Cloud Forensics:Google Drive forensics with Paraben's E3

Cloud Forensics:Google Drive forensics with Paraben's E3

The scenario was pretty basic. I performed each and every of the following actions (wherever applicable):

Install native Google Drive app.

Execute the application and synced it with my Google Drive’s account.

The scope of this research was to locate those artifacts that could prove that the above actions were made from the user. Lets see how that went.

Paraben's Electronic Evidence Examiner 

Start Electronic Evidence Examiner.

Add Evidence

Add evidence (if you add evidence before creating or opening a new case, the case will be created automatically and saved to the default location. The name of the case file will be case.e3).

Add New Evidence

The Add New Evidence window opens.

Select the evidence category (Image File) and the Source type.

Navigate to the Evidence Source and select it. 

Enter the Evidence name (opened image name by default) and click OK.

Get OS info

Content Analysis

Google Drive Forensic Artifacts 

Directories created when Google Drive is installed
<SYSTEMROOT>\Program Files\Google\Drive	In this folder you will find the executable file of the application
<SYSTEMROOT>\Program Files (x86)\Google\Drive	Here you will find information about the updates of the application
<SYSTEMROOT>\Users\<username>\GoogleDrive	This is the default folder used for synchronizing the user’s files with Google Drive cloud service
<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive	Here you will find all the native app’s files that store information about the app and the user’s data

<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive

Event Log

Path: C:\Windows\System32\winevt\Logs\Application.evtx

Event ID: 1033

Event Description Summary: Windows Installer installed the product.

Provider Name: MsInstaller

Prefetch

Application Name: GOOGLEDRIVESYNC.EXE

File Path:C:\Windows\Prefetch\GOOGLEDRIVESYNC.EXE-XXXXXXXX.pf

C:\Users\\AppData\Local\ Google\Drive\user_default\snapshot.db This database stores information about the files that have been synced with the user’s Google Drive account.

C:\Users\\AppData\Local\G oogle\Drive\cloud_graph\cloud_graph.db This database also stores information about the files that have been synced with the user’s Google Drive account.

C:\Users\\AppData\Local\ Google\Drive\user_default\sync_config.db This database stores information such as user’s Google Drive account email.

C:\Users\\AppData\Local\ Google\Drive\global.db This database also stores information such as user’s Google Drive account email.

Lnk File

Windows 10 Activity Timeline > Advance Search

Registry

The installation of Google drive creates various keys and values inside the Registry. View the registry hives listed below in the forensic image of the suspect's hard disk.

• SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

• SOFTWARE\Google\Drive

• 
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync

Paraben's Electronic Evidence Examiner Investigative Report

อ่านเพิ่มเติม: Google Drive

CREDIT:  ARTIFACTS OF GOOGLE DRIVE USAGE IN WINDOWS

                 CLOUD FORENSICS GOOGLE DRIVE 

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูลและเพื่อการศึกษาเท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง ADMIN เพื่อแก้ไขต่อไป
ขอบคุณครับ