Investigating Box Sync
28/05/2021 Friday
Box Sync is a productivity platform that helps mirror Box-saved data to the user’s desktop. Without using a web browser, the user can access and change the content stored on the Box website via the native file browsing interface. Offline connectivity is required for content that synchronizes with the user’s computer.
Digital Forensics Value of Box Sync Artifacts
Box Sync contains information about offline folders and offline accessed folders. This information is critical during forensic analysis, as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.
Location of Box Sync Artifacts
In Windows 10 Box Sync artifacts are located at C:\Users\%username%\Box Sync
Structure of Box Sync Artifacts
Box Sync contains two main file types, databases and log files. First, the databases contain information about files and folder in the Box Sync application. The Sync.db database stores information about files that have been synced with Box. Second, log files contain logs about all users’ actions and authentications entries.
Analyzing Box Sync Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to analyze Box Sync artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Box Sync artifacts:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Box Sync artifacts in ArtiFast software.
Box Sync Preferences Artifact
- Last Modified Time - The date and time an item was last modified.
- Currently Logged In - Indicates whether the user is currently logged in.
- Display Username - User display name.
- Box Homepage - Box homepage website link.
- Login Name - User logging name.
- Last Sync Time - The date and time an item was last synced.
- Enterprise Name - Enterprise name.
- Is First Run - Indicates whether the Box opens at first run.
- Sync Directory - Box sync directory.
Box Sync Local Items Artifact
- Creation Date - The date and time an item was created.
- Item Type - Type of the item.
- Parent Folder - Parent folder of the item.
- Item Size - Item size in bytes.
- Item Name - Item name.
- Is Deleted - Indicates whether the item is deleted.
- Last Update Date - The date and time an item was last updated.
Box Sync items Artifact
- Last Modified Date - The date and time the database was last modified.
- Item Type - Type of the item.
- Parent Folder - Parent folder of the item.
- Item Name - Item name.
- Item Size - Item size in bytes.
- Is Deleted - Indicates whether the item is deleted.
Box Sync Logs Artifact
- Logged Date - The date and time it was logged.
- Process ID - Logged process ID.
- Log Message - Logged message.
- Process - Log process.
- Thread - Log thread.
- Log Level - Log level.
