Cloud-based Forensic Artifacts: Dropbox


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Dropbox 1.2

Synchronizes designated directories to the cloud and other associated computers. Can be used for simple file sharing. Not specifically a backup service, but does maintain off-site copies of files, so it kind of qualifies. Runs on Windows, Mac, Linux, iPad, iPhone, Android, BlackBerry.

The current version of Dropbox makes use of encrypted SQLite database files.

The following is a sample of artifacts from the installation and use of Dropbox 1.2 on a system. It is not exhaustive, but is intended to serve as an example of the types of evidence/data that can be found.

Registry Keys

Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21

File Locations
Application Data Files:  AppData\Roaming\Dropbox

Application Executable Files:  AppData\Roaming\Dropbox\Bin – Dropbox.exe

Sync/Backup Files:  %User%\Dropbox

Files of Interest

config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log
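
A read-only triage sketch for the locations and file names listed above, added here as an example (it is not the author's code): it records size, modification time and SHA-256 for each file found, and checks for the standard SQLite header to tell plainly readable databases from opaque (for example, encrypted) ones. The function names, the profile-directory argument and the sample tree built in `demo()` are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Names from the page's "Files of Interest" list.
FILES_OF_INTEREST = ("config.db", "config.dbx", "desktop.ini", "filecache.dbx",
                     "host.db", "sigstore.dbx", "unlink.db", "entries.log")
# Both data locations from the page, relative to the user profile directory.
LOCATIONS = (Path("AppData", "Roaming", "Dropbox"), Path("Dropbox"))
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of an unencrypted SQLite file


def describe(path):
    """Size, mtime, SHA-256 and header check for one file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        header = fh.read(len(SQLITE_MAGIC))
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    st = path.stat()
    return {
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest.hexdigest(),
        "plain_sqlite": header == SQLITE_MAGIC,
    }


def inventory(profile_dir):
    """Return a record for every file of interest found under the profile."""
    found = []
    for rel in LOCATIONS:
        for name in FILES_OF_INTEREST:
            path = Path(profile_dir) / rel / name
            if path.is_file():
                found.append({"name": name, "location": rel.as_posix(), **describe(path)})
    return found


def demo():
    """Inventory a constructed profile tree (sample data, not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / LOCATIONS[0]
        app.mkdir(parents=True)
        (app / "host.db").write_bytes(SQLITE_MAGIC + b"\x00" * 84)
        (app / "config.dbx").write_bytes(bytes(range(256)))  # stand-in for opaque content
        return inventory(tmp)
```

Point `inventory()` at a user profile directory on a mounted, write-blocked image rather than a live system, so the recorded timestamps and hashes reflect the evidence as acquired.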

Research Links

Forensic Programs of Use
ProcessHacker
CurrPorts
Wireshark
FileInfo
RegShot
Registry Decoder
NetWitness Investigator
Notepad++
SQLiteDBBrowser
HxD
HEX Editor
Encoder
DCode
DbVisualizer
TrID
File


One Comment

Jared Atkinson

December 1, 2015


All files that are synced with Dropbox are marked with an Alternate Data Stream named “com.dropbox.attributes”.
