Investigating Windows Google Drive
16/12/2022 Friday
Google Drive is a cloud- based file storage service similar to Microsoft OneDrive and Apple iCloud. It enables users to store, access and share files online. The service also enables users to synchronize files across their devices including PCs, smartphones and tablets. Google Drive encompasses other Google apps such as Google Docs, Forms, Sheets and Slides; allowing users to work collectively on the same file from anywhere using the cloud.
Digital Forensics Value of Google Drive
Due to their various advantages, cloud-based storage services such as Google Drive have become one of the most popular mediums for storing, managing and sharing files. That is why it is important to be able to analyze and view critical artifacts left behind by Google Drive.
Location and Structure of Google Drive Artifacts
By default, artifacts left behind by Google Drive are stored in the following location:
C:\Users\%user%\AppData\Local\Google\DriveFS
This folder contains many other folders and databases which store important information about user’s activities on the app. The most important sub- folders/files are listed below:
• root_preference_sqlite.db
This database contains information about all of the devices that have been partially or completely backed to Google Drive or any device that has been connected to the computer while Google Drive App was running. The database also stores information about the root (folders) synced to the cloud using Google Drive desktop app.
• mirror_sqlite.db
This database on the other hand, contains information about all of the items (root folders, sub-folders, or files) synced to the cloud using Google Drive desktop app.
• %user_acount_id%\metadata_sqlite_db
• %user_acount_id%\ mirror_metadata_sqlite.db
Google Drive creates a folder for each account with a unique 21 digits ID. Under this folder you can find the above-mentioned databases. These databases contain information about the items stored in the cloud using Google Drive, deleted items, as well as information related to the user’s account.
•cef_cache\Cache
This folder contains cache details collected by Google Drive desktop app in Chromium cache structure.
Analyzing Google Drive Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Google Drive artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Google Drive artifacts:
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Google Drive artifacts in ArtiFast.
Google Drive Cache Artifact
- HTTP Content - HTTP content of the cache.
- Content Type - The type of the cache content.
- Key - The Key or URL of the cached file.
- File Name - The title of the website.
- Content Size - The size of the cache in bytes.
- Is Dirty - Indicates whether this cache is dirty or not.
- Long Key Data - The long key data of the cache.
- Payload - The path of the cache file.
- Refetch Count - Indicates the number of times the cached entry was refetched.
- Reuse Count - Indicates the number of times the cache has been used.
- State - The state of this cache.
- Creation Time - The date and time when the cached entry was created.
- Cache Entry Last Modified Time - The date and time when the cached entry was last modified. Cache Entry Last Used Time - The date and time when the cached entry was last fetched.
Google Drive Cloud Items Artifact
- Document ID - Document ID.
- Document Origin - Document origin.
- Document Type - Document type.
- Is Folder - Indicates whether the item is a folder or a file.
- Last Modified Date - The date and time when the item was last modified.
- Viewed Date - The date and time when the item was last viewed by the user.
- Document Size - Document size.
- File Name - File name.
- Is Trashed - Indicates whether the file is in the drive bin or not.
- Parent Folder - Parent folder.
Google Drive Deleted Files Artifact
- Deleted File Name - The name of the deleted file.
Google Drive Last Execution Date Artifact
- Last Execution Date - The last execution date.
- PID - The process ID.
Google Drive Account Information Artifact
- User Local Folder ID - The ID used by the SW to name the user folder.
- User Name - The user’s name.
- Email Address - The user email address.
Google Drive Sync Roots Artifact
- Storage Device ID - The ID of the storage device where the item was saved on the local device.
- Root Title - The name of the folder.
- Root Path - The folder full path on the local device.
- Account ID - The account ID where this item is synced to.
- Is Default Sync Directory - Indicates whether this folder is the default sync directory or not.
- Sync Type - Indicates the type of the sync.
Google Drive Sync Items
- Item Device Creation Date - The date and time when the item was created on the local device.
- Item Could Creation Date - The date and time when the item was created in the cloud.
- Item ID - Item stable ID.
- Storage Device ID - The ID of the storage device where the item was saved on the local device.
- Local Item Name - Item name on the local device.
- Cloud Item Name - Item name in the cloud.
- Local Item Size - Item size in Bytes as stored on the local device.
- Cloud Item Size - Item size in Bytes as stored in the Cloud.
- Item Type - indicates whether the item is a file or folder.
- Local Item Version - Item version on the local device.
- Cloud Item Version - Item version in the cloud.
- Is Shared - Indicates whether the item is shared or not.
- Is Root - Indicates whether the item Is a root folder or not.
- Parent Folder Local Name - The parent folder name on the local device.
- Account ID - The account id where this item is synced to.
Google Drive Device
- Device ID - The ID of the device.
- Device Name - The device name.
- Media System Name - The last drive letter that was assigned to the device by Windows.
- File System Type - The type of the device in the file system.
- Device Type - Indicates the type of the device.
- Device Capacity - Indicates device storage capacity in bytes.
For more information or suggestions please contact: [email protected]
