Cloud-based Forensic Artifacts: Dropbox


Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Dropbox 1.2

Description
Synchronizes designated directories to the cloud and to other computers linked to the same account. Can be used for simple file sharing. Not marketed as a backup service, but it does maintain off-site copies of files, so in practice it serves as one. Runs on Windows, Mac, Linux, iPad, iPhone, Android, BlackBerry.

Current version of Dropbox makes use of encrypted SQLite DB files.

A sample of artifacts from the installation and use of Dropbox 1.2 on a system. This is not exhaustive, but is intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1

Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\21

File Locations
Application Data Files: AppData\Roaming\Dropbox

Application Executable Files: AppData\Roaming\Dropbox\Bin (Dropbox.exe)

Sync/Backup Files: %User%\Dropbox

Files of Interest

config.db, config.dbx, desktop.ini, filecache.dbx, host.db, sigstore.dbx, unlink.db, entries.log

Research Links

http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm


Dropbox Config Files (Windows)


Author Name
Frank McClain

Artifact Name
Dropbox Config Files (Windows)

Artifact/Program Version
Dropbox 1.1.35 (Windows)

Description
Dropbox is a file-synchronization, backup, and (even) sharing service.
It has applications that run on Windows®, Mac, Linux, iPhone,
Android and BlackBerry. Once downloaded and installed, their
application will run when the OS starts. It adds a systray item that
allows you to access the settings (‘Preferences’), and your files.
The application creates a ‘My Dropbox’ folder inside the user’s
‘My Documents’ folder, for local cached/offline copies of the
files (this default location can be changed). These will then synch
with the web storage and across all other computers connected to the
account that are online. Multiple computers can be connected to one
account; if these are on the same network, a feature called ‘LAN
synch’ allows them to communicate with one another directly when
synching files, in order to reduce bandwidth consumption (as a note,
the synch only transfers the data that is changed, not the entire
file).

Registry Keys
With a clean installation, there were 173 registry keys created and 58
values set (captured via Sysinternals ProcMon). During
uninstallation, there were 153 changes to the registry (logged with
RegShot), including 49 deletions. Keys and values of interest:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2\:
“{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3\:
“{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4\:
“{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString:
“"C:\Documents and Settings\username\Application Data\Dropbox\bin\Uninstall.exe"”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayName:
“Dropbox”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayIcon:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\Dropbox.exe,0”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayVersion:
“1.1.35”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\URLInfoAbout:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\HelpLink:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoModify:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoRepair:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\Publisher:
“Dropbox, Inc.”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”

File Locations
The majority of Dropbox’s configuration and user info is stored in
SQLite database files in %appdata% under the Dropbox directory:
config.db
filecache.db
sigstore.db
host.db
unlink.db
Two of these are not actually SQLite files: host.db (plain text) and
unlink.db (format not determined).

config.db contains some info about the local Dropbox installation and
account. It shows what it calls the “host_id”, which appears to be
an MD5 hash value. It also lists the email address associated with
the account (could be useful during an investigation). Also shown is
the current version/build of the local application.

filecache.db has several tables, but the one I think is of most
interest is ‘file_journal’; it contains a listing of all directories
and files inside ‘My Dropbox’. These appear to be only the live
files, not deleted ones.

sigstore.db records SHA-256 hash and size information about each file,
but no names etc.

These can be viewed with a SQLite viewer, or parsed with other
programs (see research links).

Inside the user’s Dropbox folder is a hidden directory,
.dropbox.cache. This contains a record of files created/modified (and
saved) on another linked system. There are copies of the files
themselves, for each revision/save, and an entries.log file that
appears to contain encoded information about each of those files.
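As an added example (not part of the original post, and not the Dropbox Reader scripts mentioned below), the following Python script shows how an examiner can triage these databases with nothing but the standard library: enumerate tables from sqlite_master before trusting any assumed layout, pull the host_id/email/version entries from config.db, list file_journal from filecache.db, and correlate the SHA-256 and size of local files against sigstore.db records so that files whose current content has no signature record (changed since the last sync, or never synced) are flagged for a closer look in .dropbox.cache. The table names, column names, hex hash encoding and sample file contents are assumptions constructed for this example; verify them against the real files in a SQLite viewer before relying on them.

```python
"""Triage of Dropbox-style SQLite artifacts (added example, standard library only).

ASSUMED schemas, constructed for illustration:
  config.db     -> table config(key, value)
  filecache.db  -> table file_journal(server_path, size, mtime)
  sigstore.db   -> table sigstore(hash, size) with hex SHA-256
"""
import hashlib
import sqlite3

# Constructed sample contents of files in the user's Dropbox folder.
SAMPLE_FILES = {
    "Photos/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    "notes.txt": b"meeting notes, constructed sample",
    "draft.docx": b"constructed docx bytes, edited after last sync",
}


def sha256_and_size(data):
    """Hash and size pair, the two attributes the post says sigstore.db records."""
    return hashlib.sha256(data).hexdigest(), len(data)


def build_sample_dbs():
    """Build in-memory stand-ins for config.db, filecache.db and sigstore.db."""
    config = sqlite3.connect(":memory:")
    config.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    config.executemany("INSERT INTO config VALUES (?, ?)", [
        ("host_id", "0123456789abcdef0123456789abcdef"),  # constructed, MD5-length
        ("email", "user@example.com"),                     # constructed
        ("dropbox_path", r"C:\Documents and Settings\username\My Documents\My Dropbox"),
        ("version", "1.1.35"),
    ])
    filecache = sqlite3.connect(":memory:")
    filecache.execute(
        "CREATE TABLE file_journal (server_path TEXT, size INTEGER, mtime INTEGER)")
    sigstore = sqlite3.connect(":memory:")
    sigstore.execute("CREATE TABLE sigstore (hash TEXT, size INTEGER)")

    # Two files were synced as they are now; draft.docx was edited after the
    # last sync, so only its OLD version is in the journal and sigstore.
    for path, data in SAMPLE_FILES.items():
        if path == "draft.docx":
            continue
        digest, size = sha256_and_size(data)
        filecache.execute("INSERT INTO file_journal VALUES (?, ?, ?)",
                          (path, size, 1300000000))
        sigstore.execute("INSERT INTO sigstore VALUES (?, ?)", (digest, size))
    filecache.execute("INSERT INTO file_journal VALUES (?, ?, ?)",
                      ("draft.docx", 11, 1300000000))
    sigstore.execute("INSERT INTO sigstore VALUES (?, ?)", ("a" * 64, 11))  # stale, constructed
    for conn in (config, filecache, sigstore):
        conn.commit()
    return config, filecache, sigstore


def list_tables(conn):
    """Enumerate tables from sqlite_master: the first step with any unknown SQLite file."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def read_config(conn):
    """Key/value pairs the post calls out (host_id, email, version)."""
    return dict(conn.execute("SELECT key, value FROM config").fetchall())


def list_file_journal(conn):
    """Listing of live files as recorded in file_journal."""
    return conn.execute(
        "SELECT server_path, size, mtime FROM file_journal ORDER BY server_path").fetchall()


def correlate(sigstore_conn, files):
    """Classify each local file by whether its (sha256, size) pair is in sigstore.

    'synced'   : current content matches a signature record
    'unsynced' : no record for the current content (modified since the last
                 sync, or never synced); check .dropbox.cache for revisions
    """
    known = set(sigstore_conn.execute("SELECT hash, size FROM sigstore").fetchall())
    return {path: ("synced" if sha256_and_size(data) in known else "unsynced")
            for path, data in files.items()}


if __name__ == "__main__":
    cfg, fc, sig = build_sample_dbs()
    for name, conn in (("config.db", cfg), ("filecache.db", fc), ("sigstore.db", sig)):
        print(name, "tables:", list_tables(conn))
    print("config:", read_config(cfg))
    for row in list_file_journal(fc):
        print("journal:", row)
    for path, status in correlate(sig, SAMPLE_FILES).items():
        print(f"{status:9s} {path}")
```

Against real evidence, replace build_sample_dbs() with sqlite3.connect() on copies of the files from the image (working from copies keeps the originals unchanged), and run list_tables() first: if a table or column named here is absent, the assumed schema does not match that client version and the queries must be adjusted from what the viewer shows. The 1.2 client’s .dbx files are encrypted and will not open this way.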

Research Links

(some more research to be posted soon)

Forensic Programs of Use
(not forensic, but good for viewing the SQLite db files)
(haven’t tried it yet, may be able to parse deleted records from the SQLite db files)

Other Info
The Dropbox Reader Python scripts are handy for parsing the
SQLite db files quickly and getting output that way, rather than
loading each one individually in a viewer. They’re designed specifically to
work with Dropbox’s implementation, and present the information in a
more meaningful way.

I had some issues getting them to work properly and they were very
responsive and helpful. Apparently one of my files is a bit of an
oddball (missing some information) so it won’t parse correctly;
they’re working on a fix for that.