Blog >> pCloud

Investigating pCloud

14/04/2022 Friday

pCloud is a cloud storage service developed by a Swiss company founded in 2013. It is a standard cloud storage service for keeping files private, stable, and accessible across all platforms. pCloud also provides file management, sharing, versioning, security, backup, and digital assets management. The app is available on Windows, Mac, Linux, Android, and iOS devices.

Digital Forensics Value of pCloud Artifact

pCloud artifacts provide information about files and folders that the user created, modified, uploaded, and used in pCloud, as well as files and folders shared with other users. Tracking such information can be critical during a digital forensic analysis.

Location and Structure of pCloud Artifact

In Windows 10, pCloud artifacts are found in the following location:

%systempartititon%\Users\%username%\AppData\Local\pCloud

The artifacts are mainly extracted from the database and cache files seen below.

Analyzing pCloud Recent Files with ArtiFast Windows

This section will discuss how to use ArtiFast to extract pCloud artifacts from Windows and what kind of digital forensic insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select pCloud artifacts.

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows pCloud artifacts in ArtiFast.

pCloud Drive Files

• Creation Date - The date and time when the file was created.
• Modification Date - The date and time when the file was last modified.
• File Name - The date and time the MRU registry key was last modified
• Parent Folder Name - The parent folder name.
• Size - The size of the file in bytes.
• Media Artist - The media artist name.
• Media Album - The media album name.
• Media Title - The media title name
• Width - The width of the image/video in pixels.
• Height - The height of the image/video in pixels.
• Duration - The duration of the video in seconds.
• Frames per Second - Frames per second rate of the video.
• Video Codec - Codec used for encoding of the video.
• Audio Codec - Codec used for encoding of the audio.
• Video Bit Rate - Bitrate of the video in kilobits.
• Audio Bit Rate - Bitrate of the audio in kilobits.
• Audio Sample Rate - Sampling rate of the audio in Hz.

pCloud Folders

• Date - The date and time when the folder was last edited.
• Parent ID - The parent folder ID.
• Folder ID - The folder ID.
• Folder Name - The folder name.
• Creation Date\Time - The date and time when the folder was created.

pCloud Local Files

• Date - The date and time when the file was last modified.
• Hash - The file checksum.
• Size - The size of the file.
• Local Parent Folder ID - The parent folder ID.
• File ID - The file ID.
• Name - The file name.

pCloud Local Folders

• Local Parent Folder ID - The parent folder ID.
• Folder ID - The folder ID.
• Name - The folder name.
• Device ID - The device identifier.

pCloud Sync Folders

• Sync Folder ID - The folder ID.
• Sync Folder Path - The Local path of the folder.
• Device ID - The device identifier.

pCloud User Information

• Premium - Indicates whether the user is using a premium account or not.
• User Name - The username of the users which is usually their email.
• User Space - The amount of space consumed by the user.
• User ID - The user identifier.

For more information or suggestions please contact: [email protected]