
Cloud Forensics: Google Drive


We decided to continue our cloud forensics series, but focus on more popular desktop applications; this time it’s going to be Google Drive for Windows. We will divide the post into a few parts, each focusing on a different source of potential digital evidence: the file system, the registry, SQLite databases and web-browsing history.

File system

The most trivial part – the goal is to find the location of the folder being synced with the cloud. By default, it’s C:\Users\%username%\Google Drive:

Figure 1. The contents of Google Drive folder

Of course, users may change the default location of this folder. Next, we will show how to find the Google Drive folder using registry forensics.

Registry

As always, the Windows registry contains a bunch of valuable information from a forensic point of view. First, let’s find out whether the sync process starts automatically at user login by looking at Software\Microsoft\Windows\CurrentVersion\Run (NTUSER.DAT):

Figure 2. Software\Microsoft\Windows\CurrentVersion\Run contents

As you can see, just like in many other cloud apps, the Google Drive sync process starts automatically at user login.

To find out where application-related artifacts are stored, let’s look at Software\Google\Drive (NTUSER.DAT):

Figure 3. Google Drive related artifacts location

As you can see, we are going to find app-related information, including SQLite databases, under C:\Users\0136\AppData\Local\Google\Drive.

SQLite databases

Under C:\Users\0136\AppData\Local\Google\Drive you’ll find another folder – user_default. This folder contains a bunch of valuable SQLite databases, for example, sync_config.db and snapshot.db.

Let’s start with sync_config.db. This database contains only one table, data, but it’s full of valuable info: for example, here you can find the Google account name and the location of the Google Drive folder, which is quite important if the user changed the default location.

Let’s look at the second database, snapshot.db, and its local_entry table. Here we have file names, their sizes, modified timestamps and even MD5 hashes! Let’s write a simple query to make these pieces of data even more readable:

Figure 4. Data extracted from local_entry table via SQL query

Of course, if you dig deeper, you can find more case-related artifacts in this database, so we recommend you keep researching.

Web-browsing history

There are quite a lot of popular web browsers nowadays, but this time we’ll focus on Google Chrome. You can find an SQLite database with browsing history under C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default. It’s called History. And yes, it has no extension, but you can still open it with your SQLite browser of choice. Google Drive URLs usually start with “drive.google.com”, so let’s write another query to extract data from the urls table:

Figure 5. Extracting Google Drive related artifacts from Google Chrome’s History database
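The two queries described above, as an added example that is not part of the original post: the script runs them against constructed in-memory stand-ins for snapshot.db and Chrome’s History, turning the Unix-epoch modified column and Chrome’s WebKit-epoch last_visit_time into readable UTC. The local_entry column names (filename, size, modified, checksum, is_folder) are assumptions to check against the client build you examine; the urls columns are Chrome’s standard ones.

```python
import sqlite3

# snapshot.db, local_entry table: column names are assumed (older Google Drive
# clients); confirm with PRAGMA table_info(local_entry). modified is Unix epoch seconds.
LOCAL_ENTRY_SQL = """
SELECT filename, size, datetime(modified, 'unixepoch') AS modified_utc, checksum
FROM local_entry WHERE is_folder = 0 ORDER BY modified
"""

# Chrome History, urls table: last_visit_time is WebKit time (microseconds since
# 1601-01-01 UTC); 11644473600 s separate that epoch from the Unix epoch.
DRIVE_HISTORY_SQL = """
SELECT url, title, visit_count,
       datetime(last_visit_time / 1000000 - 11644473600, 'unixepoch') AS last_visit_utc
FROM urls WHERE url LIKE '%://drive.google.com/%' ORDER BY last_visit_time
"""

def run_query(db, sql):
    """db is a path to a copy of the evidence file (opened read-only) or a connection."""
    conn = db if isinstance(db, sqlite3.Connection) else \
        sqlite3.connect(f"file:{db}?mode=ro", uri=True)
    return conn.execute(sql).fetchall()

def build_samples():
    """Constructed in-memory stand-ins for snapshot.db and History (not real evidence)."""
    snap = sqlite3.connect(":memory:")
    snap.execute("CREATE TABLE local_entry (inode_number INTEGER, filename TEXT, "
                 "modified INTEGER, checksum TEXT, size INTEGER, is_folder INTEGER)")
    snap.executemany("INSERT INTO local_entry VALUES (?,?,?,?,?,?)", [
        (1, "Google Drive", 1496990000, None, 0, 1),
        (2, "report.docx", 1497000000, "9e107d9d372bb6826bd81d3542a419d6", 14336, 0),
    ])
    hist = sqlite3.connect(":memory:")
    hist.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, "
                 "hidden INTEGER)")
    hist.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://drive.google.com/drive/my-drive", "My Drive - Google Drive",
         3, 1, 13141477200000000, 0),
        (2, "https://www.example.com/", "Example", 1, 0, 13141470000000000, 0),
    ])
    return snap, hist

if __name__ == "__main__":
    snap, hist = build_samples()
    for row in run_query(snap, LOCAL_ENTRY_SQL) + run_query(hist, DRIVE_HISTORY_SQL):
        print(row)
```

The two SQL strings can be pasted as-is into a SQLite browser; work on a copy of History, since a running Chrome keeps the live file locked.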

As you can see, a lot of good host-based forensic artifacts can be found. Of course, this isn’t the whole list: page or swap files, RAM, and some other parts of the file system and registry may contain many more artifacts, but these are a good place to start!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
