Blog >> Windows Google Drive

Investigating Windows Google Drive

16/12/2022 Friday

Google Drive is a cloud- based file storage service similar to Microsoft OneDrive and Apple iCloud. It enables users to store, access and share files online. The service also enables users to synchronize files across their devices including PCs, smartphones and tablets. Google Drive encompasses other Google apps such as Google Docs, Forms, Sheets and Slides; allowing users to work collectively on the same file from anywhere using the cloud.

Digital Forensics Value of Google Drive

Due to their various advantages, cloud-based storage services such as Google Drive have become one of the most popular mediums for storing, managing and sharing files. That is why it is important to be able to analyze and view critical artifacts left behind by Google Drive.

Location and Structure of Google Drive Artifacts

By default, artifacts left behind by Google Drive are stored in the following location:

This folder contains many other folders and databases which store important information about user’s activities on the app. The most important sub- folders/files are listed below:
• root_preference_sqlite.db

This database contains information about all of the devices that have been partially or completely backed to Google Drive or any device that has been connected to the computer while Google Drive App was running. The database also stores information about the root (folders) synced to the cloud using Google Drive desktop app.
• mirror_sqlite.db

This database on the other hand, contains information about all of the items (root folders, sub-folders, or files) synced to the cloud using Google Drive desktop app.
• %user_acount_id%\metadata_sqlite_db
• %user_acount_id%\ mirror_metadata_sqlite.db

Google Drive creates a folder for each account with a unique 21 digits ID. Under this folder you can find the above-mentioned databases. These databases contain information about the items stored in the cloud using Google Drive, deleted items, as well as information related to the user’s account.

This folder contains cache details collected by Google Drive desktop app in Chromium cache structure.

Analyzing Google Drive Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Google Drive artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Google Drive artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows Google Drive artifacts in ArtiFast.

Google Drive Cache Artifact

Google Drive Cloud Items Artifact

Google Drive Deleted Files Artifact

Google Drive Last Execution Date Artifact

Google Drive Account Information Artifact

Google Drive Sync Roots Artifact

Google Drive Sync Items

Google Drive Device

For more information or suggestions please contact: [email protected]