Artifacts of Dropbox Usage on Windows 10 (Part 2)

The last part of Dropbox forensics is here. Today we will see what artifacts remain on Windows 10 after using Mozilla Firefox and Google Chrome to access this service. Once again, this research was made during the spring of 2019, but because I did not have a blog then, the results are published now. This time I will write this post in another format. So without further ado, let's jump into it.

My goal was to keep everything as clean as possible. The setup methodology I used was:

  • I installed Windows 10 Pro 16299 on a brand new VM (Base-VM, using VMware Workstation 14).
  • Created a couple of full-clones of the Base-VM.
  • Installed Mozilla Firefox (version 65.0.2 (64-Bit)) on one clone and Google Chrome (version 72.0.3626.121 (Official Build) (64-bit)) on the other clone.
  • Then I made a bunch of full-clones of the initial full-clones.
  • I performed a series of actions.
  • I acquired the virtual machine’s hard drive.
  • I examined the images.

Next I briefly describe the scenario of the research.

The scenario was pretty basic. I performed each and every one of the following actions:

The scope of this research was to locate those artifacts that could prove the above actions were made by the user. Nonetheless, let's see how that went.

This time I will take for granted that you know where the web history is stored for the browser that you investigate for Dropbox usage. I examined Google Chrome and Mozilla Firefox in my research, but as far as URLs are concerned, any browser would store the same artifacts.

DISCLAIMER: This research was conducted before Dropbox introduced the ability to create/edit online documents (similar to Google Docs feature), so artifacts may be different today.

Let's see how we can determine that a user created a file using a web browser. The following artifacts were created when I performed each of the actions named in the headings below.

Creating a New Document

URL (Both Chrome and Firefox): https://www.dropbox.com/ow/msft/edit/home/Document.docx?new=1
    This URL will be found if the user has created a new document using the web browser.
Title (Both Chrome and Firefox): Open Document.docx – Dropbox
    The document's name will be in the title of this artifact. By default the document will have this filename until you rename it.
Is Typed (Firefox Only): No
Transition Type (Chrome Only): FORM_SUBMIT

Creating a New Presentation

URL (Both Chrome and Firefox): https://www.dropbox.com/ow/msft/edit/home/Presentation.pptx?new=1
    This URL will be found if the user has created a new presentation using the web browser.
Title (Both Chrome and Firefox): Open Presentation.pptx – Dropbox
    The presentation's name will be in the title of this artifact. By default the presentation will have this filename until you rename it.
Is Typed (Firefox Only): No
Transition Type (Chrome Only): FORM_SUBMIT

Creating a New Spreadsheet

URL (Both Chrome and Firefox): https://www.dropbox.com/ow/msft/edit/home/Book.xlsx?new=1
    This URL will be found if the user has created a new spreadsheet using the web browser.
Title (Both Chrome and Firefox): Open Book.xlsx – Dropbox
    The spreadsheet's name will be in the title of this artifact. By default the spreadsheet will have this filename until you rename it.
Is Typed (Firefox Only): No
Transition Type (Chrome Only): FORM_SUBMIT

Pretty straightforward, right? Well, for our second part, the artifacts of downloading a file using a web browser were lying in the cache of each web browser. Each web browser creates several cache files, inside of which it stores its cache entries. Let's see what the URLs stored inside the cache can tell us about the user.

Downloading a file using a web browser

URLs (Both Chrome and Firefox): The URL must begin with “https://www.dropbox.com/pri/get/TestFile.xls?_download_id=……”
    The part after /pri/get/ (TestFile.xls) is the filename of the file being downloaded, and the value of _download_id is the download ID of this download.
URLs (Both Chrome and Firefox): The URL must begin with “https://www.dropbox.com/pri/get/InsideAFolder/TestPicture.jpeg?_download_id=……”
    Similar to the previous artifact; the only difference here is that the file was inside another folder (InsideAFolder) and not the root directory of the user's Dropbox.

And with that said, for the last part of this post, we will see the artifacts that prove a user viewed a file using a web browser. Once again, those artifacts reside in the file where each browser stores its web history.

URL (Both Chrome and Firefox): https://www.dropbox.com/home?preview=testTxt.txt
    This URL will be found if the user has viewed a file using the web browser. If the file is inside a directory other than the root, the folder name will be found in a format similar to this:
    https://www.dropbox.com/home/InsideAFolder?preview=testTxt.txt
Title (Both Chrome and Firefox): testTxt.txt
    The filename of the file being viewed will be in the title of this artifact.
Is Typed (Firefox Only): No
Transition Type (Chrome Only): LINK
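As an added example (not code from the original post), here is a small Python classifier that applies the three URL patterns from the tables above (create, download, view) to browser history URLs and extracts the filename, folder and download ID. The history rows and download IDs in SAMPLE_HISTORY are constructed for this example; real rows would come from the browser's history or cache database.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Path patterns taken from the Dropbox URLs documented in the tables above.
CREATE_RE = re.compile(r"^/ow/msft/edit/home/(?P<name>[^/?]+)$")
DOWNLOAD_RE = re.compile(r"^/pri/get/(?P<path>.+)$")
PREVIEW_RE = re.compile(r"^/home(?:/(?P<folder>.+))?$")

# Default new-file names seen in the tables map to a document kind by extension.
KIND_BY_EXT = {".docx": "document", ".pptx": "presentation", ".xlsx": "spreadsheet"}


def classify_dropbox_url(url):
    """Return a dict describing the Dropbox web action a history URL reflects,
    or None if the URL is not one of the patterns documented above."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "www.dropbox.com":
        return None
    q = parse_qs(p.query)
    m = CREATE_RE.match(p.path)
    if m and q.get("new") == ["1"]:          # "Open X – Dropbox" create action
        name = unquote(m.group("name"))
        ext = name[name.rfind("."):].lower() if "." in name else ""
        return {"action": "create", "kind": KIND_BY_EXT.get(ext, "unknown"), "file": name}
    m = DOWNLOAD_RE.match(p.path)
    if m and "_download_id" in q:            # cache entry for a download
        parts = [unquote(s) for s in m.group("path").split("/")]
        return {"action": "download", "file": parts[-1],
                "folder": "/".join(parts[:-1]), "download_id": q["_download_id"][0]}
    m = PREVIEW_RE.match(p.path)
    if m and "preview" in q:                 # history entry for viewing a file
        return {"action": "view", "file": unquote(q["preview"][0]),
                "folder": unquote(m.group("folder") or "")}
    return None


def summarize_history(urls):
    """Keep only the URLs that match a documented Dropbox pattern, with their classification."""
    results = []
    for u in urls:
        r = classify_dropbox_url(u)
        if r is not None:
            results.append((u, r))
    return results


# Constructed sample rows; the download IDs are placeholders, not real values.
SAMPLE_HISTORY = [
    "https://www.dropbox.com/ow/msft/edit/home/Document.docx?new=1",
    "https://www.dropbox.com/ow/msft/edit/home/Book.xlsx?new=1",
    "https://www.dropbox.com/pri/get/TestFile.xls?_download_id=EXAMPLEID1",
    "https://www.dropbox.com/pri/get/InsideAFolder/TestPicture.jpeg?_download_id=EXAMPLEID2",
    "https://www.dropbox.com/home?preview=testTxt.txt",
    "https://www.dropbox.com/home/InsideAFolder?preview=testTxt.txt",
    "https://www.dropbox.com/home",                 # plain home page: no file action
    "https://example.com/home?preview=x.txt",        # not Dropbox: ignored
]

if __name__ == "__main__":
    for url, result in summarize_history(SAMPLE_HISTORY):
        print(result["action"], result)
```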

Well, those URLs can tell us something about the user's interaction with the cloud service, even if we found no actual files in our investigation. I want to point out one last thing. Before uploading those files to Dropbox, I calculated their MD5 hashes. After downloading those files from Dropbox, I did the same. Comparing those files, I found that all of their MD5 hashes were the same, but their file system MACb timestamps were different. Of course, no surprise here, but I just wanted to underline that the hashes remain intact.

This was the second part of Dropbox forensics. As I said in part 1, I know for sure that Dropbox has introduced some new features. How many of the above-mentioned artifacts remain the same has to be put to the test. I was thinking of performing new research on how these artifacts have changed, but I am not sure. Would you like to see another research post on Dropbox? If you have ideas on a particular research topic, use the Contact form to share your ideas with us. Until then, be safe and keep doing the best you can with what you have!
