Reviewing Google Drivesync Files

(@codyf)
Posts: 7
Active Member
Topic starter
 

Hi,

First post here. Hoping to get some help with Google Docs.

Background: I have a computer that had Drivesync enabled for the subject's Google Docs account. Chrome stores the files locally in an HTML5 FS under

\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\File System\

Locally stored Google Doc files are in a proprietary format that isn't recognized by any forensic software I've tried (EnCase 7.10.05, X-Ways 18.4); IEF 6.7 doesn't pick up any Google Drive artifacts at all.

Subject computer is operating Windows 10.

So far I've tried:

-Exporting the HTML5 FS structure and opening it externally with Chrome using HTML5 File System Explorer (Chrome extension). No luck, though I haven't written this method off yet.

-Converting the disk image into VMDK and booting the system in a VM to try and access the files natively. Unfortunately the machine is password protected and the account is a Microsoft Live account, so I am unable to reset the subject account password using a local administrator account.

-I can export all the Google Doc files, but I do not recognize the format and thus cannot open them in anything. To my eye they look like a proprietary compressed format, but that's a guess.

The subject(s) are non-cooperative, so there is no chance of getting any help from them.

Any help or insight anyone can provide would be greatly appreciated.

 
Posted : 22/10/2015 10:37 pm
 MGar
(@mgar)
Posts: 3
New Member
 

Hello,

I am currently running into the same problem. I found this site that may provide some further guidance on your problem set:

http://bitforensics.blogspot.com/2012/12/google-drive-artifacts-explained.html

I'm still working the same problem set so we are in the same boat. I'll try to share any problems I run into as I look through the image.

Of note, you will need to know how to use SQLite DB Browser as well.

If anything I've said is wrong, please advise immediately.

Thanks

 
Posted : 19/11/2015 5:24 pm
(@codyf)
Posts: 7
Active Member
Topic starter
 

Hey,

Thanks for the reply.

So far I've attempted to reconstruct the HTML5 FS in a clean environment as well as examining a test environment where I have access to all the files, but haven't made any useful progress.

Unfortunately I'm getting pretty close to the point where the time I'm spending on it is becoming counter-productive, so I doubt I'm going to spend a lot more effort on it at this time.

I talked to Jad (from IEF) about the issue and he said it's something they'll look into, so hopefully we'll have some better tool support for Google Drive artifacts in the future.

In the meantime if anything comes up I'll certainly post it.

 
Posted : 19/11/2015 8:22 pm
 MGar
(@mgar)
Posts: 3
New Member
 

Hey All,

I had problems with this as well. Doing open source research, I found that in order for Google Drive to work, 2 separate database files need to be on the system (snapshot.db and synch_config.db), which would be resident on the host system. I also exported the last possible Volume Shadow Copy with no success in searching for/exporting these databases.

Here is the link: http://bitforensics.blogspot.com/2012/12/google-drive-artifacts-explained.html

Hopefully this helps. As a newbie, I can understand any frustration.

Thanks for all the replies as well.

MGar

 
Posted : 25/11/2015 10:07 pm
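A triage helper added here as an example (not code from either poster): it walks a copied-out Chrome `File System` tree, hashes each blob, checks the leading bytes against common container signatures and, where a blob looks like zlib or gzip, attempts to inflate it. The sample tree, directory names and file contents in `demo()` are constructed; whether any real cached Drive file inflates this way is exactly what the thread leaves open.

```python
import gzip
import hashlib
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List, Optional

# Leading-byte signatures of common containers; says nothing about Google's own format.
SIGNATURES = {b"SQLite format 3\x00": "sqlite3", b"PK\x03\x04": "zip",
              b"\x1f\x8b": "gzip", b"\x78\x01": "zlib", b"\x78\x9c": "zlib",
              b"\x78\xda": "zlib"}

def identify_magic(data: bytes) -> str:
    """Name the container suggested by the first bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def try_inflate(data: bytes) -> Optional[bytes]:
    """Decompress zlib or gzip data (wbits=47 auto-detects either header)."""
    try:
        return zlib.decompress(data, wbits=47)
    except zlib.error:
        return None

def triage(root: str) -> List[Dict]:
    """Describe every file under a copied-out Chrome 'File System' tree."""
    rows = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        kind = identify_magic(data)
        inflated = try_inflate(data) if kind in ("gzip", "zlib") else None
        rows.append({"path": path.relative_to(root).as_posix(), "size": len(data),
                     "sha256": hashlib.sha256(data).hexdigest(), "magic": kind,
                     "inflated_size": None if inflated is None else len(inflated)})
    return rows

def demo() -> List[Dict]:
    """Constructed sample tree (not real Drive data) so the triage runs offline."""
    root = Path(tempfile.mkdtemp()) / "File System" / "000" / "t" / "00"
    root.mkdir(parents=True)
    (root / "00000000").write_bytes(gzip.compress(b"hello drive " * 20))
    (root / "00000001").write_bytes(zlib.compress(b"{\"title\": \"memo\"}"))
    (root / "00000002").write_bytes(b"\x00\x01\x02opaque")
    return triage(str(root.parents[2]))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```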