Box is one of the most forensic-friendly cloud storage applications, offering extensive logging, locally cached files, and SQLite databases that track user activity and file metadata. This makes it a goldmine for forensic investigators looking to analyze user interactions, deleted files, and cloud-stored documents.
-------------------------------------------------------------------------------------------------------------
1️⃣ Box Local Artifacts: Logs, Databases, and Cache Files
🔍 Where Does Box Store Metadata and Logs Locally?
File/Database | Location | Purpose |
sync.db | %AppData%\Local\Box\Box\data\ | Tracks both locally cached & cloud-only files |
streemsfs.db | %AppData%\Local\Box\Box\data\ | Lists cached files stored locally |
metrics.db | %AppData%\Local\Box\Box\data\ | Stores Box login email & authentication details |
Box_Streem logs | %AppData%\Local\Box\Box\logs\ | Detailed user activity logs (file access, sync) |
.cache | %UserProfile%\Box\ | Stores offline & temp cached files |
📌 Forensic Use:
✅ Recover cached files, including cloud-only items accessed offline
✅ Track user logins and Box authentication details
✅ Extract timestamps and SHA1 hashes for forensic verification
-------------------------------------------------------------------------------------------------------------
2️⃣ Understanding Box's NTFS Reparse Points & Virtual File System
🔍 How Does Box Handle Cloud-Only Files?
Box uses NTFS reparse points to create a virtualized file system, meaning:
Files appear local, but actual content may be in the cloud.
Interacting with a file triggers a real-time download.
Box Drive contents won’t be visible in traditional forensic imaging.
📍 Forensic Implications:
🔸 Standard disk imaging won’t capture Box cloud files if they are not cached.
🔸 Investigators must access live systems or parse Box databases to extract metadata.
🔸 Offline files can be recovered from the cache directory.
-------------------------------------------------------------------------------------------------------------
3️⃣ Extracting Metadata from Box SQLite Databases
🔍 1. Analyzing sync.db: The Box File Tracker
*******Deleted items in the Box Drive trash folder are not tracked in this database.
📍 Located at:
%AppData%\Local\Box\Box\data\sync.db
Column | Description |
name | Original filename |
checksum | SHA1 hash of file |
size | File size (bytes) |
content_created_at | File creation time (Unix epoch) |
content_updated_at | Last modification time (Unix epoch) |
parent_item_id | Parent folder, which can be cross-referenced with the box_id field to find folder name |
Note:
Timestamps do not appear to update as expected when interfacing with Box on the website via a browser. As an example, content_created_at and content_updated_at are both set to the original file modification time when the file is added via the browser. When using Windows File Explorer to interact with files, timestamps update as expected.
Useful fields from the local_item table:
. inode: Universal ID assigned to file, which can be useful for quickly matching with other databases like streemsfs.db
📌 Forensic Use:
✅ Identify cloud-only files and locally stored files
✅ Verify file integrity using SHA1 checksums
✅ Correlate file timestamps with user activity
🔍 2. Analyzing streemsfs.db: Track locally Cached File files
********Both offline and online (cloud) items are tracked in the database, but deleted items in the Box Drive trash folder are not tracked within this database.
📍 Located at:
%AppData%\Local\Box\Box\data\streemsfs.db
Column | Description |
name | Cached file name |
createdAtTimestamp | File creation time |
modifiedAtTimestamp | Last modified time |
accessedAtTimestamp | Last accessed time (when file was opened from Box Drive) |
markForOffline | Files marked for permanent offline use |
inodeId | Identifier used to determine parent folders and as a foreign key in cachefiles table |
parentInodeId: | inodeId for parent folder |
folderFetchTimestamp: | When folder content was last synchronized with cloud |
Note:
Timestamps do not appear to update as expected when interfacing with Box on the website via a browser.
As an example, createdAtTimestamp, modifiedAtTimestamp, and accessedAtTimestamp are all set to the original file modification time.
And the accessedAtTimestamp does not update when the file is solely accessed via the browser. When using Windows File Explorer, timestamps update as expected in the database, with the exception that access
Important tables to Look for:
Cachefiles, fsnodes
cacheDataId: Filename within the Box cache folder of the locally saved file
size: File size of cached file (in bytes)
inodeId: Identifier used as a foreign key in fsnodes table
age: Time file was cached; a “0” value means not yet cached (Unix epoch time)
As you can see screenshot above correlating data one by one b/w them is difficult task to automate the, we will be use freely available script called streemBOXlite
This can be particularly helpful if there are many files cached on the system You should run this script using Python3.
Command:
akash@DESKTOP-DCLRDM4:/mnt/c/Users/Admin/Downloads$ python3 streemBOXlite.py -p /mnt/d/streem/ -c -o /mnt/c/Users/Admin/Downloads -v -q
Output:
📌 Forensic Use:
✅ Determine what files were accessed and stored locally
✅ Track offline file synchronization with Box cloud
✅ Recover deleted or previously cached files
🔍 3. Extracting User Login & Activity from metrics.db
📍 Located at:
%AppData%\Local\Box\Box\data\metrics.db
Column | Description |
payload | Stores Box login email & user authentication data |
📌 Forensic Use:
✅ Identify Box accounts linked to the system
✅ Correlate login activity with user behavior
✅ Investigate unauthorized access to enterprise Box accounts
-------------------------------------------------------------------------------------------------------------
4️⃣ Investigating Box Log Files (Box_Streem logs)
🔍 Box logs detailed user actions, including:
✅ File uploads & downloads
✅ Folder structure changes
✅ Synchronization errors
✅ Authentication attempts
📍 Log Location:
%AppData%\Local\Box\Box\logs\
📌 Forensic Use:
✅ Track when files were accessed or modified
✅ Reconstruct user file activity timeline
✅ Identify anomalous file access patterns
-------------------------------------------------------------------------------------------------------------
5️⃣ Recovering Deleted & Cached Files from Box Drive
🔍 How to Recover Deleted Files from Box?
Locally Deleted Files → Found in Recycle Bin
Box Cloud Trash → Retains deleted files for 30-120 days
Cached Files → Found in %UserProfile%\Box\.cache
📍 Forensic Strategy:
1️⃣ Extract file metadata from sync.db & streemsfs.db
2️⃣ Search .cache for offline versions of deleted files
3️⃣ Check Box logs for file deletion records
4️⃣ Retrieve deleted files from Box Cloud if enterprise logs are available
📌 Forensic Use:
✅ Recover previously cached Box files even if deleted from the cloud
✅ Identify sensitive documents removed from the system
✅ Correlate file deletion with user activity logs
-------------------------------------------------------------------------------------------------------------
🚀 Summary: Why Box is a Goldmine for Forensics
✔ Tracks file hashes (SHA1), timestamps, and offline/online status
✔ Maintains detailed logs for file access, sync, and user activity
✔ Stores locally cached files even if deleted from the cloud
✔ Allows forensic reconstruction of user interactions with cloud storage
As organizations increasingly rely on Box for cloud storage and collaboration, understanding Box forensics is essential for digital investigations. Box provides detailed activity logs, file versioning, and sharing records, which can help forensic analysts track user actions, detect unauthorized access, and reconstruct file history.
🔍 Stay proactive, test forensic scenarios, and refine your analysis techniques—because every digital action leaves a trace! 🚀
ความคิดเห็น