Cloud storage has evolved beyond simple local folder synchronization. Newer technologies, like Files On-Demand and Smart Sync, allow users to interact with cloud-stored files without downloading them. This presents new forensic challenges since not all files exist locally, and standard filesystem artifacts may be missing.
We’ll cover:
✅ How OneDrive’s new sync model affects forensic investigations
✅ Tracking cloud-only files & deleted data
✅ Using OneDrive’s forensic artifacts to recover missing evidence
-------------------------------------------------------------------------------------------------------------
1️⃣ Understanding "Hydrated" vs. "Dehydrated" Files in OneDrive
Microsoft OneDrive introduced Files On-Demand in Windows 10 (version 1709), allowing users to view all cloud-stored files without downloading them.
📌 OneDrive File Status Icons:
🌥 Blue Cloud: File is only in the cloud (dehydrated)
✅ Green Check (Hollow): File was opened recently and cached locally
✅ Green Check (Filled): File is fully downloaded and always available locally
💡 Why This Matters:
Some files may have never existed on the local system (dehydrated).
A forensic image may miss cloud-only files unless OneDrive logs or sync databases are analyzed.
-------------------------------------------------------------------------------------------------------------
2️⃣ Where to Find OneDrive Artifacts
Even if files are not stored locally, OneDrive leaves forensic traces in multiple locations:
📍 OneDrive Sync Folder (Locally Stored Files)
%UserProfile%\OneDrive\💡 Includes only hydrated (downloaded) files. Cloud-only files are missing.
📍 OneDrive Settings & Metadata
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\💡 Contains sync logs, database files, and user metadata.
📍 OneDrive Logs (File Sync History)
%UserProfile%\AppData\Local\Microsoft\OneDrive\logs\💡 Records uploads, downloads, and file deletions. Stores up to 30 days of logs.
📍 OneDrive Registry Keys (User Account & Sync Details)
NTUSER\Software\Microsoft\OneDrive\Accounts\Personal💡 Tracks the OneDrive sync folder location and last authentication time.
-------------------------------------------------------------------------------------------------------------
3️⃣ Investigating Cloud-Only Files Using OneDrive Sync Database
📌 SyncEngineDatabase.db (SQLite) – The Most Important OneDrive Artifact
Since March 2023, Microsoft migrated OneDrive’s file-tracking system to SQLite.
The SyncEngineDatabase.db file stores:
✅ Cloud-only file records (even if never downloaded)
✅ File metadata (timestamps, size, folder structure)
✅ Synchronization status (e.g., cloud-only, synced, shared)
✅ quickXorHash values (instead of SHA1) for file integrity
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\SyncEngineDatabase.db
Key Tables in SyncEngineDatabase.db
🔹 od_ClientFile_Records (Tracks OneDrive Files)
Column | Description |
fileName | Name of the file |
resourceID | Unique identifier for each file |
lastChange | Last modification time (Unix Epoch format) |
size | File size |
fileStatus | Synchronization status |
sharedItem | Indicates if the file was shared |
localHashDigest | quickXorHash value for file integrity |
📌 File Status Codes:
2 = Available Locally (Downloaded)
5 = Excluded (Ignored by sync)
6 = Not Synced
8 = Available Online Only (Cloud-only)
💡 Forensic Use:
Identifies files that only exist in the cloud (fileStatus = 8).
Tracks deleted or moved files by correlating with OneDrive logs.
🔹 od_ClientFolder_Records (Tracks OneDrive Folders)
Column | Description |
folderName | Name of the folder |
resourceID | Unique folder identifier |
folderStatus | Sync status (Synced, Not Synced, etc.) |
sharedItem | Indicates if the folder was shared |
📌 Folder Status Codes:
9 = Synced
10 = Not Synced
11 = Not Linked
-------------------------------------------------------------------------------------------------------------
4️⃣ Investigating Deleted OneDrive Files
When a user deletes a file, it disappears from all synced devices and the cloud.
However, OneDrive and Windows keep hidden traces.
💾 Recovering Deleted OneDrive Files
✅ Option 1: Windows Recycle Bin
Locally deleted OneDrive files may still be in:
C:\$Recycle.Bin\✅ Option 2: OneDrive Recycle Bin (Cloud-Based Recovery)
OneDrive Personal: Deleted files stored for 30 days
OneDrive for Business: Deleted files stored for 93 days
URL to check deleted OneDrive files:
✅ Option 3: OneDrive Sync Logs & SafeDelete.db
SafeDelete.db (SQLite) stores deleted file records before syncing.
Deleted file traces may persist in logs & databases before being purged.
📍 Location:
%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal\SafeDelete.db
💡 Forensic Use:
Tracks who deleted a file and when.
Identifies files deleted long ago using SQLite carving techniques.
-------------------------------------------------------------------------------------------------------------
5️⃣ Tracking Shared Files & External Data Sources
OneDrive allows users to sync shared folders from other users, Microsoft Teams, or SharePoint.
📌 Registry Key for Shared Folders (Tenants)
NTUSER\Software\Microsoft\OneDrive\Accounts\Personal\Tenants💡 Tracks external data sources, including:
✅ Files shared from other OneDrive accounts
✅ SharePoint & Teams folder synchronization
📌 Forensic Use:
Investigators must check this key to avoid missing shared folders stored outside the default OneDrive folder.
-------------------------------------------------------------------------------------------------------------
6️⃣ Locating OneDrive Log Files & Understanding Their Purpose
📍 Log File Location:
%UserProfile%\AppData\Local\Microsoft\OneDrive\logs\OneDrive logs track interactions between the local system and the cloud, recording:
✅ File synchronization events (uploads, downloads, deletions)
✅ File modifications (renames, moves, metadata changes)
✅ Cloud-only file interactions (Files On-Demand downloads, file access timestamps)
📌 Common OneDrive Log File Extensions
File Extension | Purpose |
.odl | Main log file tracking file activities |
.odlsent | Logs of files successfully synced |
.odlgz | Compressed logs (older entries) |
.aodl | Advanced logging (for internal Microsoft use) |
📌 Important Notes:
Log filenames are anonymized (filenames replaced with obfuscated values).
Older OneDrive versions used ObfuscationStringMap.txt to decode filenames, but newer versions encrypt logs with Bcrypt (key stored in general.keystore).
🔍 Forensic Tools to Parse OneDrive Logs:
OneDriveExplorer (by Brian Maloney)
Python scripts by Yogesh Khatri
Both tools are not working for me at the moment. I am still investigating, and as soon as I find a better method to parse the logs, I will update the article. Stay tuned!
------------------------------------------------------------------------------------------------------------
7️⃣ Investigating OneDrive File Activity Using .ODL Logs
📌 OneDrive logs are essential for tracking:
✅ File uploads & downloads (date, time, file size)
✅ File deletions & renames
✅ Cloud-only file access (even if the file never existed locally)
🔹 Recovering Deleted File Activity from .ODL Logs
Even after a file is deleted from OneDrive, remnants remain in .ODL logs.
Look for file delete events (Deleted column in OneDriveExplorer output).
Correlate timestamps with Windows Recycle Bin logs ($Recycle.Bin).
Check cloud-based OneDrive Recycle Bin (retains files for 30–93 days).
🔍 Cross-reference OneDrive logs with:
Windows Event Logs (tracks OneDrive file modifications)
Volume Shadow Copies (may store previous versions of OneDrive files)
-------------------------------------------------------------------------------------------------------------
OneDrive’s Setting Important File:
-------------------------------------------------------------------------------------------------------------
OneDrive’s Evolving Forensic Challenges
Microsoft OneDrive has transformed digital forensics, requiring investigators to look beyond standard filesystem artifacts.
We will explore more about OneDrive in the next article(Investigating OneDrive for Business: Advanced Forensics & Audit Logs), so stay tuned! See you in the next one.
Comentarios