Box Blog

Investigating Box

27/05/2021 Thursday

Box is a cloud computing service that offers file sharing, collaboration, and cloud storage. In addition, it allows users to share information with other users and manage content across devices. Box was founded in 2005 and is available in several platforms such as for Windows, macOS, and several mobile platforms.

Digital Forensics Value of Box Artifacts

Box artifacts provide information about data and files that users upload and share with other users as well as the app configuration. This information is critical during the digital forensic analysis, as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of Box Artifacts

In Windows 10 Box artifacts are located at C:\Users\%username%\Box

Structure of Box Artifacts

Box artifact consists of a database and log files. The logs contain information about network connection, the application launch times, file IDs of the files being edited, whether the files were updated successfully, and the user’s action. On the other hand, the database streemfs.db contains information about Box files, cache files, and virtual files.

Analyzing Box Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Box artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Box artifacts:

ArtiFast can analyze Box FS Nodes, Preference, Local Items, Items, Local Events, and Logs. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Box artifacts in ArtiFast software.

Box FS Nodes Artifact

Last Consistent Size - Size in bytes at the last consistent state.
Creation Date - The date and time an item was created.
Item Last Access Date - The date and time an item was last accessed.
Item Name - Item name.
Parent Folder - Parent folder of the item.
Is File - Indicates whether the item is a file.
Modification Date - The date and time an item was last modified.
Size - File size in bytes.
Is Dirty Data - Indicates whether the data is dirty data.

Box Items Artifact

Creation Date - The date and time an item was created.
Item Type - Type of the item.
Parent Folder - Parent folder of the item.
Item Name - Item name.
Item Size - Item size in bytes.
Last Update Date - The date and time an item was last updated.

Box Local Events Artifact

Creation Date - The date and time an event was created.
Item Old Name - Item old name.
Sync Event Type - Item sync event type.
Base Name - Item base name.
Last Update Date - The date and time an item was last updated.
Item Native Type - Native type of the item.
Item Size - Item size in bytes.

Box Local Items Artifact

Creation Date - The date and time an item was created.
Item Type - Type of the item.
Parent Folder - Parent folder of the item.
Item Size - Item size in bytes.
Last Update Date - The date and time an item was last updated.
Item Name - Item name.

Box Logs Artifact

Logged Date - The date and time it was logged.
Log Level - Log level.
Component - Logged component.
Source File - Source file of the logged component.
Log Message - Logged message.
Process - Log process.
Offset - Log offset.

Box Preferences Artifact