URL: https://cybersocialhub.com/csh/google-drive-evidence-you-should-know-about-monolith/?utm_source=CSH_Nov_2021_Newsletter&utm...
GOOGLE DRIVE EVIDENCE YOU SHOULD KNOW ABOUT

 * November 9, 2021
 * 2:57 pm
 * One Comment


By Matt Danner of Monolith Forensics

As the world continues to adopt the use of cloud storage and make it a part of
everyday use in personal and professional settings, you should be aware of the
forensic artifacts and logs available for review.  In this article I’ll cover
the forensic data you can review for Google Drive.

Google Drive Application

In mid-2021, Google started to roll out “Google Drive for Desktop”, which merged
the “Backup and Sync” and “File Stream” versions of Google Drive. This has
significantly changed the artifacts available for the Google Drive application,
and I may cover those artifacts in another article.

The artifacts referenced below are related to the “Backup and Sync” Google Drive
application, which is still alive and in use.  You will likely still run into
systems with this version of Google Drive.

Here are the primary artifacts you should look for:

 * sync_config.db
   * macOS location: /Users/{USERNAME}/Library/Application
     Support/Google/Drive/user_default/sync_config.db
   * Windows location:
     \Users\{USERNAME}\AppData\Local\Google\Drive\user_default\sync_config.db

 * snapshot.db
   * macOS location: /Users/{USERNAME}/Library/Application
     Support/Google/Drive/user_default/snapshot.db
   * Windows location:
     \Users\{USERNAME}\AppData\Local\Google\Drive\user_default\snapshot.db

 * sync_log.log
   * macOS location: /Users/{USERNAME}/Library/Application
     Support/Google/Drive/user_default/sync_log.log
   * Windows location:
     \Users\{USERNAME}\AppData\Local\Google\Drive\user_default\sync_log.log

The “sync_config.db” is a SQLite file that gives you information about the
connected Google Drive account and the location of the synchronization folder:

Sync_config.db example

The “snapshot.db” is a SQLite file that contains the list of files that Google
Drive is aware of and is watching for actions in the synchronization folder.
This database includes interesting bits of info like file hashes, names, Google
IDs, and timestamps:

Snapshot.db example

The “sync_log.log” is a plain text file that contains loads of information about
events that have occurred within Google Drive – including creation, deletion, &
modification events.  These logs can even tell you if the event occurred on the
local machine or if the event happened elsewhere.

Here is an example of one of the logs from the sync_log.log file.  You can tell
from this example that there is a ton of information about the event and the
related file or folder.

Sync_log.log example log entry

These three files can be an incredibly important source of information when
conducting Google Drive investigations.

Web Browser History

The next source of information for Google Drive activity on a computer will come
from the user’s web history.  Google Drive info should be found in the history
of any browser that stores history records like Chrome, Safari, or Firefox.

When you access an item or location in Google Drive within a web browser, two
key pieces of info are recorded in the web history: the Google Drive URL and the
page title.

For example, I am currently drafting this article in Google Docs. The web
history of my Chrome browser is going to record the title of this document in
the page title, and the unique Google ID for the document in the address bar:



In another example, you can see the folder in Google Drive that I have open via
the page title and URL.



The title and Google ID present in the address bar can be used to help identify
access to items in Google Drive.

The download history from the browser can also reveal this information.  The
name of the item will be listed as the downloaded file and the download URL will
contain the unique Google ID for that item.
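To make the URL-and-title point concrete, here is an added example (not code from the article or from Monolith Forensics) that pulls Drive and Docs visits out of a copy of Chrome's SQLite History file: it extracts the Google ID from the URL and converts Chrome's WebKit-epoch timestamps to UTC. The URL patterns and the in-memory sample rows are assumptions constructed for illustration; on real data, pass `sqlite3.connect()` of a copied History file to `drive_visits()`.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome history times: microseconds since 1601-01-01 UTC

# Drive/Docs URL shapes whose path or query carries the item's unique Google ID (assumed patterns).
DRIVE_ID_PATTERNS = [
    re.compile(r"docs\.google\.com/(?:document|spreadsheets|presentation)/d/([\w-]+)"),
    re.compile(r"drive\.google\.com/(?:file/d|drive/(?:u/\d+/)?folders)/([\w-]+)"),
    re.compile(r"drive\.google\.com/uc\?(?:[^#]*&)?id=([\w-]+)"),
]

def webkit_to_datetime(ts: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

def datetime_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def extract_drive_id(url: str):
    """Return the Google ID embedded in a Drive/Docs URL, or None for any other URL."""
    for pat in DRIVE_ID_PATTERNS:
        m = pat.search(url)
        if m:
            return m.group(1)
    return None

def drive_visits(con: sqlite3.Connection):
    """(utc_time, page_title, google_id, url) for every Drive/Docs row in Chrome's `urls` table.
    The same extract_drive_id() applies to the `url` column of `downloads_url_chains` for downloads."""
    hits = []
    for url, title, ts in con.execute("SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time"):
        gid = extract_drive_id(url)
        if gid:
            hits.append((webkit_to_datetime(ts), title, gid, url))
    return hits

def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History holding only the `urls` columns read above (not a real capture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER)")
    t0 = datetime_to_webkit(datetime(2021, 11, 9, 14, 57, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)", [
        ("https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUvWxYz/edit", "Drive Evidence Draft - Google Docs", t0),
        ("https://drive.google.com/drive/u/0/folders/0ByZyXwVuTsRqPoNmLk", "Case Files - Google Drive", t0 + 60_000_000),
        ("https://example.com/", "Unrelated page", t0 + 120_000_000),
    ])
    con.commit()
    return con
```

Copy the History file before opening it; Chrome holds a lock on the live one, and reading a copy also keeps the original's hashes intact.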

Google Drive Account

In certain cases, you may have access to the Google Drive account in question. 
In these cases it is appropriate to collect the contents of Google Drive via the
Google Takeout service provided by Google.

When collecting data via the Google Takeout process, be sure to enable the
additional options in the “advanced settings” menu when selecting Google Drive:



This will give you all document versions and will include a metadata JSON file
for each file and folder.  The metadata JSON file will include additional
characteristics of the item you may find useful.

Google Workspace

If the target Google Drive account exists within a Google Workspace domain, you
have access to convenient and robust Google Drive admin logs.  These logs show a
lengthy history of activity by users with respect to Google Drive files.  This
requires admin access to the Google Workspace Admin Console, but it is essential
to collect these logs for review in a Google Drive investigation.



These logs can contain edit, create, download, & view events that are tied to
specific Google Workspace users with timestamps and IP addresses.  The activity
is related to specific files and folders within Google Drive.

During the investigation, you should access and export these logs as soon as
possible, as they are retained for only 6 months.

Google Drive APIs

The final dataset that you can access takes a bit more skill and effort.  This
method also requires full access and authentication to the target Google Drive
account.  Google provides access to data contained within Google Drive via
publicly available Application Programming Interfaces (APIs) that anyone can
use.

To use these APIs, you need some programming skill in a typical language such as
Python or JavaScript. You basically write code that makes HTTP requests to API
endpoints defined by Google to retrieve specific kinds of data.

For example, you can collect file and folder metadata and activity data from
Google Drive via the Google Drive API and Google Drive Activity API.  Using
these Google APIs, you can pull metadata that includes timestamps called
“viewedByMeTime” and “modifiedByMeTime”.  These timestamps provide information
about last access history for the authenticated user.

The Activity API will provide logs that illustrate events such as file edits,
sharing, and deletion to the trash folder.  

You can review Google’s API documentation for these APIs and play around with
writing scripts to interact with them.  Here are links to the API documentation:

Google Drive API

Google Drive Activity API
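As an added example (not the article's code, and not an official Google client), here is what one authenticated HTTP request to the Drive API v3 files.list endpoint looks like, and how to read the viewedByMeTime and modifiedByMeTime fields back out of the response. The bearer token, the sample response and its item IDs are constructed placeholders; an OAuth 2.0 access token with a Drive read scope is assumed.

```python
import json
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request

DRIVE_FILES_ENDPOINT = "https://www.googleapis.com/drive/v3/files"
# Per-file fields to request; these are Drive API v3 File resource field names.
FILE_FIELDS = "id,name,mimeType,trashed,viewedByMeTime,modifiedByMeTime"

def build_files_request(access_token: str, page_token: str = None) -> Request:
    """GET one page of files.list, authenticated with an OAuth 2.0 bearer token (assumed Drive scope)."""
    params = {"pageSize": 1000, "fields": f"nextPageToken,files({FILE_FIELDS})"}
    if page_token:
        params["pageToken"] = page_token
    return Request(f"{DRIVE_FILES_ENDPOINT}?{urlencode(params)}",
                   headers={"Authorization": f"Bearer {access_token}"})

def parse_rfc3339(value):
    """Drive timestamps look like 2021-11-09T14:57:03.120Z; return an aware UTC datetime, or None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def access_timeline(page: dict):
    """Flatten one files.list page into rows ordered by the user's most recent view; never-viewed items last."""
    rows = []
    for f in page.get("files", []):
        rows.append({
            "id": f["id"], "name": f.get("name"), "trashed": f.get("trashed", False),
            "viewed_by_me": parse_rfc3339(f.get("viewedByMeTime")),
            "modified_by_me": parse_rfc3339(f.get("modifiedByMeTime")),
        })
    rows.sort(key=lambda r: (r["viewed_by_me"] is None,
                             -r["viewed_by_me"].timestamp() if r["viewed_by_me"] else 0))
    return rows

# Constructed files.list response shaped like the real API's JSON (not a real capture; IDs are placeholders).
SAMPLE_PAGE = json.loads("""{
  "nextPageToken": "constructed-token",
  "files": [
    {"id": "1AbCdEfGhIjKlMnOpQrStUvWxYz", "name": "Drive Evidence Draft", "mimeType": "application/vnd.google-apps.document",
     "trashed": false, "viewedByMeTime": "2021-11-09T14:57:03.120Z", "modifiedByMeTime": "2021-11-09T14:55:41.002Z"},
    {"id": "0ByZyXwVuTsRqPoNmLk", "name": "Case Files", "mimeType": "application/vnd.google-apps.folder", "trashed": false},
    {"id": "1TrashedPlaceholder", "name": "notes.txt", "mimeType": "text/plain", "trashed": true,
     "viewedByMeTime": "2021-10-01T08:00:00.000Z", "modifiedByMeTime": "2021-09-30T17:12:00.000Z"}
  ]
}""")
```

Keep requesting with `nextPageToken` until the response omits it; a single page never covers a whole Drive.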

If you’re looking for something to help manage your digital evidence and
forensics casework, check out Monolith Forensics at www.monolithforensics.com.

RESPONSES


 1. KevinDeLong November 10, 2021
    
    Great Article Matt!
    