Blog >> Dropbox

Investigating Dropbox

04/05/2021 Tuesday

Dropbox is a file hosting service founded in 2007 that offers cloud storage, file synchronization, personal cloud, and client software. Dropbox brings files together in one place by creating a special folder on the user's computer. The contents of these directories are synchronized to the servers of Dropbox and other computers and systems where Dropbox has been installed by the user, keeping the same files up to date on all devices. Dropbox is available for Microsoft Windows, Apple macOS, and Linux computers, and mobile apps for iOS, Android, and Windows Phone smartphones and tablets.

Digital Forensics Value of Dropbox Artifacts

Dropbox file contains information about files that users uploaded and synced to Dropbox, cloud data, and configuration. This information is critical during the forensic analysis process, as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of Dropbox Artifacts

Windows 7/10: C:\Users\hp\AppData\Roaming\Dropbox

Structure of Dropbox Artifacts

Dropbox artifacts are stored in SQLite Database files that contains multiple tables. These tables contain information regarding files that users uploaded and synced to Dropbox.

Analyzing Dropbox Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Dropbox artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Dropbox artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Dropbox artifacts in ArtiFast software.

Dropbox (WindowsApp) Actions Artifact

• Action Name - File action name (edited/not edited).
• Action Date - Action date.
• Item Mime Type - File type.
• Username - The username.
• User Display Name - User display name.
• Item Path - Item file path.
• Item Size - Item size.
• In Dropbox - Indicates whether the file is located in Dropbox.
• Modified Time - File last modified time.
• Is local - Indicates whether the file is local.
• Bytes - File size in bytes.
• Item Name - Item name.
• User Email - User email.
• Is Deleted - Indicates whether the file is deleted.

Dropbox (Win Apps) Cached Items Artifact

• Folder - Cached item folder name.
• Local Cache Item Folder - Local cache item folder.
• Local Last Modified Time - Item local last modified time.
• Local File Size - Local file size in bytes.
• Path - File path of the item.
• Hash - Hash value of the item.
• File Name - File name.
• Last Access Time - File last access time.

Dropbox (Win Apps) Files Artifact

• Is Read Only - Indicates whether the file is Read Only.
• Client Modification Time - File modification time by client.
• Bytes - File size in bytes.
• File Path - File path.
• Is Locked - Indicates whether the file is locked.
• Is Sharable - Indicates whether the file is sharable.
• Can Stream - Indicates whether the file is streamable.
• Size - File size.
• Content Type - File content type.
• Last Modified - The date/time when the file was last modified.

Dropbox (Win Apps) Folders Artifact

• Is Read Only - Indicates whether the file is Read Only.
• Is Sharable - Indicates whether the file is sharable.
• Root Folder - Root folder.
• Folder Path - Folder path.
• Last Update - The date/time when the folder was last updated.
• Is Locked - Indicates whether the file is locked.
• Last Modified - The date/time when the folder was last modified.

Dropbox (Win Apps) Gallery Items Artifact

• Duration - Item duration.
• Size - File size.
• Path - Item path.
• Content Type - Item content type.
• Time Created - The time when item was taken or created.

Dropbox (Win Apps) Preview Items Artifact

• Local Preview Item Folder - Local preview item folder.
• Local Last Modified Time - Item local last modified time.
• File Name - File name.
• Path - Item path.
• Folder - Preview item folder.
• Last Access Time - The date/time when the file was last accessed.

Dropbox (Win Apps) Recent Actions Artifact

• Action Name - Action name.
• Action Date - Action date.
• Is Deleted - Indicates whether the file is deleted.
• Modified Time - File last modified time.
• Bytes - File size in bytes.
• Item Name - Item name.
• Item Path - Item file path.
• In Dropbox - Indicates whether the file is located in Dropbox.
• Is Folder - Indicates whether the file is a folder.
• Is Read Only - Indicates whether the file is Read Only.
• Action Display - Action display.
• Is Local - Indicates whether the file is local.
• Is Sharable - Indicates whether the file is sharable.

Dropbox (Win Apps) Starred Cached Items Artifact

• Title - Item title.
• Display Type - Item display type.
• Item Path - Item file path.

Dropbox Avatar Cache Artifact

• Fetch Time - Time avatar fetched.
• Account Avatar - Account avatar.
• Account ID - Account ID.
• Use Time - the date/time when the avatar was used.

Dropbox Items Artifact

• Item Name - Item name.
• Account ID - Item Account ID.
• Item Type - Item type.
• Is Calendar Item - Indicates whether the item is a calendar.
• Starred Time - Time the item was starred.
• Is Starred - Indicates whether the item is starred.
• Server Path - Item file path on the server.
• Server Fetch Time - Time item fetched from server.

Dropbox Non Local Items Artifact

• Is Share - Indicates whether the item is shared.
• Item Type - Item type.
• Is Directory - Indicates whether the item is a directory.
• Item Name - Item name.
• Account ID - Account ID.
• URL - Item URL.
• Server Fetch Time - The date/time when the item was fetched from server.

Dropbox Notifications Artifact

• Item Name - Item name.
• Item Type - Item type.
• Server Path - Item file path on the server.

Dropbox Recent Actions Artifact

• Account ID - Account ID.
• Is Local Action - Indicates whether the action occurred locally.
• Server Path - File path on the server.
• Server Fetch Time - The date and time when the item was fetched from server.
• Item Type - Item type.
• Action Type - Action type.
• Item Name - Item name.
• Action Time - The date and time when the action occurred.

Dropbox Suggested Items Artifact

• Thumbnail URL - Thumbnail URL.
• Account ID - Account ID.
• Item type - Item type.
• Item Name - Item name.
• Suggestion Time - The data/time when the item was suggested.