Author Name
John Lukach
Submission Title
Join.Me Screen Sharing
Artifact or Program Version
Join.Me on Windows 7
Post Category
Cloud Based
Submission Tags
Join.Me, Cloud, Screen Sharing, Windows
Artifact Description
Join.Me is a cloud screen sharing application that allows remote collaboration and presentations. Additional security information and system requirements can be found by browsing to the product website at: https://join.me
Registry Keys
Join.Me stores information in the following hive structure for each specific user account on the system.
NTUSER.DAT -> \Software\Join.Me\
NTUSER.DAT -> \Software\Microsoft\Windows\
USRCLASS.DAT -> \Join.Me\
File Locations
Join.Me has some low-hanging fruit in the form of logs that can be found in C:\Users\Username\AppData\
Forensic Programs of Use
Using full packet captures you will be able to see network connections communicating to https://secure.join.me during an active screen sharing session.
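As an added example (not part of the original post), the detection logic a defender could run over connection logs to find the secure.join.me activity the post describes and group it into screen-sharing sessions; the log format, client addresses and idle-gap threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow/proxy log (not from the original post), one
# connection per line: "<ISO timestamp> <client ip> <destination host> <port>"
SAMPLE_LOG = """\
2012-04-10T09:58:01 10.0.0.15 www.example.com 443
2012-04-10T10:02:14 10.0.0.15 secure.join.me 443
2012-04-10T10:02:15 10.0.0.15 secure.join.me 443
2012-04-10T10:41:30 10.0.0.15 secure.join.me 443
2012-04-10T10:55:00 10.0.0.15 www.example.com 443
2012-04-10T13:10:05 10.0.0.22 secure.join.me 443
2012-04-10T13:12:40 10.0.0.22 secure.join.me 443
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
JOINME_HOST = "secure.join.me"  # the host named in the post

def joinme_sessions(log_text, host=JOINME_HOST, idle_gap=timedelta(minutes=30)):
    """Return {client_ip: [(first_seen, last_seen, connections), ...]}.
    Consecutive connections from one client to `host` are merged into one
    screen-sharing session while they are no more than `idle_gap` apart."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ts, client, dst, _port = m.groups()
        if dst.lower() == host:
            seen[client].append(datetime.fromisoformat(ts))
    sessions = {}
    for client, times in seen.items():
        times.sort()
        runs, start, prev, count = [], times[0], times[0], 1
        for t in times[1:]:
            if t - prev > idle_gap:        # gap too long: close the session
                runs.append((start, prev, count))
                start, count = t, 0
            prev, count = t, count + 1
        runs.append((start, prev, count))
        sessions[client] = runs
    return sessions

if __name__ == "__main__":
    for client, runs in sorted(joinme_sessions(SAMPLE_LOG).items()):
        for first, last, n in runs:
            print(f"{client}: {n} connection(s) between {first} and {last}")
```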
Archive for the ‘Cloud Based’ Category
10 APR: Join.Me Screen Sharing
25 FEB: iCloud Service on Windows
John Lukach
iCloud Control Panel for Windows v1.01
Apple artifacts are commonly associated with the iPhone, iPad, iPod, and Mac, but they can also be found on Windows if the iCloud service was enabled. The goal of this post is to provide the application-level artifacts that could potentially determine who, what, and when email, contacts, calendar items, tasks, bookmarks, and photos were transferred between devices. It is important to note that operating system artifacts such as the registry, event logs, and others will be available for correlation and validation of your findings too.
iCloud maintains detailed logs located in C:\Users\\AppData\Roaming\Apple Computer\Logs that determine the timeline of when the features provided by the service were used. The log file names follow this example format, asl.221320_23feb12.log, and are based on the initial start-up and subsequent system reboots. Photo Stream log entries provide more granular information on when photos are transferred, and the Bookmark log entries even disclose the primary Apple ID.
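An added example (not from the original post) that turns a directory listing of these asl log names into a start-up/reboot timeline; it assumes the first number in the name is HHMMSS and the second DDmonYY, which the post does not state, and the listing it parses is constructed.

```python
import re
from datetime import datetime

# Filename pattern from the post: asl.221320_23feb12.log. Assumption (not
# stated in the post): the first number is HHMMSS and the second is DDmonYY.
LOG_NAME_RE = re.compile(r"^asl\.(\d{6})_(\d{2}[a-z]{3}\d{2})\.log$", re.IGNORECASE)

def parse_log_name(name):
    """Return the datetime encoded in an iCloud asl log file name, or None."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    hms, dmy = m.groups()
    try:
        return datetime.strptime(f"{dmy} {hms}", "%d%b%y %H%M%S")
    except ValueError:  # impossible time or date (e.g. 30feb): not a real log name
        return None

def startup_timeline(names):
    """Sort asl log names into a start-up/reboot timeline, skipping names that
    do not follow the schema so one odd file does not stop the run."""
    events = []
    for n in names:
        ts = parse_log_name(n)
        if ts is not None:
            events.append((ts, n))
    return sorted(events)

# Constructed directory listing (not from the original post).
SAMPLE_LISTING = [
    "asl.221320_23feb12.log",
    "asl.081505_24feb12.log",
    "asl.073010_21feb12.log",
    "PhotoStream.log",            # not an asl log, ignored
    "asl.259999_30feb12.log",     # impossible values, ignored
]

if __name__ == "__main__":
    for ts, name in startup_timeline(SAMPLE_LISTING):
        print(ts.isoformat(sep=" "), name)
```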
The preferences defined for each specific user who used the iCloud service can be found in this directory: C:\Users\\AppData\Roaming\Apple Computer\Preferences. Specifically, the mobilemeaccounts.plist file contains the account information along with configuration details on each service being used. Additionally, the com.apple.dav.bookmark.msie.plist file is of interest as it lists what bookmarks are being transferred to Internet Explorer or Safari.
Media Stream artifacts are located in the C:\Users\\AppData\Roaming\Apple Computer\MediaStream folder. The root level contains a SQLite database called local.db that has the Apple ID plus the locations where pictures are uploaded and downloaded on the system. The same path has DL and UL folders with logs indicating the dates and times that a specific number of files were uploaded or downloaded to the locations defined in the database. Each file is assigned a unique asset number, such as 0142e0bf66ffe3f3ed826c51e6d3cc4f0eaad7db8d, in the logs. It would be useful to determine the algorithm Apple uses to generate these asset numbers, as that would allow images to be identified outside the defined locations; if anyone happens to know, please share.
At this time, there do not appear to be any application-specific artifacts for Mail, Calendar, Contacts and Tasks in the iCloud service, so you should be able to use the forensic tool of your choice to parse Microsoft Outlook information from the system.
The final artifact of interest appears when the iCloud Control Panel is opened: you are presented with the option to manage the service storage. Looking at the Backups section may give you some insight into the number of mobile devices such as iPhones, iPads, and iPods that are archiving to iCloud, along with the last successful completion date.
Author Name
Frank McClain
Artifact Name
Dropbox Config Files (Windows)
Artifact/Program Version
Dropbox 1.1.35 (Windows)
Description
Dropbox is a file-synchronization, backup, and (even) sharing service.
It has applications that run on Windows®, Mac, Linux, iPhone,
Android and Blackberry. Once downloaded and installed, their
application will run when the OS starts. It adds a systray item that
allows you to access the settings (‘Preferences’), and your files.
The application creates a ‘My Dropbox’ folder inside the user’s
‘My Documents’ folder, for local cached/offline copies of the
files (this default location can be changed). These will then synch
with the web storage and across all other computers connected to the
account that are online. Multiple computers can be connected to one
account; if these are on the same network, a feature called ‘LAN
synch’ allows them to communicate with one another directly when
synching files, in order to reduce bandwidth consumption (as a note,
the synch only transfers the data that is changed, not the entire
file).
Registry Keys
With a clean installation, there were 173 registry keys created and 58
values set (captured via Sysinternals ProcMon). During
uninstallation, there were 153 changes to the registry (logged with
regshot), including 49 deletions:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2\:
“{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3\:
“{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4\:
“{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString:
“"C:\Documents and Settings\username\Application
Data\Dropbox\bin\Uninstall.exe"”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayName:
“Dropbox”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayIcon:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\Dropbox.exe,0”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayVersion:
“1.1.35”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\URLInfoAbout:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\HelpLink:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoModify:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoRepair:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\Publisher:
“Dropbox, Inc.”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application
Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
File Locations
The majority of Dropbox’s configuration and user info are stored in
SQLite database files in %appdata% under the Dropbox directory.
config.db
filecache.db
sigstore.db
host.db
unlink.db
Two are not actually SQLite files: host.db (plain text) and unlink.db
(not sure?).
Config.db contains some info about the local Dropbox installation and
account. It shows what it calls the “host_id” which appears to be
an md5 hash value. It also lists the email address associated with
the account (could be useful during an investigation). Also shown is
the current version/build for the local application.
Filecache.db has several tables, but the one I think is of the most
interest is ‘file_journal’; it contains a listing of all directories
and files inside ‘My Dropbox.’ It appears these are only the live
files, not deleted ones.
Sigstore.db records SHA-256 hash and size information about each file,
but no file names or similar details.
These can be viewed with a SQLite viewer, or parsed with other
programs (see research links).
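An added example, not part of the original post or of Dropbox's own tools, that triages the %appdata%\Dropbox files listed above: it checks each .db for the SQLite file header, reports which ones are plain text or binary instead (the host.db and unlink.db question raised above), and inventories the tables of the real databases. The sample directory it builds, including the file_journal column names, is constructed and assumed, not real Dropbox data.

```python
import sqlite3
import tempfile
from pathlib import Path
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def classify_db_file(path):
    """Return 'sqlite', 'text' or 'binary' for one candidate .db file."""
    head = Path(path).read_bytes()[:512]
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "binary" if "\x00" in text else "text"

def inventory_sqlite(path):
    """Map each user table to its row count, opening the file read-only."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
                for n in names}
    finally:
        con.close()

def triage_dropbox_dir(dirpath):
    """Classify each .db in a Dropbox %appdata% dir; inventory the real SQLite ones."""
    report = {}
    for p in sorted(Path(dirpath).glob("*.db")):
        kind = classify_db_file(p)
        report[p.name] = (kind, inventory_sqlite(p) if kind == "sqlite" else None)
    return report

def build_sample_dir():
    """Constructed stand-in for the real directory (not real Dropbox data): filecache.db
    with an assumed 'file_journal' layout, a plain-text host.db and a binary unlink.db."""
    d = Path(tempfile.mkdtemp())
    con = sqlite3.connect(d / "filecache.db")
    con.execute("CREATE TABLE file_journal (server_path TEXT, local_size INTEGER)")
    con.executemany("INSERT INTO file_journal VALUES (?, ?)",
                    [("/docs/a.txt", 12), ("/docs/b.pdf", 4096)])
    con.commit()
    con.close()
    (d / "host.db").write_text("0\nC:\\Documents and Settings\\username\\My Documents\\My Dropbox\n")
    (d / "unlink.db").write_bytes(b"\x00\x01\x02\xff\xfe")
    return d
```

Run `triage_dropbox_dir(build_sample_dir())` to see the report; point it at an evidence copy of the real directory, never the live one.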
Inside the user’s Dropbox folder is a hidden directory,
.dropbox.cache. This contains a record of files created/modified (and
saved) on another linked system. There are copies of the files
themselves, for each revision/save, and an entries.log file that
appears to contain encoded information about each of those files.
Research Links
(some more research to be posted
soon)
Forensic Programs of Use
(not forensic, but good for
viewing the SQLite db files)
(haven’t tried it yet, may be able to parse deleted records from the
SQLite db files)
Other Info
The Dropbox Reader python scripts are handy to parse through the
SQLite db files quickly and get output that way, rather than trying to
load up individually in a viewer. They’re designed specifically to
work with Dropbox’s implementation, and present the information in a
more meaningful way.
I had some issues getting them to work properly and they were very
responsive and helpful. Apparently one of my files is a bit of an
oddball (missing some information) so it won’t parse correctly;
they’re working on a fix for that.
