Notifications
Clear all

Dropbox

5 Posts
4 Users
0 Likes
525 Views
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Hi, am looking at an image of a Win7 Enterprise SP1 system, user account is a domain account and I don't have the login password.

There is evidence of Dropbox on the image
C\Users\username\Dropbox

And in there is .dropbox.cache folder which contains 13 files with apparently random filenames e.g. W_PvX38y0_XzUMwFv85afArXtyBNVLKNK5GuejANCi8. 9 of these files 1re 4,098 KB, 3 are a tad under or over 4000KB, and the final one is 2945KB. The most recent modifed timestamp is 2nd June 2013. We also have a $30 but nothing else.

There is no other sign of Dropbox in the AppData folder, or anywhere else on the C drive.

UserAssist shows no sign of Dropbox, nothing in PreFetch, and nothing found by any of these RegRipper plugins UserAssist, soft_run, comdlg32, appcompatcache, appcompatflags, muicache, runmru

I run Dropbox 2.10.3 on the my system with the same OS, but the Dropbox artefacts on my system are in a different location i.e. C\Users\username\AppData\Roaming\Dropbox - and the artefacts are different
Folders
bin
installer
instance1
instance_db
l
logs
shelletc

Files
$30
$TXF_DATA
host.db
host.dbx
info.json
unlink.db

I've had a scour around here and on my friend Google but - although I was fairly sure I'd seen this discussion before - I could only find reference to Magnet's Dropbox Decryptor (but it wants to analyse files I don't have e.g. filecache.dbx), and cybermarshal's Dropbox Reader (which needs the login password).

Is there a way to analyse the Dropbox artefacts I'm looking at on this image?

Cheers

 
Posted : 28/07/2014 6:36 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Dropbox Decryptor
http//www.magnetforensics.com/dropbox-decryptor-a-free-digital-forensics-tool/

 
Posted : 28/07/2014 9:50 pm
Bendroid
(@bendroid)
Posts: 35
Eminent Member
 

@Igor - read again P

@OP I can only assume there was an older version of Dropbox with difernt file formats, but that's just a guess, me no Dropbox expert.

 
Posted : 29/07/2014 2:54 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

The dropbox.cache folder contains encrypted files, the below is a quote from Jad (Magnet forensics) regarding a query I sent him about those files..

In regards to the files in the Dropbox cache folders, they appear to be encrypted files and I’m not sure if there’s a way to decrypt them. The methods we use for the databases don’t work on these files.

It would be worth trying Magnet Forensics IEF and letting it do a complete search on the disk image directly and see what can be located. You can get a 15 day trial of IEF from memory.

 
Posted : 29/07/2014 11:11 am
(@cults14)
Posts: 367
Reputable Member
Topic starter
 

@Igor - read again P

Indeed!

@OP I can only assume there was an older version of Dropbox with difernt file formats, but that's just a guess, me no Dropbox expert.

Thanks, I was guessing that was the case but didn't find any reference (although I'm sure I'd seen a discussion somewhere - I thought on here - on this very topic in the last couple of months.

It would be worth trying Magnet Forensics IEF and letting it do a complete search on the disk image directly and see what can be located. You can get a 15 day trial of IEF from memory.

Thanks I'll give that a try

Cheers

 
Posted : 30/07/2014 1:20 pm
Share: