Cloud Forensics:Google Drive

Cloud Forensics:Google Drive

 วันนี้มาทดสอบการตรวจหาร่องรอยจาก GOOGLE DRIVE จากเครื่องคอมพิวเตอร์โดยพิจารณาจากอะไรบ้าง

ขั้นแรกทำการใช้โปรแกรม FTK Imager ทำสำเนาหลักฐานจากเครื่องคอมพิวเตอร์เป้าหมาย  ได้เป็น Forensic Image file ชื่อ CF009.E01 

Acquiring Disk Image with FTK Imager

Run Autopsy 4.15 and select New Case.

Provide the Case Name and the directory to store the case file. Click on Next.

• Choose the required data source type, in this case Disk Image and click on Next.
• Give path of the data source and click on Next.
• You reach here once all the modules have been ingested. You can begin begin investigating but i recommend waiting until analysis and integrity check is complete.

Google Drive Forensic Artifatcs 

Directories created when Google Drive is installed
<SYSTEMROOT>\Program Files\Google\Drive	In this folder you will find the executable file of the application
<SYSTEMROOT>\Program Files (x86)\Google\Drive	Here you will find information about the updates of the application
<SYSTEMROOT>\Users\<username>\GoogleDrive	This is the default folder used for synchronizing the user’s files with Google Drive cloud service
<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive	Here you will find all the native app’s files that store information about the app and the user’s data

Registry 

The installation of Google drive creates various keys and values inside the Registry. View the registry hives listed below in the forensic image of the suspect's hard disk.

    SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

    SOFTWARE\Google\Drive

    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync

 From the Registry we can obtain the installed version and the user folder.

Let’s check the Registry to see if the sync process starts automatically with the user’s login. The right key to view here is NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

 

Event Log

Path	<SYSTEMROOT>\Windows\System32\winevt\Logs\Application.evtx
Event ID	1033
Event Description Summary	Windows installer installed the product
Provider Name	MsInstaller
Event Data	Among others “<EventData> <Data> Backup and Sync From Google3.43.2448.907110330Google,Inc.(NULL)</Data>”

Prefetch

Windows stores Prefetch files at <SYSTEMROOT>\Windows\Prefetch.

WinPrefetchView

LNK (Shortcut) Files

• <SYSTEMROOT>\Users\<username>\Desktop\Google Drive.lnk
•  <SYSTEMROOT>\Users\<username>\Links\Google Drive.lnk
• <SYSTEMROOT>\ProgramData\Microsoft\Windows\Start Menu\Programs\Google \Drive\Google Drive.lnk

You can parse each of these lnk files with Eric Zimmerman's LECmd for detailed information. A truncated output is shown below.

Web-browsing history

You can find an SQLite database with browsing history under C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default.

The Log File

You can obtain information about the client sync session from the sync_log.log file located at <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\user_default. 
Database Artifacts

Database Artifacts

<SYSTEMROOT>\Users\<username>\AppData\Local\ Google\Drive\user_default\snapshot.db

<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\user_default\sync_config.db

 <SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive\cloud_graph\cloud_graph.db

 <SYSTEMROOT>Users\<username>\AppData\Local\Google\Drive\global.db

 snapshot.db

 Sync_config.db

• Client version installed
• Local sync root path
• User email

Credit:  ARTIFACTS OF GOOGLE DRIVE USAGE IN WINDOWS

                  cloud forensics google drive 

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง ADMIN เพื่อแก้ไขต่อไป
ขอบคุณครับ