How to do it...

The steps to be followed for Dropbox forensics are as follows:

  1. Open your SQLite browser and navigate to: C:\Users\<USERNAME>\AppData\Local\Microsoft\Dropbox. You will find several .db files contained within this folder.
  2. The most interesting file in the folder is filecache.db. This lists all files and folders within the Dropbox account, as long as they have not been deleted. You can find details of how large each file is in sigstore.db in the same folder. The filecache database is encrypted by default, but it is one of the databases that Magnet's Dropbox Decryptor can decrypt, which will allow you to see not only the file names but also any associated metadata.
  3. The Dropbox Decryptor will also uncover information from the config.db file, including the email address the account owner used to register, and a list of files that have recently been changed. This is particularly of interest in investigations where a person may be trying to cover their tracks.

     In some cases, Dropbox files will have been deleted. Deleted files are not kept on the local machine and so cannot be accessed strictly through Windows 10 forensic methods. However, if you know the username and password for the account, the web-based version of Dropbox does keep these files in the cloud. The amount of time for which they are kept depends on the type of account: for free accounts, deleted files are kept for 30 days; for premium (paid) accounts, they are kept forever.
  4. Finding deleted files is easy on Dropbox. All you need to do is hover over the Show deleted files option on the right-hand side of the page.

Fig 10.8. An option allows users to see deleted files

Once you can see the file that has been deleted, you can click on Restore to view it. This will bring up a little box, where it is worth clicking on the View other versions link under the main text, as shown in the following screenshot:

Fig 10.9. The 'View other versions' option can be forensically helpful

The following screenshot shows you how many versions of a file there have been, when they were edited, and when the file was deleted:

Fig 10.10. You will be able to see names and modification dates of file versions

Clicking on each of these in turn will show you a preview version of the file itself, which can then be compared against other versions:

The two versions may be quite different even if they have the same file names, as you can see by comparing the figures:

It is then possible to see the contents of each file version
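
Before opening the .db files from steps 1 and 2 in a browser, it helps to record a hash of each and check which ones are plain SQLite and which (like filecache.db) will need decrypting first. The following is an added example, not code from the book or from any Dropbox tool; the function names are hypothetical, the sample files are constructed, and it assumes you run it against a working copy of the folder rather than the original evidence:

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of a plain SQLite file


def triage_db(path):
    """Hash one .db file and report whether it opens as plain SQLite."""
    path = Path(path).resolve()
    data = path.read_bytes()
    result = {
        "name": path.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "plain_sqlite": data[:16] == SQLITE_MAGIC,
        "tables": [],
    }
    if result["plain_sqlite"]:
        # mode=ro stops SQLite from writing to the working copy
        con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
            result["tables"] = [r[0] for r in rows]
        except sqlite3.DatabaseError:
            result["plain_sqlite"] = False  # header matched but pages unreadable
        finally:
            con.close()
    return result


def triage_folder(folder):
    """Triage every .db file in a copied Dropbox folder, sorted by name."""
    return [triage_db(p) for p in sorted(Path(folder).glob("*.db"))]


def demo():
    """Constructed sample folder: one plain SQLite file, one opaque blob."""
    folder = Path(tempfile.mkdtemp())
    con = sqlite3.connect(folder / "plain_sample.db")
    con.execute("CREATE TABLE sample (k TEXT, v TEXT)")
    con.commit()
    con.close()
    # Constructed opaque bytes standing in for an encrypted filecache.db
    (folder / "filecache.db").write_bytes(bytes(range(256)) * 16)
    return triage_folder(folder)
```

Files reported with plain_sqlite set to False are the ones to pass to a decryptor; the recorded SHA-256 values let you show later that the copies were not altered during analysis.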
