OneDrive works slightly differently depending on whether a user has a Personal or Business account, and it is important to understand these differences as they may have a bearing on your forensic investigation.

When OneDrive syncs a file from your computer to the cloud, there is a small modification that takes place in OneDrive for Business. This version of OneDrive automatically adds a few lines of code to the beginning of documents when they are uploaded. This has strong forensic implications as it means that the original MD5 hashes don't match, and can also mean that the files themselves grow slightly larger in size. This appears to happen whenever such a file is opened, even if no modifications are made - it is part of the automated syncing process. So, if you are analyzing a OneDrive for Business file, make sure you account for this as part of your process, or you may end up with some sticky questions should the case go to court!