Blog >> Android Google Drive

Investigating Android Google Drive

24/05/2024 Friday

Android Google Drive is the application used to manage Google Drive accounts on Android devices. Google Drive is part of Google Workspace and it is a cloud storage that allows its users to store, organize and share files and folders from anywhere, on any device. With its automatic synchronization, files saved in Google Drive are accessible across all devices linked to the same Google account, ensuring data is always up-to-date and available from anywhere.

Digital Forensics Value of Android Google Drive

The artifacts generated by the Android Google Drive application offer a valuable source of information for forensic examiners. Forensic analysts can extract valuable data such as timestamps, file versions, sharing activity, and access logs, providing a detailed timeline of user actions and interactions. Additionally, metadata associated with stored files can offer insights into user behavior, patterns, and potential anomalies.

Location of Android Google Drive Artifacts

Android Google Drive artifacts can be found at the following locations:
*/com.google.android.apps.docs/databases/DocList.db
*/com.google.android.apps.docs/app_cello/*/cello.db

Analyzing Android Google Drive Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Android Google Drive artifact from Android devices' files and what kind of digital forensics insights we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Google Drive artifact parsers:

Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Google Drive artifact in ArtiFast.

Android Google Drive Items

• Created Date/Time: The date/time when this item has been created.
• Modified Date/Time: The date/time when this item has been modified.
• Viewed By The User Date/Time: The date/time when this item has been viewed by the user.
• Shared With The User Date/Time: The date/time when this item has been shared with the user.
• Modified By The User Date/Time: The date/time when this item has been modified by the user.
• Email Address: The email address of the account holder.
• Title: The title of the item saved to the drive.
• MIME Type: The type of the data stored in this file.
• Quota Size: The size of the file.
• Item Type: Indicates whether this item is a file or folder.
• Is Owned By User: Indicates whether this item is owned by this device user or not.
• Is Trashed: Indicates whether this item is moved to the trash or not.
• Is Starred: Indicates whether this item is starred by the user or not.
• Is Hidden: Indicates whether this item is hidden or not.
• Owner: Item owner.
• Last Modifier Account Alias: Last modifier account name.
• Shared With Me Account Name: Account name that shared the item with user.
• Html URI: Item HTML URI.
• Shared: Indicates whether this item is shared or not.
• Can Edit: Indicates whether the user can edit or not.
• Is Local Only: Indicates whether or not the item is local.
• Can Trash: Indicates whether the user can trash or not.
• Starred: Indicates whether the item is starred or not.
• Can Copy: Indicates whether the user can copy or not.
• Can Download: Indicates whether the user can download or not.
• Can Delete: Indicates whether the user can delete or not.
• Deleted Forever: Indicates whether the item is deleted forever.
• Can Share: Indicates whether the user can share or not.
• Account ID: Account ID.
• ID: Item ID.
• Recency Time: Recency time.
• Resource ID: Resource ID.
• MD5 Checksum: Item MD5 checksum.
• Can Rename: Indicates whether the user can rename.
• Can Add Children: Indicates whether the user can add children.
• Can List Children: Indicates whether the user can list children.
• Can Print: Indicates whether the user can print.
• Sequence Number: Item sequence number.
• Entry ID: Item entry ID.
• Version Number: Item version number.

Android Google Drive Accounts

• Last Synchronization Time: The date and time when this account was last synchronized.
• Last Updated Time: The date and time when this account was last updated.
• Account Holder Name: The account holder's name.
• Account ID: The account ID.
• Is Synchronization In Progress: Indicates whether the synchronization process is in progress or not.
• Last Synchronization Sequence Number: The last synchronization sequence number.
• Total Available Space: The total available space for this account.
• Total Used Space: The total used space for this account.
• Account Type: The type of this account.
• Is Offline Policy Enabled: Indicates whether the offline policy is enabled or not.

For more information or suggestions please contact: kalthoum.karkazan@forensafe.com