![](https://static.wixstatic.com/media/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg)
Google is known for its unique data storage formats, and Google Drive for Desktop is no exception. Unlike JSON or XML, Google Drive stores critical metadata in Protocol Buffers (protobufs)—a binary format that is highly efficient but difficult to interpret.
🚀 Key Topics:
✅ What are Protocol Buffers (protobufs)?
✅ How to decode protobufs in Google Drive databases
✅ Investigating Google Drive’s local file cache
✅ Mapping cached files to their original filenames
----------------------------------------------------------------------------------------------------------
1️⃣ Understanding Protocol Buffers (protobufs) in Google Drive
🔍 What Are Protocol Buffers?
Google developed Protocol Buffers (protobufs) as a lightweight, efficient data format for storing and transmitting structured data.
Unlike JSON or XML, protobufs store data in binary, making them:
✅ Faster to read/write
✅ More space-efficient
✅ Difficult for humans to interpret
📌 Where Are Protobufs Used in Google Drive?
Several key Google Drive databases use protobufs for storing file metadata:
| Database | Table | Protobuf Field | Description |
|---|---|---|---|
| metadata_sqlite_db | item_properties | content-entry | Stores cached file identifiers |
| metadata_sqlite_db | properties | account_settings | Stores Google account & sync settings |
----------------------------------------------------------------------------------------------------------
2️⃣ Decoding Protobufs Using CyberChef
Protobufs are not human-readable, so the BLOB has to be decoded before the values inside it can be read. CyberChef's "Protobuf Decode" operation parses the wire format without the original .proto schema: it recovers field numbers, wire types and values, but not field names, so the meaning of each field still has to be inferred from its content and context.
🛠️ Step-by-Step Protobuf Decoding (Using CyberChef)
1️⃣ Extract the binary content-entry or account_settings value from metadata_sqlite_db (in DB Browser for SQLite, export the cell as binary or copy it as hex).
2️⃣ If you copied the value as a hex string, turn it back into raw bytes with CyberChef's "From Hex" operation (skip this step if you loaded the raw BLOB).
3️⃣ Run the "Protobuf Decode" operation to parse the bytes into numbered fields.
4️⃣ Read file identifiers, hashes and other metadata off the decoded output. A length-delimited field that still looks like binary may be a nested message: run it through "Protobuf Decode" again.
Example:
![](https://static.wixstatic.com/media/5fb032_370a8286afd64ef1b99edb40deb00ca2~mv2.png/v1/fill/w_980,h_564,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_370a8286afd64ef1b99edb40deb00ca2~mv2.png)
📌 Forensic Use:
✅ Recover filenames & hashes from cached files
✅ Extract Google account details from account_settings
✅ Tie cached files to their metadata in Google Drive
----------------------------------------------------------------------------------------------------------
3️⃣ Collecting Google Drive’s Local Content Cache
Google Drive for Desktop presents Drive as a virtual (streamed) drive, so a forensic image of the system holds only placeholders and metadata for cloud-only files, not their content. Fortunately, Google Drive keeps local copies of some files (those that have been opened or made available offline) in a content cache, which lets investigators recover data that is no longer visible in Drive or was never written to the file system as a normal file.
📍 Cache Folder Location:
C:\Users\<user account>\AppData\Local\Google\DriveFS\<account ID>\content_cache\
![](https://static.wixstatic.com/media/5fb032_2ece5652048a4eb0887d06d691ff6dff~mv2.png/v1/fill/w_980,h_648,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_2ece5652048a4eb0887d06d691ff6dff~mv2.png)
Cached files are renamed (the original filename is not preserved) and have no file extension.
Cached copies can remain in the cache after the file has been deleted from Google Drive.
Cached thumbnails and previews may persist for longer periods than the full-size files.
📌 Forensic Use (pair the cache with metadata_sqlite_db, opened in DB Browser for SQLite):
✅ Recover cloud-only files that were previously accessed
✅ Extract deleted files from cache (even if removed from Google Drive)
✅ Analyze thumbnails and previews for additional evidence
----------------------------------------------------------------------------------------------------------
4️⃣ Mapping Cached Files to Original Filenames (Investigating the Cache Process)
Since cached files lose their original names, we must rebuild their filenames using metadata from metadata_sqlite_db.
📍 Key Database: metadata_sqlite_db
📌 Tables of Interest:
| Table | Field | Description |
|---|---|---|
| items | local_title | Original filename |
| items | file_size | File size (used for verification) |
| item_properties | content-entry | Maps cached files to their original names |
🛠️ Step-by-Step Process to Rebuild Filenames
1️⃣ Review the items table to identify files of interest (local_title, file_size)
2️⃣ Check item_properties for a content-entry property belonging to that item; if there is none, the file has not been cached
3️⃣ Parse the content-entry protobuf to identify the name the cached copy uses on disk
4️⃣ Look for that name in the content_cache folder and confirm the match by comparing the on-disk size with items.file_size
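The decoding described in section 2 and the four mapping steps above, as one added Python example (this is not the post's own code, and the message layout is not one published by Google): a schema-less protobuf wire-format decoder equivalent to CyberChef's "Protobuf Decode", followed by the items-to-item_properties lookup and the size check against content_cache. The column names (stable_id, item_stable_id, key, value), the content-entry field layout (field 1 assumed to hold the on-disk cache filename, field 2 a size) and every sample row and cache file are assumptions built into a throwaway fixture; on a real metadata_sqlite_db, inspect the table schema and the decoded field numbers before trusting the mapping.

```python
# Added example, not the post's code. ASSUMED: column names, content-entry layout (field 1 = cache filename), fixture data.
import os
import sqlite3
import tempfile
CACHE_NAME_FIELD = 1  # ASSUMED field number; confirm against the decoded output of a real database

def read_varint(buf, pos):
    """Decode one base-128 varint at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while pos < len(buf):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated varint")

def decode_protobuf(buf):
    """Schema-less wire-format parse (what CyberChef's Protobuf Decode does):
    returns [(field_number, wire_type, value)], length-delimited values as raw bytes."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wtype = tag >> 3, tag & 7
        if wtype == 0:                                   # varint
            value, pos = read_varint(buf, pos)
        elif wtype in (1, 5):                            # fixed64 / fixed32
            width = 8 if wtype == 1 else 4
            value, pos = int.from_bytes(buf[pos:pos + width], "little"), pos + width
        elif wtype == 2:                                 # length-delimited: text, hash or nested message
            length, pos = read_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:                                            # 3/4 are deprecated groups
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        if pos > len(buf):
            raise ValueError(f"field {number} runs past the end of the blob")
        fields.append((number, wtype, value))
    return fields

def map_content_cache(db_path, cache_dir):
    """Join items to their content-entry, decode it, and verify the file in content_cache."""
    with sqlite3.connect(db_path) as con:
        rows = con.execute(
            "SELECT i.local_title, i.file_size, p.value FROM items i JOIN item_properties p "
            "ON p.item_stable_id = i.stable_id WHERE p.key = 'content-entry'").fetchall()
    results = []
    for title, size, blob in rows:
        values = {n: v for n, _, v in decode_protobuf(blob)}
        cache_name = values[CACHE_NAME_FIELD].decode("utf-8")
        path = os.path.join(cache_dir, cache_name)
        if not os.path.isfile(path):
            status = "missing from cache"        # evicted, or never fully fetched
        elif os.path.getsize(path) != size:
            status = "size mismatch"             # partial download or stale entry
        else:
            status = "verified"
        results.append({"title": title, "cache_file": cache_name, "status": status})
    return results

def encode_field(number, value):
    """Fixture-only encoder: int -> varint field, bytes -> length-delimited field."""
    def varint(n):
        out = bytearray()
        while n > 0x7F:
            out.append((n & 0x7F) | 0x80)
            n >>= 7
        return bytes(out + bytes([n]))
    if isinstance(value, int):
        return varint(number << 3) + varint(value)
    return varint(number << 3 | 2) + varint(len(value)) + value

def build_fixture(root):
    cache = os.path.join(root, "content_cache")
    os.makedirs(cache)
    db = os.path.join(root, "metadata_sqlite_db")
    with sqlite3.connect(db) as con:
        con.executescript("CREATE TABLE items(stable_id INTEGER PRIMARY KEY, local_title TEXT, file_size INTEGER);"
                          "CREATE TABLE item_properties(item_stable_id INTEGER, key TEXT, value BLOB);")
        samples = [  # constructed: (stable_id, title, declared size, cache name or None, bytes on disk or None)
            (1, "report.pdf", 16, "1001", b"%PDF-1.7 fixture"),        # fully cached
            (2, "photo.jpg", 4096, "1002", b"\xff\xd8\xff\xe0 part"),  # partial download
            (3, "old.png", 512, "1003", None),                         # entry kept, file evicted
            (4, "cloud-only.docx", 2048, None, None),                  # never cached: no content-entry
        ]
        for sid, title, size, name, data in samples:
            con.execute("INSERT INTO items VALUES (?, ?, ?)", (sid, title, size))
            if name is not None:
                entry = encode_field(CACHE_NAME_FIELD, name.encode()) + encode_field(2, size)
                con.execute("INSERT INTO item_properties VALUES (?, 'content-entry', ?)", (sid, entry))
            if data is not None:
                with open(os.path.join(cache, name), "wb") as f:
                    f.write(data)
    return db, cache

def demo():
    with tempfile.TemporaryDirectory() as root:
        db, cache = build_fixture(root)
        return map_content_cache(db, cache)
```

demo() returns one row per item that has a content-entry: report.pdf verifies, photo.jpg is flagged as a size mismatch (partial download), old.png has an entry but no file on disk (evicted), and cloud-only.docx never appears because the JOIN finds no content-entry row for it. Length-delimited values that still look like binary may be nested messages; pass them back through decode_protobuf() before deciding they are a hash.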
![](https://static.wixstatic.com/media/5fb032_66b2dde3678048e8938f9436c05e0d98~mv2.png/v1/fill/w_980,h_427,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_66b2dde3678048e8938f9436c05e0d98~mv2.png)
📌 Forensic Use:
✅ Link cached files to their original names & locations
✅ Recover hidden files no longer visible in Google Drive
✅ Extract additional forensic metadata (e.g., file hash, timestamps)
----------------------------------------------------------------------------------------------------------
5️⃣ File Type Identification Using Header Analysis
Since cached files lack extensions, we must identify their types using header analysis.
🔍 Common File Headers (Magic Numbers)
| File Type | Magic Number (Hex) |
|---|---|
| JPEG Image | FF D8 FF |
| PNG Image | 89 50 4E 47 0D 0A 1A 0A (`.PNG` followed by CR LF SUB LF) |
| PDF Document | 25 50 44 46 (`%PDF`) |
| ZIP Archive | 50 4B 03 04 (`PK`) |
📌 Tools for Header Analysis:
Hex Editors (HxD, WinHex)
Forensic Suites (Autopsy, FTK, EnCase)
📌 Forensic Use:
✅ Determine file type even without extensions
✅ Identify potentially malicious files (e.g., renamed executables)
✅ Cross-check file headers against known malware signatures
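Header identification scripted over a whole content_cache directory, as an added Python example (not the post's own code). It uses the signature table above and goes two steps further: MZ for the renamed executables the post warns about, and a look inside ZIP members to tell Office Open XML documents and JARs from plain archives (and to catch a ZIP whose header is present but whose central directory is not). The numbered sample files are constructed in a temporary directory, the way content_cache entries look: numeric names, no extensions.

```python
# Added example, not the post's code. Signatures are the magic numbers from the table above plus
# MZ for renamed Windows executables; the OOXML/JAR refinement and the sample cache are additions.
import hashlib
import os
import tempfile
import zipfile

SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),        # full 8-byte signature, not only 89 50 4E 47
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"PK\x05\x06", "ZIP archive (empty)"),
    (b"MZ", "Windows executable (MZ/PE)"),       # a renamed .exe/.dll hiding in the cache
]

def refine_zip(path):
    """DOCX/XLSX/PPTX and JAR files are ZIPs; peek at member names to say which."""
    try:
        with zipfile.ZipFile(path) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "ZIP archive (truncated or corrupt)"
    if "[Content_Types].xml" in names:
        for prefix, label in (("word/", "Word"), ("xl/", "Excel"), ("ppt/", "PowerPoint")):
            if any(n.startswith(prefix) for n in names):
                return f"{label} document (OOXML zip)"
    if "META-INF/MANIFEST.MF" in names:
        return "Java archive (JAR)"
    return "ZIP archive"

def identify(path):
    """Label a file from its leading bytes; 'unknown' when no signature matches."""
    with open(path, "rb") as f:
        head = f.read(8)
    if not head:
        return "empty file"
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return refine_zip(path) if label == "ZIP archive" else label
    return "unknown"

def scan_cache(cache_dir):
    """Type, size and SHA-256 for every file in a content_cache directory."""
    report = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):   # stream large cache files
                digest.update(chunk)
        report.append({"file": name, "type": identify(path),
                       "size": os.path.getsize(path), "sha256": digest.hexdigest()})
    return report

def build_sample_cache(root):
    """Constructed files shaped like content_cache entries (numeric names, no extensions)."""
    files = {
        "2001": b"\xff\xd8\xff\xe0\x00\x10JFIF fixture",
        "2002": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2003": b"%PDF-1.4 fixture",
        "2005": b"MZ\x90\x00 fixture",              # renamed executable
        "2006": b"PK\x03\x04 truncated",            # ZIP local header, no central directory
        "2007": b"",                                # zero-length (interrupted download)
        "2008": b"plain text, no signature",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "2004"), "w") as z:  # minimal OOXML-shaped .docx
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")

def demo():
    """Build the sample cache in a temp dir and return {cache filename: report row}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root)
        return {row["file"]: row for row in scan_cache(root)}
```

Point scan_cache() at the real content_cache path from section 3 to get a type, size and hash per cached file; the size and hash are what you compare against items.file_size and any hash recovered from the content-entry protobuf, and an MZ hit on a file whose local_title says .pdf or .jpg is the renamed-executable case worth escalating.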
----------------------------------------------------------------------------------------------------------
We will explore more about Google Drive in the next article (Automating Google Drive Forensics: Tools & Techniques), so stay tuned! See you in the next one.