Hi, am looking at an image of a Win7 Enterprise SP1 system, user account is a domain account and I don't have the login password.
There is evidence of Dropbox on the image
C:\Users\username\Dropbox
And in there is .dropbox.cache folder which contains 13 files with apparently random filenames e.g. W_PvX38y0_XzUMwFv85afArXtyBNVLKNK5GuejANCi8. 9 of these files are 4,098 KB, 3 are a tad under or over 4000KB, and the final one is 2945KB. The most recent modified timestamp is 2nd June 2013. We also have a $30 but nothing else.
There is no other sign of Dropbox in the AppData folder, or anywhere else on the C drive.
UserAssist shows no sign of Dropbox, nothing in PreFetch, and nothing found by any of these RegRipper plugins UserAssist, soft_run, comdlg32, appcompatcache, appcompatflags, muicache, runmru
I run Dropbox 2.10.3 on my system with the same OS, but the Dropbox artefacts on my system are in a different location i.e. C:\Users\username\AppData\Roaming\Dropbox - and the artefacts are different
Folders
bin
installer
instance1
instance_db
l
logs
shelletc
Files
$30
$TXF_DATA
host.db
host.dbx
info.json
unlink.db
I've had a scour around here and on my friend Google but - although I was fairly sure I'd seen this discussion before - I could only find reference to Magnet's Dropbox Decryptor (but it wants to analyse files I don't have e.g. filecache.dbx), and cybermarshal's Dropbox Reader (which needs the login password).
Is there a way to analyse the Dropbox artefacts I'm looking at on this image?
Cheers
Dropbox Decryptor
http//
@Igor - read again :P
@OP I can only assume there was an older version of Dropbox with different file formats, but that's just a guess, me no Dropbox expert.
The dropbox.cache folder contains encrypted files, the below is a quote from Jad (Magnet forensics) regarding a query I sent him about those files..
In regards to the files in the Dropbox cache folders, they appear to be encrypted files and I’m not sure if there’s a way to decrypt them. The methods we use for the databases don’t work on these files.
It would be worth trying Magnet Forensics IEF and letting it do a complete search on the disk image directly and see what can be located. You can get a 15 day trial of IEF from memory.
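A way to triage the 13 `.dropbox.cache` files discussed in this thread, as an added example that is not from any poster, Dropbox or Magnet Forensics: it inventories size, modified time and byte entropy, and tests whether a 43-character filename is the base64url SHA-256 of the file's own content. That naming hypothesis and the function names `shannon_entropy`, `name_as_digest` and `triage` are assumptions made for this example.

```python
import base64, hashlib, math, os, re, sys
from collections import Counter
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 point to encrypted or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def name_as_digest(name: str):
    """Assumption under test: a 43-char name is unpadded base64url of 32 bytes."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", name):
        return None
    return base64.urlsafe_b64decode(name + "=")

def triage(folder: str, sample: int = 1 << 20):
    """Inventory each file: size, mtime, entropy of the first MiB, name checks."""
    rows = []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name):
        if not entry.is_file():
            continue
        st = entry.stat()
        sha = hashlib.sha256()
        with open(entry.path, "rb") as fh:
            head = fh.read(sample)
            sha.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                sha.update(chunk)
        digest = name_as_digest(entry.name)
        rows.append({
            "name": entry.name,
            "size_kb": round(st.st_size / 1024, 1),
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "entropy": round(shannon_entropy(head), 3),
            "name_decodes_to_32_bytes": digest is not None,
            # True would mean the file is a plain block named after its own hash
            "name_matches_sha256": digest is not None and digest == sha.digest(),
        })
    return rows

if __name__ == "__main__":
    # Point this at an exported copy or read-only mount of the cache folder.
    for row in triage(sys.argv[1]):
        print(row)
```

A `name_matches_sha256` hit would mean the file is unencrypted content addressed by its hash. No match together with entropy near 8.0 is consistent with the encrypted-files reading quoted above, but entropy alone does not separate encryption from compression.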
@Igor - read again :P
Indeed!
@OP I can only assume there was an older version of Dropbox with different file formats, but that's just a guess, me no Dropbox expert.
Thanks, I was guessing that was the case but didn't find any reference (although I'm sure I'd seen a discussion somewhere - I thought on here - on this very topic in the last couple of months).
It would be worth trying Magnet Forensics IEF and letting it do a complete search on the disk image directly and see what can be located. You can get a 15 day trial of IEF from memory.
Thanks I'll give that a try
Cheers