Update local-cloud-storage.md

Taleb Qasem 2022-09-11 19:35:44 +06:00 committed by GitHub
parent dbc6540ab4
commit cc0b5e6c34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 14 deletions

@ -26,8 +26,7 @@ Through Security Skills as a Service, we help organizations to **defend against
## OneDrive
In Windows you can find the OneDrive folder in `\Users\<username>\AppData\Local\Microsoft\OneDrive`\
And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
In Windows, you can find the OneDrive folder in `\Users\<username>\AppData\Local\Microsoft\OneDrive`. And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log` which contains some interesting data regarding the synchronized files:
* Size in bytes
* Creation date
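Review bot: the merged OneDrive line still opens its second sentence with "And inside `logs\Personal` it's possible to find the file ...", which reads as a fragment now that the hard line break is gone. Suggest "Inside `logs\Personal` you can find the file `SyncDiagnostics.log`, which contains ..." with a comma before "which".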
@ -38,22 +37,20 @@ And inside `logs\Personal` it's possible to find the file `SyncDiagnostics.log`
* Report generation time
* Size of the HD of the OS
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\<CID>.ini**_ and _**\<CID>.dat**_ that may contain interesting information like the names of files syncronized with OneDrive.
Once you have found the CID it's recommended to **search files containing this ID**. You may be able to find files with the name: _**\<CID>.ini**_ and _**\<CID>.dat**_ that may contain interesting information like the names of files synchronized with OneDrive.
## Google Drive
In Widows you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files...\
Even deleted files appears in that log file with it's corresponding MD5.
In Windows, you can find the main Google Drive folder in `\Users\<username>\AppData\Local\Google\Drive\user_default`\
This folder contains a file called Sync\_log.log with information like the email address of the account, filenames, timestamps, MD5 hashes of the files, etc. Even deleted files appear in that log file with its corresponding MD5.
The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**\
In this table you can find: the **name** of the **synchronized** **files**, modified time, size, MD5 checksum of the files.
The file **`Cloud_graph\Cloud_graph.db`** is a sqlite database which contains the table **`cloud_graph_entry`**. In this table you can find the **name** of the **synchronized** **files**, modified time, size, and the MD5 checksum of the files.
The table data of the database **`Sync_config.db`** contains the email address of the account, path of the shared folders and Google Drive version.
The table data of the database **`Sync_config.db`** contains the email address of the account, the path of the shared folders and the Google Drive version.
## Dropbox
Dropbox uses **SQLite databases** to mange the files. In this\
Dropbox uses **SQLite databases** to manage the files. In this\
You can find the databases in the folders:
* `\Users\<username>\AppData\Local\Dropbox`
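Review bot: the Dropbox line fixes "mange" but keeps the dangling "In this\" at the end of "Dropbox uses **SQLite databases** to manage the files. In this\", so the sentence still breaks off mid-thought; either complete it or drop the fragment together with the trailing backslash. In the Google Drive paragraph, "Even deleted files appear in that log file with its corresponding MD5" should read "their corresponding MD5" to agree with the plural subject, and the first Google Drive line still ends in a `\` hard break while the other paragraphs touched here dropped theirs.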
@ -69,7 +66,7 @@ And the main databases are:
The ".dbx" extension means that the **databases** are **encrypted**. Dropbox uses **DPAPI** ([https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355\(v=msdn.10\)?redirectedfrom=MSDN))
In order to understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
To understand better the encryption that Dropbox uses you can read [https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html](https://blog.digital-forensics.it/2017/04/brush-up-on-dropbox-dbx-decryption.html).
However, the main information is:
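Review bot: the word order in the new line "To understand better the encryption that Dropbox uses you can read ..." is still awkward; suggest "To better understand the encryption that Dropbox uses, you can read ...". The DPAPI link on the context line above points at a `previous-versions` URL with `?redirectedfrom=MSDN`, which is worth replacing with the current documentation page while this paragraph is being edited.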
@ -78,7 +75,7 @@ However, the main information is:
* **Algorithm**: PBKDF2
* **Iterations**: 1066
Apart from that information, in order to decrypt the databases you still need:
Apart from that information, to decrypt the databases you still need:
* The **encrypted DPAPI key**: You can find it in the registry inside `NTUSER.DAT\Software\Dropbox\ks\client` (export this data as binary)
* The **`SYSTEM`** and **`SECURITY`** hives
@ -107,14 +104,14 @@ The **`config.dbx`** database contains:
The **`filecache.db`** database contains information about all the files and folders synchronized with Dropbox. The table `File_journal` is the one with more useful information:
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client) .
* **Server\_path**: Path where the file is located inside the server (this path is preceded by the `host_id` of the client).
* **local\_sjid**: Version of the file
* **local\_mtime**: Modification date
* **local\_ctime**: Creation date
Other tables inside this database contain more interesting information:
* **block\_cache**: hash of all the files and folder of Dropbox
* **block\_cache**: hash of all the files and folders of Dropbox
* **block\_ref**: Related the hash ID of the table `block_cache` with the file ID in the table `file_journal`
* **mount\_table**: Share folders of dropbox
* **deleted\_fields**: Dropbox deleted files
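Review bot: the lines next to the two fixes in this hunk keep errors that belong in the same pass: "**block\_ref**: Related the hash ID ..." should be "Relates the hash ID ...", "**mount\_table**: Share folders of dropbox" should be "Shared folders of Dropbox", and "the one with more useful information" should be "the most useful information". The table name is also written `File_journal` in the paragraph and `file_journal` in the block\_ref item; pick one spelling so readers who query `filecache.db` copy a consistent name.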