
Cloud storage has evolved beyond simple local folder synchronization. Newer technologies, like Files On-Demand and Smart Sync, allow users to interact with cloud-stored files without downloading them. This presents new forensic challenges since not all files exist locally, and standard filesystem artifacts may be missing.
We’ll cover:
✅ How OneDrive’s new sync model affects forensic investigations
✅ Tracking cloud-only files & deleted data
✅ Using OneDrive’s forensic artifacts to recover missing evidence
-------------------------------------------------------------------------------------------------------------
1️⃣ Understanding "Hydrated" vs. "Dehydrated" Files in OneDrive
Microsoft OneDrive introduced Files On-Demand in Windows 10 (version 1709), allowing users to view all cloud-stored files without downloading them.
📌 OneDrive File Status Icons:
🌥 Blue Cloud: File is only in the cloud (dehydrated)
✅ Green Check (Hollow): File was opened recently and cached locally
✅ Green Check (Filled): File is fully downloaded and always available locally


💡 Why This Matters:
Some files may have never existed on the local system (dehydrated).
A forensic image may miss cloud-only files unless OneDrive logs or sync databases are analyzed.
-------------------------------------------------------------------------------------------------------------
2️⃣ Where to Find OneDrive Artifacts
Even if files are not stored locally, OneDrive leaves forensic traces in multiple locations:
📍 OneDrive Sync Folder (Locally Stored Files)
%UserProfile%\OneDrive\
💡 Includes only hydrated (downloaded) files. Cloud-only files are missing.
📍 OneDrive Settings & Metadata
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\
💡 Contains sync logs, database files, and user metadata.
📍 OneDrive Logs (File Sync History)
%UserProfile%\AppData\Local\Microsoft\OneDrive\logs\
💡 Records uploads, downloads, and file deletions. Stores up to 30 days of logs.
📍 OneDrive Registry Keys (User Account & Sync Details)
NTUSER\Software\Microsoft\OneDrive\Accounts\Personal
💡 Tracks the OneDrive sync folder location and last authentication time.
-------------------------------------------------------------------------------------------------------------
3️⃣ Investigating Cloud-Only Files Using OneDrive Sync Database
📌 SyncEngineDatabase.db (SQLite) – The Most Important OneDrive Artifact
In March 2023, Microsoft migrated OneDrive’s file-tracking database to SQLite.
The SyncEngineDatabase.db file stores:
✅ Cloud-only file records (even if never downloaded)
✅ File metadata (timestamps, size, folder structure)
✅ Synchronization status (e.g., cloud-only, synced, shared)
✅ quickXorHash values (instead of SHA1) for file integrity
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\SyncEngineDatabase.db

Key Tables in SyncEngineDatabase.db
🔹 od_ClientFile_Records (Tracks OneDrive Files)

| Column | Description |
| --- | --- |
| fileName | Name of the file |
| resourceID | Unique identifier for each file |
| lastChange | Last modification time (Unix epoch format) |
| size | File size |
| fileStatus | Synchronization status |
| sharedItem | Indicates whether the file was shared |
| localHashDigest | quickXorHash value for file integrity |

📌 File Status Codes:
2 = Available Locally (Downloaded)
5 = Excluded (Ignored by sync)
6 = Not Synced
8 = Available Online Only (Cloud-only)

💡 Forensic Use:
Identifies files that only exist in the cloud (fileStatus = 8).
Tracks deleted or moved files by correlating with OneDrive logs.
🔹 od_ClientFolder_Records (Tracks OneDrive Folders)

| Column | Description |
| --- | --- |
| folderName | Name of the folder |
| resourceID | Unique folder identifier |
| folderStatus | Sync status (Synced, Not Synced, etc.) |
| sharedItem | Indicates whether the folder was shared |

📌 Folder Status Codes:
9 = Synced
10 = Not Synced
11 = Not Linked
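The following is an added example (not code from the original article or from any OneDrive tool) showing how an examiner can pull od_ClientFile_Records from SyncEngineDatabase.db, decode the fileStatus codes and the Unix epoch lastChange value, and list the cloud-only (fileStatus = 8) files that may never have existed on disk. The table and column names are those given above; the column types, the BLOB handling for localHashDigest and the sample rows are assumptions constructed for the demo.

```python
import base64
import sqlite3
from datetime import datetime, timezone

# fileStatus codes as listed in the article (Section 3)
FILE_STATUS = {2: "Available Locally", 5: "Excluded", 6: "Not Synced", 8: "Cloud-only"}

def open_sync_db(db_path):
    """Open SyncEngineDatabase.db read-only so the evidence copy is never written to."""
    return sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)

def load_file_records(conn):
    """Read od_ClientFile_Records; decode status, epoch timestamp (as UTC) and hash."""
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT fileName, resourceID, lastChange, size, fileStatus, sharedItem, "
        "localHashDigest FROM od_ClientFile_Records ORDER BY lastChange"
    ).fetchall()
    records = []
    for r in rows:
        digest = r["localHashDigest"]
        if isinstance(digest, bytes):            # assumption: hash may be stored as a BLOB
            digest = base64.b64encode(digest).decode()
        records.append({
            "fileName": r["fileName"],
            "resourceID": r["resourceID"],
            "lastChange": datetime.fromtimestamp(r["lastChange"], tz=timezone.utc).isoformat(),
            "size": r["size"],
            "status": FILE_STATUS.get(r["fileStatus"], f"Unknown({r['fileStatus']})"),
            "shared": bool(r["sharedItem"]),
            "quickXorHash": digest,
        })
    return records

def cloud_only_files(records):
    """Files with fileStatus 8: present in the cloud, possibly never on the local disk."""
    return [r for r in records if r["status"] == "Cloud-only"]

def build_sample_db():
    """Constructed in-memory sample mirroring the article's column list (types assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE od_ClientFile_Records (fileName TEXT, resourceID TEXT, "
                 "lastChange INTEGER, size INTEGER, fileStatus INTEGER, sharedItem INTEGER, "
                 "localHashDigest BLOB)")
    conn.executemany("INSERT INTO od_ClientFile_Records VALUES (?,?,?,?,?,?,?)", [
        ("notes.txt",   "RES-001", 1705314600, 512,   2, 0, b"\x01\x02\x03"),
        ("budget.xlsx", "RES-002", 1705401000, 20480, 8, 1, b"\x0a\x0b\x0c"),
        ("old.docx",    "RES-003", 1705487400, 4096,  6, 0, None),
    ])
    conn.commit()
    return conn
```

On a real image, call `load_file_records(open_sync_db(path_to_copy))` against a working copy of the database, then feed the result of `cloud_only_files` into your timeline alongside the .odl log entries.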
-------------------------------------------------------------------------------------------------------------
4️⃣ Investigating Deleted OneDrive Files
When a user deletes a file, it disappears from all synced devices and the cloud.
However, OneDrive and Windows keep hidden traces.
💾 Recovering Deleted OneDrive Files
✅ Option 1: Windows Recycle Bin
Locally deleted OneDrive files may still be in:
C:\$Recycle.Bin\
✅ Option 2: OneDrive Recycle Bin (Cloud-Based Recovery)
OneDrive Personal: Deleted files stored for 30 days
OneDrive for Business: Deleted files stored for 93 days
URL to check deleted OneDrive files:

✅ Option 3: OneDrive Sync Logs & SafeDelete.db
SafeDelete.db (SQLite) stores deleted file records before syncing.
Deleted file traces may persist in logs & databases before being purged.
📍 Location:
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\SafeDelete.db

💡 Forensic Use:
Tracks who deleted a file and when.
Identifies files deleted long ago using SQLite carving techniques.

-------------------------------------------------------------------------------------------------------------
5️⃣ Tracking Shared Files & External Data Sources
OneDrive allows users to sync shared folders from other users, Microsoft Teams, or SharePoint.
📌 Registry Key for Shared Folders (Tenants)
NTUSER\Software\Microsoft\OneDrive\Accounts\Personal\Tenants
💡 Tracks external data sources, including:
✅ Files shared from other OneDrive accounts
✅ SharePoint & Teams folder synchronization
📌 Forensic Use:
Investigators must check this key to avoid missing shared folders stored outside the default OneDrive folder.
-------------------------------------------------------------------------------------------------------------
6️⃣ Locating OneDrive Log Files & Understanding Their Purpose
📍 Log File Location:
%UserProfile%\AppData\Local\Microsoft\OneDrive\logs\
OneDrive logs track interactions between the local system and the cloud, recording:
✅ File synchronization events (uploads, downloads, deletions)
✅ File modifications (renames, moves, metadata changes)
✅ Cloud-only file interactions (Files On-Demand downloads, file access timestamps)
📌 Common OneDrive Log File Extensions
| File Extension | Purpose |
| --- | --- |
| .odl | Main log file tracking file activities |
| .odlsent | Logs of files successfully synced |
| .odlgz | Compressed logs (older entries) |
| .aodl | Advanced logging (for internal Microsoft use) |
📌 Important Notes:
Log filenames are anonymized (filenames replaced with obfuscated values).
Older OneDrive versions used ObfuscationStringMap.txt to decode filenames, but newer versions encrypt logs with Bcrypt (key stored in general.keystore).
🔍 Forensic Tools to Parse OneDrive Logs:
OneDriveExplorer (by Brian Maloney)
Python scripts by Yogesh Khatri
A big thank you to Brian Maloney for reaching out to me regarding the issue where I said the tool was not working for me. I must admit, I had forgotten to recheck it. Today, I downloaded the latest version of OneDrive Explorer from GitHub, and it appears to be working perfectly. The tool is now parsing the .odl logs as expected, and OneDrive Explorer is successfully displaying the data.

Screenshot: parsing ODL logs, with output in CSV

------------------------------------------------------------------------------------------------------------
7️⃣ Investigating OneDrive File Activity Using .ODL Logs
📌 OneDrive logs are essential for tracking:
✅ File uploads & downloads (date, time, file size)
✅ File deletions & renames
✅ Cloud-only file access (even if the file never existed locally)

🔹 Recovering Deleted File Activity from .ODL Logs
Even after a file is deleted from OneDrive, remnants remain in .ODL logs.
Look for file delete events (Deleted column in OneDriveExplorer output).
Correlate timestamps with Windows Recycle Bin logs ($Recycle.Bin).
Check cloud-based OneDrive Recycle Bin (retains files for 30–93 days).
🔍 Cross-reference OneDrive logs with:
Windows Event Logs (tracks OneDrive file modifications)
Volume Shadow Copies (may store previous versions of OneDrive files)
-------------------------------------------------------------------------------------------------------------
OneDrive’s Important Settings Files (screenshot):

-------------------------------------------------------------------------------------------------------------
OneDrive’s Evolving Forensic Challenges
Microsoft OneDrive has transformed digital forensics, requiring investigators to look beyond standard filesystem artifacts.
We will explore more about OneDrive in the next article (Investigating OneDrive for Business: Advanced Forensics & Audit Logs), so stay tuned! See you in the next one.