I have the user's computer...actually playing around with my own to see if there is some way to solve this.
I can see activity to Google Drive, Docs and Gmail...but this should apply to other cloud storage as well.
In this example, I created and edited a document within the Google Drive environment.
The URL string looks something like this: _htt_ps://docs.google.com/document/d/1fHkKMUxgvu7gLJKZNxz5SmM6riGstZxQrFAcSjmtRgK/edit
minus the _ of course, as I didn't want to post a clickable link.
What an investigator would be looking to do is decrypt that string between the /d/<encrypted filename>/edit.
If possible, you could easily see the filenames that were accessed in a Google Drive, for example.
Also, to add to this...you can click send shareable link...the encrypted string is the same that you would send an external party.
This is a clue anyway of where to possibly start, or stop I suppose, given that it is probably not a locally stored Google token and may not be possible at all if it is something generated on the Google side only to link to a file/folder.
I would think it would be impossible to decrypt (except maybe with a truly massive rainbow table).
Code to make the ID is likely something like this,
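    // Guessed scheme: the ID is the raw SHA-256 digest of the file name, base64url-encoded
    $document_id = base64url_encode(hash('sha256', "FileName.txt", true));

    // Standard base64 with '+' and '/' swapped for the URL-safe '-' and '_'
    function base64url_encode($data) {
        $b64 = base64_encode($data);
        $url = strtr($b64, '+/', '-_');
        return $url;
    }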
This is just a guess, I don't really know. But if it was like this, reversing a SHA256 hash just isn't possible, unless the file name was something really short like "a.txt".
But it is probably even worse than the above example as they might be salting the hash, or including the full document path as part of the file name, in which case even the trivial case would be impossible to decode. Or it might not be the file name at all. Just some internal document ID number.
An easy test would be to,
1) Create a document, note the URL. Delete it and recreate it with the same name again. Do you get the same URL for the 2nd instance of the document, if it has the same name?
2) Create a document, note the URL. Rename the document. Does the original URL still work?
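
A way to score the first test above and to check the guessed scheme against an observed ID, as an added example (not code from either poster). The function names and the sample observations are constructed for illustration; `THREAD_ID` is the ID from the URL quoted earlier in the thread.

```python
import base64
import hashlib
import re
from collections import defaultdict

# ID from the URL quoted in the thread.
THREAD_ID = "1fHkKMUxgvu7gLJKZNxz5SmM6riGstZxQrFAcSjmtRgK"
# Opaque segment between /d/ and the next slash.
DOC_ID_RE = re.compile(r"/document/d/([A-Za-z0-9_-]+)")

def extract_doc_id(url):
    """Return the ID segment of a document URL, or None."""
    m = DOC_ID_RE.search(url)
    return m.group(1) if m else None

def guessed_id(filename):
    """Port of the guessed PHP scheme: base64url(sha256(name)), '=' kept."""
    digest = hashlib.sha256(filename.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")

def decoded_length(doc_id):
    """Byte length of doc_id read as base64url, or None if it does not decode."""
    try:
        return len(base64.urlsafe_b64decode(doc_id + "=" * (-len(doc_id) % 4)))
    except ValueError:
        return None

def evaluate(observations):
    """Score (filename, url) pairs recorded while running test 1."""
    ids_by_name = defaultdict(set)
    for name, url in observations:
        ids_by_name[name].add(extract_doc_id(url))
    return {
        # Test 1: does the same name always yield the same ID?
        "name_determines_id": all(len(i) == 1 for i in ids_by_name.values()),
        # Does any observed ID equal the guessed hash of its name?
        "matches_guess": any(guessed_id(n).rstrip("=") in i
                             for n, i in ids_by_name.items()),
    }

# Constructed observations with placeholder IDs (not real documents);
# replace with the name/URL pairs noted while running the test.
SAMPLE = [
    ("FileName.txt", "https://docs.google.com/document/d/EXAMPLE-ID-AAAAAAAA/edit"),
    ("FileName.txt", "https://docs.google.com/document/d/EXAMPLE-ID-BBBBBBBB/edit"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(decoded_length(THREAD_ID), decoded_length(guessed_id("FileName.txt")))
```

Read as base64url, the 44-character ID from the thread decodes to 33 bytes, while the guessed scheme yields a 32-byte digest whose encoding ends in `=`.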