Thursday, February 17, 2022

Cloud Forensics: Google Drive forensics with Paraben's E3


The scenario was pretty basic. I performed each of the following actions (where applicable):

Installed the native Google Drive app.

Executed the application and synced it with my Google Drive account.

The scope of this research was to locate the artifacts that could prove that the above actions were performed by the user. Let's see how that went.

Paraben's Electronic Evidence Examiner 

Start Electronic Evidence Examiner.


Add Evidence
Add evidence (if you add evidence before creating or opening a case, a new case is created automatically and saved to the default location; the case file is named case.e3).
Add New Evidence
The Add New Evidence window opens.
Select the evidence category (Image File) and the Source type.

Navigate to the Evidence Source and select it. 
Enter the Evidence name (opened image name by default) and click OK.

Get OS info

Content Analysis

Google Drive Forensic Artifacts 

Directories created when Google Drive is installed

<SYSTEMROOT>\Program Files\Google\Drive

This folder contains the executable file of the application.

<SYSTEMROOT>\Program Files (x86)\Google\Drive

This folder holds information about the application's updates.

<SYSTEMROOT>\Users\<username>\GoogleDrive

This is the default folder used for synchronizing the user's files with the Google Drive cloud service.

<SYSTEMROOT>\Users\<username>\AppData\Local\Google\Drive

This folder holds the native app's files that store information about the app and the user's data.


Event Log
Path: C:\Windows\System32\winevt\Logs\Application.evtx
Event ID: 1033
Event Description Summary: Windows Installer installed the product.
Provider Name: MsiInstaller

Prefetch
Application Name: GOOGLEDRIVESYNC.EXE
File Path: C:\Windows\Prefetch\GOOGLEDRIVESYNC.EXE-XXXXXXXX.pf

C:\Users\<username>\AppData\Local\Google\Drive\user_default\snapshot.db
This database stores information about the files that have been synced with the user's Google Drive account.

C:\Users\<username>\AppData\Local\Google\Drive\cloud_graph\cloud_graph.db
This database also stores information about the files that have been synced with the user's Google Drive account.

C:\Users\<username>\AppData\Local\Google\Drive\user_default\sync_config.db
This database stores information such as the email address of the user's Google Drive account.

C:\Users\<username>\AppData\Local\Google\Drive\global.db
This database also stores information such as the email address of the user's Google Drive account.
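The four databases listed above are SQLite files, so they can be queried directly from a copy taken out of the image. The script below is an added example, not part of the original post or of Paraben's E3: it opens an evidence copy read-only, lists every table and its columns (the step to take first, because the schema of these files changes between client versions), and then pulls the account email from sync_config.db and the synced-file entries from snapshot.db. The table and column names used in account_settings() and synced_files() (a data table with entry_key/data_value, and a cloud_entry table with doc_id, filename, modified, created, size, checksum and removed) are an assumption, as is the sample content built in memory by build_sample_db(); verify them with list_schema() against the real file before relying on the extraction queries.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data. The table and column names below are an ASSUMPTION about
# the layout of sync_config.db and snapshot.db; confirm them with list_schema()
# on the real evidence copy before trusting account_settings() or synced_files().
SAMPLE_SYNC_CONFIG_SQL = """
CREATE TABLE data (entry_key TEXT, data_key TEXT, data_value TEXT);
INSERT INTO data VALUES ('user_email', 'value', 'suspect@example.com');
INSERT INTO data VALUES ('local_sync_root_path', 'value', 'C:\\Users\\suspect\\GoogleDrive');
"""
SAMPLE_SNAPSHOT_SQL = """
CREATE TABLE cloud_entry (doc_id TEXT, filename TEXT, modified INTEGER,
                          created INTEGER, size INTEGER, checksum TEXT, removed INTEGER);
INSERT INTO cloud_entry VALUES ('doc-0001', 'plans.docx', 1645000000, 1644900000, 20480, 'aa11', 0);
INSERT INTO cloud_entry VALUES ('doc-0002', 'photo.jpg',  1645050000, 1645050000, 512000, 'bb22', 1);
"""


def open_evidence_db(path):
    """Open a database copied out of the image read-only, so the evidence is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db(sql):
    """Create an in-memory database from one of the constructed scripts above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(sql)
    return conn


def list_schema(conn):
    """Map every user table to its column names; run this first on an unfamiliar database."""
    schema = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    for (name,) in tables:
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
        schema[name] = cols
    return schema


def account_settings(conn):
    """Key/value pairs from sync_config.db (assumed table 'data'), e.g. the account email."""
    return dict(conn.execute("SELECT entry_key, data_value FROM data"))


def _utc(epoch_seconds):
    # Timestamps in these databases are Unix epoch seconds; render them as UTC ISO 8601.
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat()


def synced_files(conn, include_removed=False):
    """Rows from snapshot.db's assumed cloud_entry table with timestamps rendered as UTC."""
    sql = "SELECT doc_id, filename, modified, created, size, checksum, removed FROM cloud_entry"
    rows = []
    for doc_id, filename, modified, created, size, checksum, removed in conn.execute(sql):
        if removed and not include_removed:
            continue   # entries deleted in the cloud are still evidence, but are hidden by default
        rows.append({
            "doc_id": doc_id, "filename": filename, "size": size, "checksum": checksum,
            "modified_utc": _utc(modified), "created_utc": _utc(created),
            "removed": bool(removed),
        })
    return rows


if __name__ == "__main__":
    cfg = build_sample_db(SAMPLE_SYNC_CONFIG_SQL)
    snap = build_sample_db(SAMPLE_SNAPSHOT_SQL)
    print("schema:", list_schema(snap))
    print("account:", account_settings(cfg))
    for entry in synced_files(snap, include_removed=True):
        print(entry)
```

Against a real image, replace build_sample_db() with open_evidence_db() on a copy of each file; the read-only URI keeps the copy's hash unchanged, which matters when the extraction has to be reproduced in the report.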
Lnk File

Windows 10 Activity Timeline > Advance Search

Registry

The installation of Google Drive creates various keys and values inside the Registry. View the registry hives listed below in the forensic image of the suspect's hard disk.

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
  • SOFTWARE\Google\Drive

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveSync
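The file-system artifacts collected in this post (install directories, the sync folder, the databases, Application.evtx, the prefetch file and the hive files that hold the keys above) can be checked in one pass over a mounted image. The script below is an added example, not code from the post or from Paraben: triage() walks the listed locations for every profile under Users\, records size and modification time for each hit so they can be placed on a timeline, and missing() reports which system-wide artifacts are absent, which is useful when an uninstall or cleanup is suspected. The paths come from the post; the locations of the SOFTWARE and NTUSER.DAT hive files are the standard Windows ones and are an assumption here, as are the prefetch hash 1A2B3C4D and the temporary directory tree built by build_sample_image() to stand in for a mounted image.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Locations from the post, relative to the root of a mounted image with the drive
# letter dropped. Per-user entries are resolved for every profile under Users/.
# The two hive file paths are the standard Windows locations, added here as an
# assumption about where the SOFTWARE and NTUSER.DAT hives named in the post live.
SYSTEM_ARTIFACTS = [
    "Program Files/Google/Drive",
    "Program Files (x86)/Google/Drive",
    "Windows/System32/winevt/Logs/Application.evtx",
    "Windows/System32/config/SOFTWARE",
]
USER_ARTIFACTS = [
    "GoogleDrive",
    "AppData/Local/Google/Drive",
    "AppData/Local/Google/Drive/user_default/snapshot.db",
    "AppData/Local/Google/Drive/user_default/sync_config.db",
    "AppData/Local/Google/Drive/cloud_graph/cloud_graph.db",
    "AppData/Local/Google/Drive/global.db",
    "NTUSER.DAT",
]
# The prefetch hash varies per system, so it is matched with a wildcard.
PREFETCH_GLOB = "Windows/Prefetch/GOOGLEDRIVESYNC.EXE-*.pf"


def _record(root, path):
    """One timeline row: image-relative path, type, size and UTC modification time."""
    st = path.stat()
    return {
        "artifact": path.relative_to(root).as_posix(),
        "kind": "dir" if path.is_dir() else "file",
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def triage(root):
    """Return the Google Drive artifacts present under a mounted image root, oldest first."""
    root = Path(root)
    hits = []
    for rel in SYSTEM_ARTIFACTS:
        p = root / rel
        if p.exists():
            hits.append(_record(root, p))
    users = root / "Users"
    if users.is_dir():
        for profile in sorted(users.iterdir()):
            for rel in USER_ARTIFACTS:
                p = profile / rel
                if p.exists():
                    hits.append(_record(root, p))
    for pf in sorted(root.glob(PREFETCH_GLOB)):
        hits.append(_record(root, pf))
    return sorted(hits, key=lambda h: h["mtime_utc"])


def missing(root):
    """System-wide artifacts from the list that are absent, a hint of an uninstall or cleanup."""
    return [rel for rel in SYSTEM_ARTIFACTS if not (Path(root) / rel).exists()]


def build_sample_image():
    """Constructed stand-in for a mounted image: a temp tree holding some of the artifacts."""
    root = Path(tempfile.mkdtemp(prefix="gdrive_image_"))
    for rel in [
        "Program Files/Google/Drive/googledrivesync.exe",
        "Users/suspect/AppData/Local/Google/Drive/user_default/snapshot.db",
        "Users/suspect/AppData/Local/Google/Drive/user_default/sync_config.db",
        "Users/suspect/NTUSER.DAT",
        "Windows/Prefetch/GOOGLEDRIVESYNC.EXE-1A2B3C4D.pf",   # constructed hash
        "Windows/System32/winevt/Logs/Application.evtx",
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    root = build_sample_image()
    for hit in triage(root):
        print(f'{hit["mtime_utc"]}  {hit["kind"]:4}  {hit["artifact"]}')
    print("missing:", missing(root))
```

Point triage() at the mount point of the image (for example the root of a read-only mounted E01) instead of the sample tree; the modification times it reports come from the image's file system and belong next to the Event ID 1033 timestamp and the prefetch last-run time when the install and first sync are reconstructed.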

Paraben's Electronic Evidence Examiner Investigative Report


Read more: Google Drive

CLOUD FORENSICS: GOOGLE DRIVE

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD 


Note: the content on this website is provided for informational and educational purposes only.

* If any of the information is in error, I apologize; please notify the ADMIN so it can be corrected.
Thank you.
