make these pieces of data even more readable:
Figure 4. Data extracted from local_entry table via SQL query
Of course, if you dig deeper, you can find more case-related artifacts in this database, so we recommend that you keep researching.
There are quite a lot of popular web browsers nowadays, but this time we'll focus on Google Chrome. You can find an SQLite database with browsing history under C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default. It's called History. And yes, it has no extension, but you can still open it with your SQLite browser of choice. Google Drive URLs usually start with "drive.google.com", so let's write another query to extract data from the urls table:
Figure 5. Extracting Google Drive related artifacts from Google Chrome’s History database
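The queries behind Figure 4 (snapshot.db, local_entry) and Figure 5 (Chrome History, urls), plus the sync_config.db lookup from the section above, as an added example that is not code from the original post. It runs the queries against constructed in-memory copies of the three databases so it works offline; the column names for local_entry (filename, modified, checksum, size) and the key names in sync_config.db (user_email, local_sync_root_path) are assumptions taken from public write-ups, and the snapshot.db modified field is assumed to be Unix epoch seconds. Chrome's urls table stores last_visit_time as microseconds since 1601-01-01, which is why the conversion subtracts 11644473600 seconds.

```python
# Added example, not code from the original post: SQLite queries for the
# Google Drive and Chrome artifacts discussed above, run against constructed
# in-memory copies of the databases so the script works offline.
import sqlite3
from pathlib import Path

# Seconds between 1601-01-01 (WebKit/Chrome epoch) and 1970-01-01 (Unix epoch).
WEBKIT_TO_UNIX_SECONDS = 11644473600


def open_evidence_db(path):
    """Open an SQLite file read-only so the evidence copy is never modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def drive_sync_root(conn):
    """sync_config.db: account name and sync folder from the 'data' key/value table.
    Assumption: the keys are named user_email and local_sync_root_path."""
    sql = """SELECT entry_key, data_value FROM data
             WHERE entry_key IN ('user_email', 'local_sync_root_path')"""
    return dict(conn.execute(sql).fetchall())


def drive_local_entries(conn):
    """snapshot.db: local_entry rows as (filename, modified_utc, size, md5).
    Assumption: 'modified' holds Unix epoch seconds, 'checksum' the MD5 hex digest."""
    sql = """SELECT filename, datetime(modified, 'unixepoch'), size, checksum
             FROM local_entry ORDER BY modified DESC"""
    return conn.execute(sql).fetchall()


def chrome_drive_visits(conn):
    """Chrome History: urls rows pointing at drive.google.com, with the WebKit
    timestamp (microseconds since 1601-01-01) converted to a UTC string."""
    sql = """SELECT url, title, visit_count,
                    datetime(last_visit_time / 1000000 - ?, 'unixepoch')
             FROM urls WHERE url LIKE '%drive.google.com/%'
             ORDER BY last_visit_time DESC"""
    return conn.execute(sql, (WEBKIT_TO_UNIX_SECONDS,)).fetchall()


# --- constructed sample data (not real evidence) ---------------------------

def sample_sync_config_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (entry_key TEXT, data_key TEXT, data_value TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", [
        ("user_email", "value", "user@example.com"),
        ("local_sync_root_path", "value", r"D:\Evidence\Google Drive"),
        ("highest_app_version", "value", "1.0.0"),
    ])
    return conn


def sample_snapshot_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, "
                 "modified INTEGER, checksum TEXT, size INTEGER)")
    conn.executemany("INSERT INTO local_entry VALUES (?, ?, ?, ?, ?)", [
        (1, "notes.txt", 1451520000, "0" * 32, 512),       # 2015-12-31 00:00:00 UTC
        (2, "report.docx", 1451606400, "f" * 32, 12345),   # 2016-01-01 00:00:00 UTC
    ])
    return conn


def sample_history_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, "
                 "hidden INTEGER)")
    # Same instant (2016-01-01 00:00:00 UTC) expressed as a WebKit timestamp.
    webkit_ts = (1451606400 + WEBKIT_TO_UNIX_SECONDS) * 1_000_000
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, "https://drive.google.com/drive/my-drive", "My Drive - Google Drive", 7, 2, webkit_ts, 0),
        (2, "https://example.com/", "Example Domain", 1, 1, webkit_ts, 0),
    ])
    return conn


if __name__ == "__main__":
    print(drive_sync_root(sample_sync_config_db()))
    for row in drive_local_entries(sample_snapshot_db()):
        print(row)
    for row in chrome_drive_visits(sample_history_db()):
        print(row)
```

Against a real case, pass the query functions a connection from open_evidence_db pointed at the copies of sync_config.db and snapshot.db under the user_default folder and at Chrome's History file; the read-only URI open keeps the evidence files unchanged, and the timestamp strings come back in UTC, so convert to the local time zone of the machine under examination only at the reporting stage.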
As you can see, there are a lot of good host-based forensic artifacts to be found. Of course, this isn't the whole list: page and swap files, RAM, and other parts of the file system and registry may contain many more artifacts, but these are a good place to start!