Cloud-based Forensic Artifacts: Carbonite

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links

Forensic Programs of Use
ProcessHacker –
CurrPorts –
Wireshark –
FileInfo –
RegShot –
Registry Decoder –
NetWitness Investigator –
Notepad++ –
SQLiteDBBrowser –
HxD –
HEX Editor –
Encoder –
DCode –
DbVisualizer –
TrID –
File –


Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment