
OneDrive Forensics: Investigating Cloud Storage on Windows Systems

Microsoft OneDrive is the most widely used cloud storage service, thanks to its default integration in Windows and its enterprise adoption via Microsoft 365. Understanding OneDrive forensic artifacts is crucial for investigations involving data exfiltration, insider threats, or deleted cloud files.


We will cover:

  • How to locate and analyze OneDrive data on a Windows system

  • Key forensic artifacts, including logs, databases, and registry entries

  • How to determine OneDrive activity, authentication, and file synchronization history

  • How OneDrive’s new sync model affects forensic investigations

  • Tracking cloud-only files & deleted data

  • Using OneDrive’s forensic artifacts to recover missing evidence


----------------------------------------------------------------------------------------------------------

1️⃣ Locating OneDrive Files on a Windows System

By default, synced OneDrive files are stored in:

%UserProfile%\OneDrive

💡 Important:
  • If a user changes the default storage location, the original OneDrive folder remains empty.

  • The true OneDrive folder location can be found in the Windows registry.


Registry Key to Identify OneDrive Folder Location

NTUSER\Software\Microsoft\OneDrive\Accounts\Personal

This key contains:

  • UserFolder → The actual OneDrive sync folder location

  • cid/UserCid → A unique Microsoft Cloud ID

  • UserEmail → The email used for the Microsoft account

  • LastSignInTime → Last authentication timestamp (Unix epoch format)

💡 Why This Matters:
  • If OneDrive is enabled, this registry key must exist.

  • Investigators can track user activity even if OneDrive files have been moved or deleted.


----------------------------------------------------------------------------------------------------------


2️⃣ Analyzing OneDrive File Metadata & Sync Database

OneDrive stores metadata and sync information in:

%UserProfile%\AppData\Local\Microsoft\OneDrive\settings

This folder contains key artifacts, including:


📌 SyncEngineDatabase.db (Main OneDrive Database)

  • Tracks both local and cloud-only files

  • Lists file names, folder structure, and metadata

  • Provides timestamps for file sync operations

💡 Why This Matters:
  • Even cloud-only files (not stored locally) are recorded here.

  • Investigators can track deleted or moved files that no longer exist on the device.

----------------------------------------------------------------------------------------------------------


3️⃣ OneDrive Logs: Tracking Uploads, Downloads, & File Changes

OneDrive keeps detailed logs of file sync activities in:

%UserProfile%\AppData\Local\Microsoft\OneDrive\logs

These logs store up to 30 days of data and record:

  • File uploads & downloads

  • File renames & deletions

  • Shared file access events


💡 Forensic Insight:
  • Log files can reveal file activity, even if the user deleted local copies.

  • Timestamps in the .odl log files in this folder can correlate file transfers with other system activity.


----------------------------------------------------------------------------------------------------------


4️⃣ OneDrive for Business: Additional Registry Artifacts

Users with OneDrive for Business (Microsoft 365) will have a separate registry key:


NTUSER\Software\Microsoft\OneDrive\Accounts\Business1

This key includes:

  • UserFolder: Root of the local OneDrive sync folder

  • UserEmail: Email tied to the Microsoft cloud account

  • LastSignInTime: Date and time of the last authentication (Unix epoch time)

  • ClientFirstSignInTimestamp: Time of the first authentication of the account (Unix epoch time)

  • SPOResourceID: SharePoint URL of the OneDrive instance

💡 Why This Matters:
  • Business OneDrive accounts store work-related data—a key forensic focus.

  • The SPOResourceID can link OneDrive for Business files to a SharePoint instance.


----------------------------------------------------------------------------------------------------------


5️⃣ Investigating Shared Files & Synced Data from Other Users

OneDrive supports file sharing and folder synchronization across multiple accounts. Shared folders are tracked under:


NTUSER\Software\Microsoft\OneDrive\Accounts\Personal\Tenants
NTUSER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants

  • These keys log shared folders synced to OneDrive.

  • They also track files shared via Microsoft Teams & SharePoint.


💡 Forensic Insight:
  • Shared folders may not be stored in the default OneDrive folder.

  • Investigators should check all Tenant folders to avoid missing critical evidence.


----------------------------------------------------------------------------------------------------------


6️⃣ SyncEngines Key: Advanced OneDrive Tracking

A final high-value artifact for OneDrive investigations is:


NTUSER\Software\SyncEngines\Providers\OneDrive

It contains:

  • MountPoint → Local file storage location (useful for tracking shared folders)

  • UrlNamespace → Specifies whether the folder belongs to OneDrive, SharePoint, or Teams

  • LastModifiedTime → The last time the folder was updated


💡 Why This Matters:
  • Identifies all folders being synced, even if they are not in the default OneDrive location.

  • Correlates data across Microsoft cloud services (OneDrive, Teams, SharePoint).
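As an added example (not code from the original post), the following PowerShell script pulls the Personal, Business1, Tenants and SyncEngines artifacts from sections 1, 4, 5 and 6 in one pass and converts the epoch timestamps to UTC. It assumes a live hive under HKCU: or an NTUSER.DAT from an image mounted with reg load; the script name and the -HiveRoot parameter are hypothetical.

```powershell
# Added example, not from the original post: triage the OneDrive registry keys
# covered above. Works on the live user hive (HKCU:) or an NTUSER.DAT mounted with
# "reg load HKU\Evidence X:\case\NTUSER.DAT" and -HiveRoot 'Registry::HKEY_USERS\Evidence'
param([string]$HiveRoot = 'HKCU:')

function ConvertFrom-EpochSeconds {
    param($Value)
    # LastSignInTime / ClientFirstSignInTimestamp are Unix epoch seconds; return UTC,
    # or the raw value if it cannot be converted
    if ($null -eq $Value) { return $null }
    try { return [DateTimeOffset]::FromUnixTimeSeconds([int64]$Value).UtcDateTime }
    catch { return $Value }
}

function Get-OneDriveAccountArtifacts {
    param([string]$Root)
    $accounts = Join-Path $Root 'Software\Microsoft\OneDrive\Accounts'
    foreach ($acct in Get-ChildItem -Path $accounts -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $acct.PSPath
        # Tenants subkeys record shared / other-user folders synced under this account
        $tenants = Get-ChildItem -Path "$($acct.PSPath)\Tenants" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Account       = $acct.PSChildName              # Personal, Business1, ...
            UserFolder    = $p.UserFolder                  # real sync root, even if moved
            UserEmail     = $p.UserEmail
            Cid           = if ($p.cid) { $p.cid } else { $p.UserCid }
            LastSignIn    = ConvertFrom-EpochSeconds $p.LastSignInTime
            FirstSignIn   = ConvertFrom-EpochSeconds $p.ClientFirstSignInTimestamp
            SPOResourceID = $p.SPOResourceID               # Business accounts only
            Tenants       = ($tenants.PSChildName -join '; ')
        }
    }
}

function Get-OneDriveSyncEngineMounts {
    param([string]$Root)
    $providers = Join-Path $Root 'Software\SyncEngines\Providers\OneDrive'
    foreach ($k in Get-ChildItem -Path $providers -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath
        [pscustomobject]@{
            Provider         = $k.PSChildName
            MountPoint       = $p.MountPoint        # local path, incl. shared/SharePoint libraries
            UrlNamespace     = $p.UrlNamespace      # OneDrive vs SharePoint/Teams origin
            LastModifiedTime = $p.LastModifiedTime  # emitted as stored (format not covered above)
        }
    }
}
Get-OneDriveAccountArtifacts -Root $HiveRoot | Format-List
Get-OneDriveSyncEngineMounts -Root $HiveRoot | Format-Table -AutoSize
```

Run it once per user hive on the system; an account whose UserFolder differs from %UserProfile%\OneDrive is the "moved folder" case from section 1.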


----------------------------------------------------------------------------------------------------------


7️⃣ Tracking OneDrive Web Access (Cloud-Only Activity)

If a user accessed OneDrive through a web browser (instead of the local app), artifacts may appear in:


  • Browser History (Edge, Chrome, Firefox)

  • Windows Event Logs

  • Cloud Access Logs (if available from Microsoft 365)


OneDrive web access URLs look like this:


https[:]/onedrive.live.com/?cid=310ff47e40c97767&id=310ff47e40c97767!145750

💡 Forensic Insight:
  • The cid value in the URL matches the UserCid in registry keys—helpful for tracking multiple accounts.

  • The resid parameter refers to specific files or folders accessed via the web client.
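Added example, not from the original post: a PowerShell helper that pulls cid and id/resid out of OneDrive web URLs recovered from browser history and matches the cid against the UserCid values taken from the registry. The URL list and the account table are constructed sample data; the cid shown is the one from the URL above.

```powershell
# Added example, not from the original post. Matches OneDrive web URLs from browser
# history to accounts by cid; $knownAccounts and $sampleUrls are constructed data
# (fill $knownAccounts from the cid/UserCid values found in the registry).
function Get-OneDriveUrlIdentifiers {
    param([string]$Url)
    # Normalise defanged URLs (https[:]//, hxxps://) before parsing the query string
    $clean = $Url -replace '\[:\]', ':' -replace '^hxxp', 'http'
    $q = @{}
    foreach ($m in [regex]::Matches($clean, '[?&](cid|id|resid)=([^&#]+)')) {
        $q[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $item = if ($q['resid']) { $q['resid'] } else { $q['id'] }
    [pscustomobject]@{
        Url  = $Url
        Cid  = $q['cid']
        # id / resid take the form "<cid>!<number>"; the number identifies the file or folder
        Item = if ($item -and $item.Contains('!')) { $item.Split('!')[1] } else { $item }
    }
}

$knownAccounts = @{ '310ff47e40c97767' = 'Personal (cid from the registry key in section 1)' }
$sampleUrls = @(
    'https[:]//onedrive.live.com/?cid=310ff47e40c97767&id=310ff47e40c97767!145750',
    'https://onedrive.live.com/?cid=0123456789abcdef&resid=0123456789abcdef!42'
)
foreach ($u in $sampleUrls) {
    $ids = Get-OneDriveUrlIdentifiers -Url $u
    $owner = 'no matching UserCid in registry'
    if ($ids.Cid -and $knownAccounts.ContainsKey($ids.Cid)) { $owner = $knownAccounts[$ids.Cid] }
    '{0} -> cid {1} ({2}), item {3}' -f $ids.Url, $ids.Cid, $owner, $ids.Item
}
```

A URL whose cid matches no account in the registry points to a second account or another user's share that was only ever used through the browser.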


----------------------------------------------------------------------------------------------------------

🛑 Key Challenges in OneDrive Forensics


🚨 1. Cloud-Only Files May Not Be Stored Locally

  • Files accessed via "Files on Demand" may never be fully downloaded.

  • Investigators must analyze metadata & sync logs to track cloud-only data.


🚨 2. Remote Deletions Can Hide Evidence

  • Files deleted in OneDrive sync across all devices.

  • Investigators may need Volume Shadow Copies or Microsoft 365 logs to recover data.


🚨 3. Personal & Business OneDrive Accounts Can Be Mixed

  • Users often log into both accounts on the same system.

  • Check registry keys to differentiate personal vs. business data.

----------------------------------------------------------------------------------------------------------


OneDrive as a Crucial Forensic Artifact

Microsoft OneDrive leaves behind substantial forensic evidence, even for files that no longer exist locally.


We will explore more about OneDrive in the next article (Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization), so stay tuned! See you in the next one.

--------------------------------------------Dean-------------------------------------------------

