A computer with these files is likely to have had Dropbox installed at one point. To capture this information I ran Process Monitor, a tool from Sysinternals that records all activity on a computer’s hard drive. These are the files created during the installation of Dropbox.
used to create test files to be uploaded and downloadedįiles and Folders Created During Installation.
Used to look at changes to the registry.
None of his findings are in my paper without being explicitly labeled as such. This article went over some of the basics of Dropbox and what places an investigator could look for information.
Are there any other sources of information relating to Dropbox?īefore I began working on Dropbox, I read the Dropbox Forensics article in Forensic Focus written by Frank McClain.
What logs does Dropbox create and how accurate are they?.
What evidence is there when a file is shared?.
What artifacts are created when a file is uploaded or downloaded?.
What information can be gathered from the Dropbox database files?.
What artifacts are left behind after Dropbox is uninstalled?.
What artifacts are created during the installation process?.
This research project will attempt to discover what evidence can be gathered from Dropbox, including evidence that is located on the computer(s) with Dropbox installed on them as well as evidence that can be gathered from the web portal. Obtaining these artifacts and log files could provide an investigator with valuable evidence. The Dropbox servers store many useful logs in regards to account history and a user’s file history. The Dropbox application creates artifacts on a system that may provide pertinent information. This service’s popularity and function means that it could be used to backup or transfer files that are relevant to an investigation. This service allows for users to backup files to the internet and to share them with other people. Dropbox is a service that is used by over 50 million people.