
Investigating Google Drive for Desktop can be a time-consuming process, especially when dealing with protobuf-encoded metadata and cached files. Fortunately, open-source forensic tools like gMetaParse and DriveFS Sleuth make the job significantly easier.
-------------------------------------------------------------------------------------------------------------
1️⃣ Automating Metadata Extraction with gMetaParse
🔍 What is gMetaParse?
Developed by a forensic researcher, gMetaParse is a Python-based tool that automates the extraction of metadata from Google Drive for Desktop’s metadata_sqlite_db database.
📌 Key Features of gMetaParse:
✅ Extracts metadata for all files and folders in Google Drive
✅ Identifies cached files stored locally
✅ Detects deleted (trashed) files
✅ Provides CSV, JSON, and GUI output
📍 Installation & Usage:
gMetaParse is available as a Python script or a pre-compiled .exe. It can be run from the command line or with a graphical user interface (GUI).

🛠️ Step-by-Step: Running gMetaParse
1️⃣ Open a command prompt and navigate to the gMetaParse folder.
2️⃣ Run the following command:
gMetaParse.exe -f "C:\Users\Akash\AppData\Local\Google\DriveFS\<account_ID>\metadata_sqlite_db" -d "C:\Users\Akash\AppData\Local\Google\DriveFS\<account_ID>\content_cache" -o "C:\Users\Akash\Downloads\GoogleDriveFS.csv" -g
📌 Explanation:
✅ -f → Points to the Google Drive metadata database
✅ -d → Specifies the cache folder location
✅ -o → Outputs results in CSV format
✅ -g → Launches GUI for interactive file browsing
-------------------------------------------------------------------------------------------------------------
2️⃣ Visualizing Google Drive Data with gMetaParse GUI
📌 Why Use the GUI?
While CSV/JSON outputs are useful for analysis, gMetaParse’s graphical interface (GUI) makes it easier to navigate large file structures and visually identify deleted or cached files.

🔍 Features of gMetaParse GUI:
✅ Tree structure visualization of Google Drive contents
✅ Color-coded files:
🟥 Red → Deleted (trashed) files
🟩 Green → Cached (available locally)
✅ Detailed metadata view when clicking a file
📌 Forensic Use:
✅ Quickly identify deleted files and recover their locally cached copies
✅ Filter & search files using metadata
✅ Export all metadata for offline analysis
-------------------------------------------------------------------------------------------------------------
3️⃣ Extracting Google Drive Metadata with DriveFS Sleuth
🔍 What is DriveFS Sleuth?
DriveFS Sleuth is an advanced Google Drive forensics tool developed by Amged Wageh and Ann Bransom. It specializes in decoding protobuf-encoded data and recovering MD5 hashes from Google Drive metadata.
📌 Key Features of DriveFS Sleuth:
✅ Parses metadata_sqlite_db, extracting file metadata, timestamps, and hashes
✅ Recovers MD5 hashes for locally stored files
✅ Extracts account information (Google email, username, settings)
✅ Provides interactive HTML reports
📍 Installation & Usage:
🛠️ Step-by-Step: Running DriveFS Sleuth
1️⃣ Install Python 3 (if not already installed).
2️⃣ Download DriveFS Sleuth from GitHub.
3️⃣ Run the following command:
python3 drivefs_sleuth.py /mnt/c/Users/Akash/AppData/Local/Google/DriveFS --html -o /mnt/c/Users/Akash/Downloads/GoogleDriveFS.html

-------------------------------------------------------------------------------------------------------------
4️⃣ Investigating Google Workspace Logs (Business & Enterprise)
🔍 Why Are Google Workspace Logs Important?
For enterprise environments, Google Workspace logs provide a detailed audit trail of user activity, including:
✅ File uploads, downloads, modifications
✅ File sharing (internal & external users)
✅ Deleted items & recovery attempts
✅ Login history & suspicious access attempts
📍 Accessing Google Workspace Logs:
1️⃣ Log in to the Google Admin Console (admin.google.com).
2️⃣ Navigate to Reports > Audit > Drive Log.
3️⃣ Filter logs based on event type, user, date range, or filename.
4️⃣ Export logs to CSV for offline analysis.
-------------------------------------------------------------------------------------------------------------
5️⃣ Filtering Google Workspace Logs for Investigation
📌 Key Log Categories & Event Names:
| Event Name           | Description                                   |
|----------------------|-----------------------------------------------|
| FileUploaded         | User uploaded a new file                      |
| FileDownloaded       | File downloaded from Google Drive             |
| FileDeleted          | File moved to trash                           |
| FileCopied           | File duplicated within Drive                  |
| AnonymousLinkCreated | File shared externally via a public link      |
| FileViewed           | File opened by the user                       |
📌 Forensic Use:
✅ Identify suspicious file sharing (e.g., external link creation)
✅ Track deleted files & their recovery attempts
✅ Correlate file access with IP addresses & user accounts
-------------------------------------------------------------------------------------------------------------
6️⃣ Investigating File Sharing & External Access
📌 How to Identify External File Sharing:
✅ Look for AnonymousLinkCreated → Indicates public file sharing
✅ Check IP addresses in logs → Identify external access
✅ Cross-reference Google Drive metadata → Find locally cached shared files
📍 Example: Investigating an External File Share
1️⃣ Search logs for AnonymousLinkCreated
2️⃣ Identify which file was shared and by which user
3️⃣ Check logs for FileDownloaded → Determine if the file was accessed externally
4️⃣ Extract IP address & timestamps → Track external access
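The four steps above, carried out over an exported Drive audit log, as an added example (not part of the original post, and not code from gMetaParse or DriveFS Sleuth). The CSV column names and the log rows are constructed for this example and are an assumption, not the exact headers of a real Admin Console export; the internal IP prefix is likewise an assumed value for the investigated organisation.

```python
import csv
import io

# Constructed sample of a Drive audit log export (column names are an assumption).
SAMPLE_LOG = """timestamp,event_name,actor,ip_address,doc_id,doc_title
2024-05-02T09:12:00Z,FileUploaded,alice@example.com,203.0.113.10,doc-001,Q2_Budget.xlsx
2024-05-02T09:15:30Z,AnonymousLinkCreated,alice@example.com,203.0.113.10,doc-001,Q2_Budget.xlsx
2024-05-02T10:00:00Z,FileDownloaded,bob@example.com,203.0.113.22,doc-001,Q2_Budget.xlsx
2024-05-02T11:40:05Z,FileDownloaded,anonymous,198.51.100.7,doc-001,Q2_Budget.xlsx
2024-05-02T11:41:00Z,FileViewed,bob@example.com,203.0.113.22,doc-002,Notes.docx
2024-05-03T02:03:44Z,FileDownloaded,anonymous,198.51.100.9,doc-001,Q2_Budget.xlsx
2024-05-03T08:00:00Z,FileDeleted,alice@example.com,203.0.113.10,doc-001,Q2_Budget.xlsx
"""


def parse_drive_log(text):
    """Step 0: read the exported CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def external_share_timeline(rows, internal_prefixes=("203.0.113.",)):
    """Steps 1-4: for each AnonymousLinkCreated event, find the file and the
    sharing user, then collect later FileDownloaded events for that file and
    flag those coming from outside the assumed internal IP range."""
    result = {}
    for share in (r for r in rows if r["event_name"] == "AnonymousLinkCreated"):
        downloads = [
            d for d in rows
            if d["event_name"] == "FileDownloaded"
            and d["doc_id"] == share["doc_id"]
            and d["timestamp"] > share["timestamp"]  # ISO-8601 strings sort chronologically
        ]
        external = [d for d in downloads if not d["ip_address"].startswith(internal_prefixes)]
        result[share["doc_id"]] = {
            "title": share["doc_title"],
            "shared_by": share["actor"],
            "shared_at": share["timestamp"],
            "downloads_after_share": len(downloads),
            "external_downloads": [(d["timestamp"], d["ip_address"]) for d in external],
            "external_ips": sorted({d["ip_address"] for d in external}),
        }
    return result


if __name__ == "__main__":
    for doc_id, info in external_share_timeline(parse_drive_log(SAMPLE_LOG)).items():
        print(doc_id, info)
```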
-------------------------------------------------------------------------------------------------------------
Conclusion
Google Drive forensics plays a crucial role in modern digital investigations, providing insights into file synchronization, access history, deletions, and metadata changes. By analyzing local artifacts, cloud logs, and sync databases, forensic analysts can reconstruct user activity and track evidence even after files have been deleted or modified.
Understanding key artifacts such as Google Drive logs, SQLite databases, and API activity allows investigators to uncover who accessed what files, when, and from where—a critical aspect of forensic timelines.
🚀 Keep exploring, stay curious, and refine your forensic skills—because digital evidence is everywhere! 🔍
🎯 Next Up: Dropbox Forensics – Investigating Cloud Storage Security 🚀
-----------------------------------------------Dean-----------------------------------------------