Update local-cloud-storage.md
parent dbc6540ab4
commit cc0b5e6c34
|
@ -26,8 +26,7 @@ Through Security Skills as a Service, we help organizations to **defend against
|
|||
|
||||
## OneDrive
|
||||
|
||||
In Windows you can find the OneDrive folder in `\Users\<username>\AppData\Local\Microsoft\OneDrive`\
|
||||
And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
|
||||
In Windows, you can find the OneDrive folder in `\Users\<username>\AppData\Local\Microsoft\OneDrive`. And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
|
||||
|
||||
* Size in bytes
|
||||
* Creation date
|
||||
|
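Review bot: The merged OneDrive line still opens its second sentence with "And inside `logs\Personal` it's possible to find...", which reads as a fragment now that both sentences share one line. Consider "Inside `logs\Personal` you can find `SyncDiagnostics.log`, which contains the following data about the synchronized files:" and dropping "some interesting data", since the bullet list that follows already says what the data is.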
@ -38,22 +37,20 @@ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log`
|
|||
* Report generation time
|
||||
* Size of the HD of the OS
|
||||
|
||||
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\<CID>.ini**_ and _**\<CID>.dat**_ that may contain interesting information like the names of files syncronized with OneDrive.
|
||||
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\<CID>.ini**_ and _**\<CID>.dat**_ that may contain interesting information like the names of files synchronized with OneDrive.
|
||||
|
||||
## Google Drive
|
||||
|
||||
In Widows you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
|
||||
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
|
||||
Even deleted files appears in that log file with it's corresponding MD5.
|
||||
In Windows, you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
|
||||
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files, etc. Even deleted files appear in that log file with its corresponding MD5.
|
||||
|
||||
The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**\
|
||||
In this table you can find: the **name** of the **synchronized** **files**, modified time, size, MD5 checksum of the files.
|
||||
The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**. In this table you can find the **name** of the **synchronized** **files**, modified time, size, and the MD5 checksum of the files.
|
||||
|
||||
The table data of the database **`Sync_config.db`** contains the email address of the account, path of the shared folders and Google Drive version.
|
||||
The table data of the database **`Sync_config.db`** contains the email address of the account, the path of the shared folders and the Google Drive version.
|
||||
|
||||
## Dropbox
|
||||
|
||||
Dropbox uses **SQLite databases** to mange the files. In this\
|
||||
Dropbox uses **SQLite databases** to manage the files. In this\
|
||||
You can find the databases in the folders:
|
||||
|
||||
* `\Users\<username>\AppData\Local\Dropbox`
|
||||
|
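Review bot: The replacement Dropbox line fixes "mange" but keeps the dangling fragment and trailing backslash, "to manage the files. In this\", so the sentence still stops mid-thought before "You can find the databases in the folders:"; either finish the sentence or delete "In this\". In the same hunk, the new Google Drive path line keeps its trailing `\` while the OneDrive line was changed to end with a period, "Even deleted files appear in that log file with its corresponding MD5" should read "their corresponding MD5", and `Sync_log.log` is the only file name here without code formatting.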
@ -69,7 +66,7 @@ And the main databases are:
|
|||
|
||||
The ".dbx" extension means that the **databases** are **encrypted**. Dropbox uses **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN))
|
||||
|
||||
In order to understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
|
||||
To understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
|
||||
|
||||
However, the main information is:
|
||||
|
||||
|
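Review bot: The reworded line "To understand better the encryption that Dropbox uses you can read" still has awkward word order; "To better understand the encryption Dropbox uses, read" is shorter and clearer. The DPAPI sentence just above it ends on the link with no period, and both links use the raw URL as their link text, which would be worth fixing in the same pass.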
@ -78,7 +75,7 @@ However, the main information is:
|
|||
* **Algorithm**: PBKDF2
|
||||
* **Iterations**: 1066
|
||||
|
||||
Apart from that information, in order to decrypt the databases you still need:
|
||||
Apart from that information, to decrypt the databases you still need:
|
||||
|
||||
* The **encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary)
|
||||
* The **`SYSTEM`** and **`SECURITY`** hives
|
||||
|
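Review bot: "Apart from that information" in the changed line has no clear referent once it is read on its own; naming what it refers to, for example "In addition to the algorithm and iteration count above, to decrypt the databases you still need:", would help. The list under it is also uneven: the DPAPI key item says where to find the value, while the `SYSTEM` and `SECURITY` hives item gives no location or purpose, so a short clause on each would make the requirements easier to follow.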
@ -107,14 +104,14 @@ The **`config.dbx`** database contains:
|
|||
|
||||
The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
|
||||
|
||||
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client) .
|
||||
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client).
|
||||
* **local\_sjid**: Version of the file
|
||||
* **local\_mtime**: Modification date
|
||||
* **local\_ctime**: Creation date
|
||||
|
||||
Other tables inside this database contain more interesting information:
|
||||
|
||||
* **block\_cache**: hash of all the files and folder of Dropbox
|
||||
* **block\_cache**: hash of all the files and folders of Dropbox
|
||||
* **block\_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal`
|
||||
* **mount\_table**: Share folders of dropbox
|
||||
* **deleted\_fields**: Dropbox deleted files
|
||||
|
|
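Review bot: Table and column names are cased inconsistently in this hunk: the prose says `File_journal` while the `block_ref` item says `file_journal`, and `Server_path` is capitalized next to `local_sjid`, `local_mtime` and `local_ctime`. Please check them against the actual schema and use one form in code formatting. Since this commit is a grammar pass, the untouched neighbours deserve the same treatment: "Related the hash ID of the table" should be "Relates the hash ID in the table ... to the file ID", "Share folders of dropbox" should be "Shared folders of Dropbox", and "the one with more useful information" should be "the one with the most useful information".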