A write-up about some forensic aspects of online storage/file-synching service Dropbox™

Cloud-based services are becoming more prevalent, and not just for businesses – end- and home-users are taking advantage of opportunities to automate backups, make files available offline or from any computer, share files and photos, and so on. Many of these services are free or very low cost, even for several GB of storage space. With smartphone apps allowing an even greater level of access, it almost becomes a no-brainer for people who want to be able to get at their files from anywhere. Of course, this leads to thoughts of forensic implications since, well, that’s what I do.

So let’s say we have a typical IP theft scenario, where someone leaving a company is suspected of taking the ‘secret sauce’ with them. In the past we’ve considered transfer methods such as USB devices, optical media, local email, webmail, and even printing files. Perhaps a file-sharing site here and there. But with cloud services, files can be replicated to the web and accessed by the user anyplace, anytime. This could even occur without an obvious, deliberate attempt to take the data; after all, with automatic synching the files are in the cloud anyway.

The services that provide synch or other automated capabilities will have some application on the local system that creates a connection to the web storage account, runs the synch or backup, and allows the user to interact with the files. Some, if not all, of these can be run from multiple systems to access the same web storage account. Quite naturally, I have used some of these myself, one in particular being Dropbox™. I was poking around in the web portal for my account some time back, and happened across some interesting things which I thought had forensic implications; this lead to some testing, research, and this article.

How Dropbox™ works

So here’s a little overview of Dropbox ™… It has applications that run on Windows ®, Mac, Linux, iPhone, Android and Blackberry; for the purposes of this article, I am focusing solely on Windows ®. You sign up for the service, which is free to store up to roughly 2GB of data. You’re provided the opportunity (and prompted to do so) to download and install their little application; this by default will run with when the OS starts. This also adds a systray item that allows you to access the settings ('Preferences'), and your files. The application creates a ‘My Dropbox’ folder inside the user’s ‘My Documents’ folder, for local cached/offline copies of the files (this default location can be changed). These will then synch with the web storage and across all other computers connected to the account that are online. Multiple computers can be connected to one account; if these are on the same network, a feature called ‘LAN synch’ allows them to communicate with one another directly when synching files, in order to reduce bandwidth consumption (as a note, the synch only transfers the data that is changed, not the entire file).

Interesting/Unique features

In their FAQ, they discuss how to recover files that you’ve deleted, or revert/recover from undesired changes to a file. Turns out when you delete a file from your computer or the web portal, it’s not really gone. Well, we “forensicators” (to use the SANS ™ lingo) already knew that files deleted from a system were not actually gone, but from a web portal, too? So it turns out that it keeps the file around in a sort of live deleted state until permanently deleted (hmm, does this count against storage capacity?) or recovered (time frame is actually only 30 days for a free account). Said permanent deletion or recovery appears to occur only within the web portal. I have tested the local wiping of a file, which should remove all traces of it from the local system, only to find that it still exists in a deleted (but recoverable) state online. When you change a file, you can still go back to a previous version, using their version history/control feature. This is also for a limited time period with a free account (30 days); and unlimited with a paid account.

The deleted items can be accessed by clicking the ‘Show deleted files’ button at the top of the list of files for that directory. This button is only available if deleted files exist within that directory.

(Deleted Files Button)

The deleted files can then be seen; they appear in a lighter text, almost grayed-out. However, they can still be clicked on and selected; the file will even open or download. You will note that the numerical size value has been replaced with ‘deleted.’

(Deleted File)

Once selected (check the box) they can be recovered or permanently deleted. These features are accessed from the ‘More actions’ button (with dropdown menu).

(More Actions Menu)

There are a number of other options available in this menu, depending on the file selected. You will note that the ‘Previous versions’ option is available here; that shows up even if the current version is the only version. If multiple versions are available, clicking on this will give you the ability to recover previous ones. The whited-out area in the following screenshot actually gives the machine name of the system used for each version of the file (which I’m just paranoid enough not to put in a document to be published on the internet).

(File Versions)

These findings led me to think about scenarios in which this knowledge might become useful. What if someone stole data from their employer this way? What if they did so and tried to cover their tracks? We’ll look at each of those possibilities a little bit.

What if someone stole data and transferred it using their Dropbox ™ account? How could that be accomplished, and what evidence would that leave behind? There’s a number of ways that the data could be uploaded – local application synching to server or direct upload to server would be the most common, and would leave plenty of artifacts, at least under normal circumstances (LNK files, web history, access dates, userassist, etc). There may be some other, more arcane, ways to transfer data to Dropbox ™ though, including sending files via email, and synching IM chat logs. I have not done any testing into those and so cannot comment as to the existence, functionality or efficacy thereof.

This type of investigation would seem to be fairly straightforward, though. Someone has allegedly taken data without authorization, their system is imaged and Dropbox ™ is found to be installed. LNK files, UserAssist, and web history artifacts all point to an upload to the web. In addition (just to make it really easy) the investigation shows that the application is still installed, set to run on startup, and automatically logs into the web portal.

But what if an attempt was made to cover tracks, to foil the “lethal forensicator” (another use of SANS ™ terminology)? This is where we start digging deeper. Where is Dropbox™ installed? What changes are made to the registry on installation? What about network activity (it uses the internet, after all)? These and other questions are coming up next…