Investigating Google Drive
06/08/2021 Friday
Google Drive is a file storage and synchronization service developed by Google. Launched in April 2012, Google Drive lets users store files on Google's servers, synchronize files between computers, and share files with others. Google Drive also offers offline capabilities and includes the Google Docs Editors office suite (Google Docs, Google Sheets, Google Slides, and others), which permits collaborative editing of documents, spreadsheets, presentations, drawings, forms, and more. Google Drive is available for Microsoft Windows, Apple macOS, and as mobile apps for iOS and Android smartphones and tablets.
Digital Forensics Value of Google Drive Artifacts
Google Drive artifacts contain information about the files that users uploaded and synced to Google Drive, cloud data, and application configuration. This information is critical during forensic analysis because it tells investigators which artifacts are likely to remain on a system and what can be recovered from them.
Location of Google Drive Artifacts
On Windows 10 systems the artifacts are located at: C:\Users\username\AppData\Local\Google\Drive (where username is the profile of the account that ran the Google Drive client).
Structure of Google Drive Artifacts
Google Drive artifacts contain information about files that users uploaded and synced to Google Drive. They comprise several sub-artifacts, such as actions, cached items, files, folders, starred cached items, previewed items, gallery items, and recent actions.
- Google Drive sync - The sync_config.db and global.db databases contain the Google account name and the location of the local Google Drive folder.
- Google Drive items & preferences - The snapshot.db and cloud_graph.db databases contain information about the files that have been synced with the user's Google Drive account, including their sizes, modification timestamps, and MD5 hashes.
- Google Drive preferences - Global_preferences.db contains information about the user account that logged in to Google Drive.
- Google Drive logs - sync_log.log is a log file that records the actions a user performs with the application, such as deleting synced files.
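To make the database artifacts above concrete, here is an added triage script (not part of the original article and not ArtiFast code). It opens each of the named SQLite databases read-only from a collected Drive folder, lists every table with its columns and row count so an examiner can see what a given client version actually stored, and verifies a local file against an MD5 recorded in the database. The table and column names in the constructed sample are illustrative only; the real Google schemas are not reproduced here, which is why the script discovers tables dynamically instead of assuming them.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Database files named in the article, found under %LocalAppData%\Google\Drive
DRIVE_DATABASES = ["sync_config.db", "global.db", "snapshot.db", "cloud_graph.db"]


def inventory_database(db_path):
    """Return {table: {"columns": [...], "rows": n}} for one SQLite file.

    The file is opened read-only via a URI so the evidence copy is never modified.
    """
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        result = {}
        names = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
        for (table,) in names:
            # Table names come from sqlite_master, so quoting them is safe here.
            columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
            rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            result[table] = {"columns": columns, "rows": rows}
        return result
    finally:
        conn.close()


def inventory_drive_folder(folder):
    """Inventory every known Drive database present in folder.

    Databases that are absent (older/newer client versions differ) map to None
    rather than raising, so the examiner sees exactly what was collected.
    """
    folder = Path(folder)
    report = {}
    for name in DRIVE_DATABASES:
        path = folder / name
        report[name] = inventory_database(path) if path.is_file() else None
    return report


def verify_md5(local_file, recorded_md5):
    """Compare a file in the synced folder with the MD5 the database recorded."""
    digest = hashlib.md5()
    with open(local_file, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().lower() == recorded_md5.strip().lower()


def build_sample_folder():
    """Constructed sample folder (assumption: illustrative table layout only).

    Creates a snapshot.db with a made-up 'sample_entries' table and one synced
    file, so the functions above can be exercised without real evidence.
    """
    folder = Path(tempfile.mkdtemp(prefix="drive_sample_"))
    (folder / "hello.txt").write_bytes(b"hello")  # md5 5d41402abc4b2a76b9719d911017c592
    conn = sqlite3.connect(folder / "snapshot.db")
    conn.execute(
        "CREATE TABLE sample_entries (filename TEXT, size INTEGER, modified INTEGER, md5 TEXT)"
    )
    conn.executemany(
        "INSERT INTO sample_entries VALUES (?, ?, ?, ?)",
        [
            ("hello.txt", 5, 1623110400, "5d41402abc4b2a76b9719d911017c592"),
            ("report.docx", 20480, 1623196800, "00000000000000000000000000000000"),
        ],
    )
    conn.commit()
    conn.close()
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for db_name, tables in inventory_drive_folder(sample).items():
        if tables is None:
            print(f"{db_name}: not present")
            continue
        for table, info in tables.items():
            print(f"{db_name}/{table}: {info['rows']} rows, columns={info['columns']}")
    print("hello.txt matches recorded MD5:",
          verify_md5(sample / "hello.txt", "5d41402abc4b2a76b9719d911017c592"))
```

Point the script at a copy of the Drive folder exported from the image rather than at the live profile; the read-only URI guards against accidental writes but does not replace working from a verified copy.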
Analyzing Google Drive Artifacts with ArtiFast Windows
This section discusses how to use ArtiFast Windows to analyze Google Drive artifacts from Windows machines and what kind of digital forensics insights can be gained from them.
After you have created your case and added evidence for investigation, select the Google Drive artifact at the Artifacts Parser Selection phase.
Once the ArtiFast parser plugins have finished processing the artifacts, the results can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Google Drive artifacts in ArtiFast.
Google Drive Preferences Artifact
- File Last Modified Date - The date the preferences file was last modified.
- App Version - The application version.
- Machine Folder Name - The Google Drive folder name on the local machine.
- Local Sync Path - The local path of the synced folder.
- User Email - The email address of the signed-in user.
- User Paused - 'yes' if the user has paused syncing, otherwise 'no'.
- USB Sync Enabled - 'yes' if USB sync is enabled, otherwise 'no'.
- External Media Folder Name - The external media folder name.
- Delete Mode - The configured delete mode (Remove Items Everywhere, Ask Me Before Removing Items Everywhere, Don't Remove Items Anywhere).
- Selective Sync - 'yes' if selective sync is enabled, otherwise 'no'.
- Always Show in Photos - 'yes' if Always Show in Photos is enabled, otherwise 'no'.
- Feed Mode - The feed mode status.
- Warning on Delete - 'yes' if Warning on Delete is enabled, otherwise 'no'.
- Synced Directories - The list of synced folders.
Google Drive Items Artifact
- Last Modified Date - The item's last modified date.
- Created Date - The item's creation date.
- Document Id - The document ID.
- File Name - The item's file name.
- Document Origin - The document origin (Shared by User or Account Owner).
- Document Type - The document type.
- Document Size - The document size in bytes.
- Is Shared - 'yes' if the item is shared, otherwise 'no'.
- Parent Folder - The item's parent folder.
- Volume Path - The item's volume path.
- Volume Size - The item's volume size.
- FileSystem - 'yes' if the item is a file system entry, otherwise 'no'.
Google Drive Device Artifact
- Device ID - The device ID.
- Device Label - The device label.
- Device Discovery Action - The device discovery action.
- USB Type - The USB type.
- Upload Time - The device upload time.
- Last Modified Date - The item's last modified date.
Google Drive Pending Files Artifact
- Full Path - The full path of the pending file.
- Device Discovery Action - The device discovery action.
- File Name - The file name.
- Device Label - The device label.
- Base Path - The file's base path.
- Last Modified Date - The item's last modified date.
Google Drive Last Execution Date Artifact
- Last Execution Date - The item's last execution date.
- PID - The item ID.
Google Drive Sync Artifact
- PID - The item ID.
- Severity - The severity of the log entry.
- Thread - The thread that wrote the log entry.
- Code Location - The code location that wrote the log entry.
- Action Summary - A summary of the logged action.
- Date-Time - The date and time of the sync entry.
- Modification Date - The item's modification date.
Google Drive Cloud Items Artifact
- Last Modified Date - The item's last modified date.
- Created Date - The item's creation date.
- Document Id - The document ID.
- File Name - The item's file name.
- Document Origin - The document origin (Shared by User or Account Owner).
- Document Type - The document type.
- Document Size - The document size in bytes.
- Is Shared - 'yes' if the item is shared, otherwise 'no'.
- Parent Folder - The item's parent folder.
- Is Zombie - 'yes' if the item is a zombie entry, otherwise 'no'.
- Download Restricted - 'yes' if downloading the item is restricted, otherwise 'no'.