OneDrive Blog

Investigating OneDrive

02/07/2021 Friday

OneDrive is a file hosting service that offers cloud storage, file synchronization, personal cloud, and client software. OneDrive brings files together in one place by creating a special folder on the user's computer. The contents of these directories are synchronized to the servers of OneDrive and other computers and systems where OneDrive has been installed by the user, keeping the same files up to date on all devices. OneDrive is available for Microsoft Windows, Apple macOS, and Linux computers, and mobile apps for iOS, Android, and Windows Phone smartphones and tablets.

Digital Forensics Value of OneDrive Artifacts

OneDrive file contains information about files that users uploaded and synced to OneDrive, cloud data, and configuration. This information is critical during the forensic analysis process as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of OneDrive Artifacts

Windows 8: C:\Users\username\Appdata\Local\Microsoft\OneDrive\logs
Windows 10: C:\Users\username\Appdata\Local\Microsoft\Windows\OneDrive\logs

Structure of OneDrive Artifacts

OneDrive contains information about files that users uploaded and synced to OneDrive. It contains several sub artifacts such as: items, deleted items, recycle bin items, accounts, and downloads.

Within the OneDrive evidence there are four types of files: SyncEngine.odl, TraceCurrent.ETL, TraceArchive.ETL, and SyncDiagnostics.txt.

SyncEngine.odl: includes logs of operations that have been performed and syncing functions such as synced file names and file hashes.
Trace.ETL: TraceCurrent.ETL and TraceArchive.ETL are logging files that contain the trace messages generated during one or more trace sessions.
SyncDiagnostics.txt: a logging file which displays the operations currently being run on the computer.

Analyzing OneDrive Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze One Drive artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select OneDrive Artifact:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of OneDrive artifact in ArtiFast software.

OneDrive (Win Apps) Accounts Artifact

Last Name - The user's last name.
Service Display Name - The user's display name.
Domain - The user's account domain name.
First Name - The user's first name.
Email - The user's email.
Account ID - The account ID.
Last Modification Date - The file last modified date and time.

OneDrive (Win Apps) Downloads Artifact

File Name - File name.
Name On Disk - File name on disk.
Account Type - Account type.
Downloaded Size - Downloaded size.
Retry Enabled - Retry enabled.
Retry Times - Retry times.

OneDrive (Win Apps) Deleted Items Artifact

Latitude - The item latitude.
Item Icon Type - The item icon type.
Camera Model - The camera model name.
Drive ID - The drive account ID.
Extension - The item extension type.
Taken Date - The item taken date by camera.
Resource ID Alias - The resource ID Alias.
Width - The item width.
Location - The item location.
Altitude - The item altitude.
Sharing Level - The item sharing level.
Folder Canonical Name - The folder canonical name.
File Hash - The hash value of the file.
Owner Account ID - The user account ID.
Name - The item name.
Longitude - The item longitude.
Height - The item height.
Media Duration - The media duration.
Shared Date - The item shared date.

OneDrive (Win Apps) Items Artifact

Name - The name of the file.
File Hash - The hash value of the file.
File Size - The file size in bytes.
Drive ID - The drive ID.
Camera Model - The camera model.
User Role - The role of the current user.
Owner Name - The name of the owner of the file.
Media Duration - The media duration.
If Offline - Indicates whether the file is available offline.
Sharing Level - The sharing level of the file (shared/not shared).
Resource ID Alias - The resource ID Alias.
Owner Account - The owner account ID of the item.
Width - The item width.
Item Icon Type - The item icon type.
Folder Canonical - The folder canonical name.
Creation Date - The item creation date on drive account.
Last Modified Date - The last modified date on drive account.
Latitude - The item latitude.
Altitude - The item altitude.
Location - The item file location.
Extension - The item extension type.
Shared Date - The item shared date.
Height - The item height.
Is Folder - Indicates whether the item is a folder.
Longitude - The item longitude.
Taken Date - The item taken date by camera.
Total count - The total count under items.
Revision Date - Date and time of revision.

OneDrive RecycleBin Items Artifact

Revision Date - Date and time of revision.
Latitude - The item latitude.
Taken Date - The item taken date by camera.
Name - The item name.
Item Icon Type - The item icon type.
Sharing Level - The item sharing level (shared/not shared/shared by).
Folder Canonical - The folder canonical name.
Longitude - The item longitude.
Owner Account - The owner account ID.
Resource ID Alias - The resource ID Alias.
Width - The item width.
Height - The item height.
Altitude - The item altitude.
Shared Date - The item shared date.
Media Duration - The media duration.
Location - The item file location.
Drive ID - The drive ID.
File Hash - The hash value of the file.
Camera Model - The camera model.
Extension - The item extension type.

OneDrive Cloud Metadata Artifact

Modification Date - Modification date and time.
File Path - File path.
Creation Date - Creation date and time.
File Type - File type.
Is Diagnostic - Indicates whether it is diagnostic.
Size - Size.

OneDrive Sync Diagnostics Artifact

Modified Time - Modified date and time.
CID - Client Id.
Client Type - Client type.
Client Version - Client version.
Cloud Folders Count - Cloud folders count.
Cloud Files Count - Cloud files count.
Disk Files Count - Disk files count.
Disk Folders Count - Disk folders count.
Dat Files Count - Dat files count.
Dat Folders Count - Dat folders count.
Device ID - Device ID.
PID - Process Id.
Bytes To Upload - Bytes to upload.
Bytes To Download - Bytes to download.
Files To Download - Files to download.
Files To Upload - Files to upload.
Number Of File Downloads - Number of file downloads.
Number Of File Uploads - Number of file uploads.
Successful Bytes Downloaded - Successful bytes downloaded total.
Failed Bytes Downloaded - Failed bytes downloaded total.
Successful Bytes Uploaded - Successful bytes uploaded total.
Failed Bytes Uploaded - Failed bytes uploaded total.

OneDrive User Configurations Artifact

Last Refresh Date - Last online refresh date and time.
User Library - User library.
Bytes Transferred - Bytes transferred.
Install Name - Personnel computer name.
Nick Name - Nick name.

OneDrive MountPoint Files Artifact

Modification Date - Modification date and time.
File Path - File path.
Creation Date - File creation date.
Size - File size.
Is Diagnostic - Indicates whether it is a diagnostic file.

OneDrive MountPoint Folder Artifact

Last Modified Date - Last modified date and time.
Folder Path - Folder path.
Is Diagnostic - Indicates whether it is a diagnostic file.

OneDrive Profile Service Artifact

Last Modified Date - Last modified date and time.
Profile Display Name - Profile display name.
Profile Display Last Name - Profile display last name.
Passport Member Name - Passport member name.
User Tile Url - User tile url.

OneDrive State Artifact