The Senator Patrick Leahy Center for Digital Investigation
Date: July 12, 2012
1.1 Research Problem
Dropbox is a service that is used by over 50 million people. This service allows users to back up files to the internet and to share them with other people. The growing popularity of this service almost guarantees that it will be used to back up or transfer files that are relevant to an investigation. The Dropbox application creates artifacts on a system that may provide pertinent information. The Dropbox servers store many useful logs regarding account history and a user’s file history. Obtaining these artifacts and log files could provide an investigator with the evidence he or she is looking for.
1.2 Field of Research
This research project will attempt to discover what evidence can be gathered from Dropbox. This includes evidence that is located on the computer(s) the Dropbox application was installed on as well as evidence that can be gathered from the web portal.
1.3 Research Questions
1. What artifacts are created during the installation process?
2. What artifacts are left behind after Dropbox is uninstalled?
3. What information can be gathered from the Dropbox database files?
4. What artifacts are created when a file is uploaded or downloaded?
5. What evidence is there when a file is shared using Linking or a Shared Folder?
6. What logs does Dropbox create and how accurate are they?
7. Are there any other sources of information relating to Dropbox?
1.4 Tool List
· Dropbox - Dropbox.com
· Winhex - winhex.com/winhex
· Hexedit - hexedit.com
· Guidance Software’s Encase 6.19 - guidancesoftware.com
· VMware - vmware.com
· ProcessMonitor - download.cnet.com/Process-Monitor/3000-2094_4-10603966
· Regshot - sourceforge.net/projects/regshot
· Wireshark - wireshark.org
· Python - python.org
· Windows 7 - windows.microsoft.com/en-US/windows7/products/home/
· Chrome - google.com/chrome
· Internet Explorer - windows.microsoft.com/en-us/internet-explorer/products/ie/home/
2 Evidence Locations
2.1 Web Portal
The web portal is the online form of Dropbox. It can be accessed from any computer with internet access, provided the account information and correct login credentials are known. All of the features in this section are only available through the web portal and cannot be discovered by investigating an image of the computer’s hard drive.
2.1.1 File Viewing
The default screen after logging in to the Dropbox website is the file viewer. This screen shows all folders in alphabetical order followed by all files in alphabetical order.
This image shows several different directories as viewed through the web portal. The leftmost column is an icon that is based on the file extension. The kind column is based on file extension and can be spoofed. The Modified column is taken from the MACE values and can be spoofed as seen by the purple highlight. The last column isn’t labeled but shows a paperclip if the user generated a URL link for public viewing.
The web portal also allows the user to view deleted files via the highlighted button.
The greyed out files are deleted files that are seen using the “view deleted files” feature.
2.1.2 Event Log
The Dropbox Event log tracks all of the activity that is connected to that account. It records which account performed the action, what the action was, what the target of the action was, and the time of the action. Dropbox will group actions that took place in the same sync and write only one entry for them. The timestamp shows the time an action ended. If the file(s) are particularly large or numerous, or the syncing process is interrupted, the timestamps can be off by significant amounts of time.
This is an example event log.
2.1.3 Previous Versions (Version History)
This is a feature that allows a user to restore a file to a previous version. This feature considers a file to be anything with the same folder path, name, and extension. Each entry shows the name of the user who did the editing. This is followed by the method, which is “web” if a browser was used, or the computer name if a computer was used. The next column is the time of the change, which contains the same inaccuracies as the Event Log. The last column displays the size of the file.
The following image shows the history of “Calvin.jpg”.
2.1.4 Permanent Deletion
A file that is deleted using either the web portal or the Dropbox application will still have a copy that is available online. A deleted file still has version history and can be restored. However, a user may select a file and use a feature called “Permanently Delete”. This feature will stop that file from being viewable. It will also delete any entries in the event log that mention that file. This cannot be undone and is hard to detect. Once a page in the event log is full and has another full page between it and the newest page, no more entries will be added to it. If some or all of the entries on that page are deleted through the permanent delete feature, then that page will stay partially or fully empty. These pages are proof that files were permanently deleted.
The following picture is of an event log page that had 28 entries before a mass permanent deletion.
2.1.5 Linked Files and Folders
Dropbox has a feature that allows the user to generate a URL link to a file or folder. Anyone with a web browser can go to the link and download the files. Dropbox will display any images or text files that are of a recognized format. Directories that have had a URL link created for them show a paperclip icon next to them indicating they are linked. There is no way to know if a file is being viewed or downloaded without access to the viewing/downloading computer.
Default view of two folders. The top had a sharing URL created, as shown by the highlighted paperclip icon.
That folder viewed by a computer that does not have Dropbox installed and was not logged in to Dropbox.
2.2 Artifacts Location on a Computer with Dropbox Installed
2.2.1 Dropbox Main Folder
The location of the Dropbox main folder is C:\Users\username\Dropbox. This folder is the primary feature of Dropbox and it contains files that have been uploaded to or downloaded from the cloud. If viewed on the computer while Dropbox is running, there will be icons in the bottom left of the file icons indicating their sync status.
There is also a folder that is hidden and treated as an important operating system file. Its path is C:\Users\username\Dropbox\.dropbox.cache. This folder is where the segments of files that are being downloaded are stored. These segment files have seemingly random names and are compressed, making it impossible to learn anything about the file they belong to. After the last segment finishes downloading, the segments are combined into a .tmp file that contains the data of the original file but has a seemingly random name. This file is normally deleted and replaced by the downloaded file in the main folder instantly, making capturing it intact difficult.
2.2.2 Recovering Deleted Files
If a file is deleted by a different computer attached to the same account while both computers are connected to the Dropbox cloud, a folder will be created whose name is the date.
The highlighted folder is an example of a folder containing files deleted on the tenth of July, 2012.
All of the files deleted on that date will go in that folder. Each folder has a file called “entries.log”. This file contains information that I cannot parse, but it appears to be based on filename and grows by one to two lines per new file added. The deleted files have “(deleted hexadecimalnumber – hexadecimalnumber – hexadecimalnumber)” appended to the end of the filename. The first number is the modified time from the MACE file attributes, converted into UNIX time and displayed in hexadecimal notation. The second number is the file size in bytes displayed in hexadecimal notation. The third number acts like a hash, though I do not know the algorithm. Dropbox will purge these folders every three days according to the forums, and my research doesn’t disagree.
This is a screen shot taken from the deleted files folder. The highlighted file is the entries file.
The first three files are completed downloads. They are empty test files. The next three are segments of a larger download.
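The naming scheme described in 2.2.2 can be decoded mechanically, which lets an examiner recover the original filename, the last-modified time and the size of a deleted file without opening it, and then cross-check the decoded size against the bytes actually present (a mismatch would mean the file on disk is not the version the suffix describes). The following script is an added example and is not part of the LCDI report or of Dropbox; the sample filenames are constructed, the dash/space tolerance in the pattern is an assumption, and the third field is carried through untouched because its algorithm is unknown.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Assumed shape of the suffix described in section 2.2.2:
#   "<name> (deleted <mtime-hex> - <size-hex> - <tag-hex>)"
# The report shows the separators as dashes with spaces around them; accepting a plain
# hyphen or an en dash with optional whitespace is an assumption, not something the
# report states.
_DELETED_RE = re.compile(
    r"^(?P<stem>.*?)\s*\(deleted\s+"
    r"(?P<mtime>[0-9a-fA-F]+)\s*[-\u2013]\s*"
    r"(?P<size>[0-9a-fA-F]+)\s*[-\u2013]\s*"
    r"(?P<tag>[0-9a-fA-F]+)\)\s*$"
)


class DeletedEntry(NamedTuple):
    original_name: str      # filename before the "(deleted ...)" suffix was appended
    modified_epoch: int     # first field: modified time as UNIX seconds
    modified_utc: datetime  # the same value as a timezone-aware datetime
    size_bytes: int         # second field: file size in bytes
    tag_hex: str            # third field: hash-like value, algorithm unknown (kept verbatim)


def parse_deleted_name(name: str) -> Optional[DeletedEntry]:
    """Decode a Dropbox deleted-file name; return None if the name carries no suffix."""
    m = _DELETED_RE.match(name)
    if m is None:
        return None
    epoch = int(m.group("mtime"), 16)
    size = int(m.group("size"), 16)
    return DeletedEntry(
        original_name=m.group("stem"),
        modified_epoch=epoch,
        modified_utc=datetime.fromtimestamp(epoch, tz=timezone.utc),
        size_bytes=size,
        tag_hex=m.group("tag").lower(),
    )


def size_matches(entry: DeletedEntry, content: bytes) -> bool:
    """Cross-check: does the size encoded in the name agree with the bytes on disk?"""
    return len(content) == entry.size_bytes


# Constructed sample listing of a dated deleted-files folder (not data from the report).
SAMPLE_LISTING = [
    "Calvin.jpg (deleted 4ffc15f0 \u2013 3e8 \u2013 1a2b3c4d)",  # 2012-07-10, 1000 bytes
    "notes.txt",                                                 # no suffix: not a deleted entry
]


def decode_listing(names):
    """Return (name, DeletedEntry-or-None) pairs for every name in a folder listing."""
    return [(n, parse_deleted_name(n)) for n in names]


if __name__ == "__main__":
    for name, entry in decode_listing(SAMPLE_LISTING):
        if entry is None:
            print(f"{name}: no deleted-file suffix")
        else:
            print(f"{entry.original_name}: modified {entry.modified_utc.isoformat()}, "
                  f"{entry.size_bytes} bytes, tag {entry.tag_hex}")
```

The decoded modified time is the file's own MACE modification time, not the deletion time; the deletion date is only known from the name of the dated folder the entry sits in, so both values should be recorded separately in the examiner's notes.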
2.2.3 Dropbox Hidden Folder
During installation Dropbox will create a folder at C:\Users\username\AppData\Roaming\Dropbox. This folder contains the .exe and .dll files that allow the Dropbox application to work. The main folder also holds database files. Research suggests that they are, or were, SQLite 3 databases, but all attempts to parse them have failed. There are also files whose names seem random, that have no extension, and whose contents cannot be parsed.
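A quick way to test the "SQLite 3" suggestion above, and to triage the random-named files, is to check whether a file begins with the fixed 16-byte SQLite 3 header and, if it does not, to measure its byte entropy: a genuine SQLite database carries the magic string, while a file that is uniformly high-entropy is compressed or encrypted and will not yield to an SQLite parser. This snippet is an added example, not code from the LCDI report or from Dropbox; the sample byte strings are constructed, and the 7.5-bit entropy threshold is an assumed rule of thumb.

```python
import math
from collections import Counter

# Every SQLite 3 database file starts with this exact 16-byte header string.
SQLITE3_MAGIC = b"SQLite format 3\x00"


def is_sqlite3(data: bytes) -> bool:
    """True if the first 16 bytes are the SQLite 3 header."""
    return data[:16] == SQLITE3_MAGIC


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes, high_entropy_threshold: float = 7.5) -> str:
    """Coarse triage label for an unknown file body."""
    if is_sqlite3(data):
        return "sqlite3"
    if shannon_entropy(data) >= high_entropy_threshold:
        # Assumed threshold: near-uniform byte distribution, typical of compressed
        # or encrypted content, so an SQLite parser is not expected to succeed.
        return "high-entropy"
    return "low-entropy-unknown"


# Constructed sample inputs standing in for files from the Roaming\Dropbox folder.
SAMPLES = {
    "config.db": SQLITE3_MAGIC + bytes(84),        # fake header plus zero-filled page
    "random-name": bytes(range(256)) * 4,          # every byte value equally often
    "mostly-text": b"host=127.0.0.1\nversion=1\n",  # plain ASCII settings text
}


def triage(files):
    """Return {name: label} for a mapping of filename -> file bytes."""
    return {name: classify(body) for name, body in files.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name}: {label}")
```

When the header check passes but a parser still fails, the file may have been captured mid-write; when it fails and entropy is high, the contents are not a plain database and should be documented as such rather than re-parsed.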
2.3 Further Research Topics
· Multiple computers can share one Dropbox account. Can the existence of other computers be determined, and how much information can be gained about them?
· What artifacts are left by network sharing?
· What information can be gathered on the other accounts sharing a folder?
· Is there a reliable way to recover deleted or temporary files?
· How can the account that was attached to an unlinked computer be determined?
For the full detailed report on this project, please go to the LCDI’s homepage, www.LCDI.champlain.edu, and click "Resources", or email LCDI at LCDI@champlain.edu with “Dropbox Forensics” in the subject if you have any comments, questions and/or suggestions.