Not sure if everyone knows this, but in the Windows 10 Update v1709, there is a OneDrive setting that allows the user to only download files upon opening, but OneDrive will put a placeholder for that file if it is only synced but hasn’t been used.
https://
Interestingly enough, if you are doing an analysis and notice that a file in the OneDrive folder is all zeros in hex view, this is likely the culprit. I initially noticed this when I used EnCase to hash all my files and then created an MD5 list of a OneDrive folder and noticed SEVERAL files with no MD5 values, which were also all zeros in hex view. So if you create an MD5 list and then review it in Excel, it appears that anything with a blank MD5 value will NOT be on disk and is in the cloud only.
The setting for that flag is here:
\Users\<USER>\AppData\Local\Microsoft\OneDrive\settings\Business1\global.ini
And look for SavedPlaceholdersEnabledState = true
If it is true, then Files On-Demand is turned on. If false, then all of the files should physically be on the disk.
There is also a Windows OneDrive setting (right-click) to “Always keep on this device” which should physically place the file on disk, but I do not know where that setting flag is. I assume it is in a .dat file of some sort. The user can also manually select a OneDrive file that is physically on-disk and make it online-only again by using the right-click option on a file to “Free up space”. This leads to the file placeholder being all zeros again in hex.
HOWEVER, there is also a Windows 10 setting called “Storage sense” that, if it is turned on, COULD make the file go back to “Online only” after 30 days of non-use. However, this time period can be changed by the user.
https://
Storage sense registry settings at the end of this article
https://
NOTE: This Storage sense setting can also auto-delete files from the Downloads folder and Recycle Bin WITHOUT user interaction. HOWEVER, the user can also trigger a cleanup at any time.
So the old days of “if it is in the cloud, it should be synced to disk” or “bulk deletion is suspicious” require a deeper look at settings.
Does anyone know if the other cloud storage services allow for this?
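The check described in the post above, as an added Python example that is not part of the original post: it reads `SavedPlaceholdersEnabledState` from the contents of `global.ini`, lists the hash-list entries with a blank MD5, and tests extracted content for the all-zeros pattern. The CSV column names, the sample data and the UTF-16 BOM handling are assumptions made for the example.

```python
import csv
import io
import re

# Constructed samples. Only the key name comes from the post; the CSV column
# names ("Name", "MD5") are assumed and should match your tool's export.
SAMPLE_GLOBAL_INI = "SomeOtherKey = 1\nSavedPlaceholdersEnabledState = true\n"
SAMPLE_HASH_CSV = """Name,Logical Size,MD5
report.docx,48211,9e107d9d372bb6826bd81d3542a419d6
budget.xlsx,91344,
photo.jpg,2048113,
"""

def decode_ini(raw):
    """Decode settings bytes: UTF-16 if a BOM is present, otherwise UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def files_on_demand_state(ini_text):
    """True/False for SavedPlaceholdersEnabledState, None if the key is absent."""
    m = re.search(r"^\s*SavedPlaceholdersEnabledState\s*=\s*(\w+)",
                  ini_text, re.IGNORECASE | re.MULTILINE)
    return None if m is None else m.group(1).lower() == "true"

def is_all_zero(data):
    """True when non-empty content is only 0x00 bytes (placeholder in hex view)."""
    return len(data) > 0 and data.count(0) == len(data)

def blank_md5_rows(csv_text, name_col="Name", md5_col="MD5"):
    """Names of hash-list entries whose MD5 column is blank."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r[name_col] for r in rows if not (r.get(md5_col) or "").strip()]

def triage(ini_bytes, csv_text):
    """Combine the setting and the hash list into one finding."""
    state = files_on_demand_state(decode_ini(ini_bytes))
    blanks = blank_md5_rows(csv_text)
    if not blanks:
        verdict = "no blank MD5 entries"
    elif state is True:
        verdict = "Files On-Demand on: blank entries are likely cloud-only placeholders"
    elif state is False:
        verdict = "Files On-Demand off: blank entries need another explanation"
    else:
        verdict = "setting not found: check global.ini for this account"
    return {"files_on_demand": state, "blank_md5": blanks, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_GLOBAL_INI.encode("utf-16"), SAMPLE_HASH_CSV))
```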
We added a whole new cloud section into the FOR500 class to cover exactly this
You can check out