New Free Tool: Decrypting the Dropbox filecache.dbx file

Republished from the blog by Jad Saliba, Founder & CTO of Magnet Forensics (formerly JADsoftware)

I would like to introduce a new free tool we’ve just released to the forensics community called Dropbox® Decryptor. But first, some background.

Dropbox uses a file named filecache.dbx to store details about files that have been or will be synced to the Dropbox cloud. This file used to be a SQLite database (named filecache.db) and was easily viewed in a SQLite browser. In early 2012 Dropbox released an update that encrypted this file, and hence the new filename “filecache.dbx”.In mid-January of this year, we released IEF Triage v5.8 that added support for decrypting this file on a live system. Support will be added to IEF Standard for decrypting this file on a dead box (or forensic image) in the near future, but for now we wanted to release this free tool to allow you to decrypt these files on your own. The main limitation right now is that it only currently works on files obtained from a Windows XP or Vista system due to how Dropbox does the encryption. We hope to add support for Windows 7 when this capability is put into IEF.

So, on to the tool and how to use it! You’ll need to collect the following items first:

– The filecache.dbx file (located in [root]\Documents and Settings\username\Application Data\Dropbox on XP, or [root]\Users\Jad\AppData\Roaming\Dropbox on Vista)

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

– The entire Protect folder for that user (located in [root]\Documents and Settings\username\Application Data\Microsoft on XP, or [root]\Users\Jad\AppData\Roaming\Microsoft on Vista)

– A file containing the raw bytes from the Dropbox “Client” value under the “ks” key in the registry/NTUSER.dat file (full path is HKEY_CURRENT_USER\Software\Dropbox\ks)

– And finally, the user’s Windows login password

The dbx file and Protect folder are easy to grab, and you can use various registry viewers to pull out the Client value data. The file containing that data should look something like this:

Once you have those items, install and run the Dropbox Decryptor tool and point it at all the respective files or folders:

Click ‘Decrypt’ and you’ll get a filecache.db file saved in the output folder you specified which can then be opened by any SQLite browser. The ‘file_journal’ table is the one you’ll be most interested in:

TO REQUEST A DOWNLOAD of Dropbox Decryptor v1:
Please complete the form at:

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles