Blog >> Window BoxDrive

Investigating Window BoxDrive

10/02/2023 Friday

Box Drive is a cloud-based file management app that provides users with direct access to their Box account files from their desktop computers. With Box Drive, users can preview, edit, and collaborate on their cloud-based files in real-time, as if they were stored on their local computers. This tool is equipped with features such as version history and commenting, making it an effective tool for teams collaboration.

Digital Forensics Value of BoxDrive

The forensic value of Box Drive lies in its centralized storage of documents and electronic communications that can serve as critical evidence. Having the ability to access these files gives investigators a huge advantage in a forensic investigation. In addition, with the help of Box Drive's version history feature, investigators can track changes to files over time, ensuring the accuracy of data.

Location of BoxDrive Artifacts

BoxDrive artifacts are found in the following location:
%systempartititon%\Users\%username%\AppData\Local\Box\Box\logs
%systempartititon%\ Users\%username%\ AppData\Local\Box\Box\data

Analyzing BoxDrive with ArtiFast

This section will discuss how to use ArtiFast to extract BoxDrive from Windows and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select BoxDrive artifacts.

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Window BoxDrive artifacts in ArtiFast.

Box Items Artifact

• Date - Creation date of the item.
• Item Name - The name of the item.
• Parent Folder - The parent folder name.
• Last Updated Date - The date that the item was last modified.
• Item Size - The size of the item.
• Item Type - The type of the item.

Box Local Events Artifact

• Date - Creation date of the event.
• Item Name - The name of the item.
• Item Old Name - The previous name of the item.
• Last Updated Date - The date that the item was last modified.
• Item Size - The size of the item.
• Sync Event type - The type of the event.
• Item Native Type - The type of the item.
• Base name - item name.

Box Local Items Artifact

• Date - Creation date of the item.
• Item Name - The name of the item.
• Parent Folder - The parent folder name.
• Last Updated Date - The date that the item was last modified.
• Item Size - The size of the item.
• Item Type - The type of the item.

Box FS Nodes Artifact

• Date - Creation date of the node.
• Last consistent size - The previous size of the item.
• Parent Folder - The parent folder name.
• Modification Date - The date that the item was last modified.
• Size - The size of the item.
• Is Dirty Data - A flag showing if the file is (corrupted/ infected) or not.
• Is file - A flag that indicates if the item is a file.

Box Preferences Artifact

• Date - The time preferences was last modified.
• Display Username - The name of the user logged in.
• Last Sync Time - last time the drive was synced.
• Sync Directory - The directory that is getting synced.

Box Logs Artifact

• Date - Log record creation Date.
• Log Level - The level of the log record.
• Offset - The Offset of the record.
• Log message - the contents of the log record.
• Source File - The source file of the log record.

For more information or suggestions please contact: amro.alshadfan@forensafe.com