![](https://static.wixstatic.com/media/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg)
Dropbox has long been a challenging cloud storage service to investigate due to encrypted databases, hidden caches, and complex storage mechanisms. However, recent changes in Dropbox’s architecture have introduced unencrypted metadata sources, making forensic analysis more effective.
🚀 Key Topics Covered:
✅ Locating and analyzing Dropbox metadata & configuration files.
✅ Recovering deleted files from cache and database records
✅ Investigating Dropbox sync activity and user file interactions
✅ Extracting evidence from SQLite databases & JSON logs
-------------------------------------------------------------------------------------------------------------
1️⃣ Locating Dropbox Artifacts on Windows
📌 Primary Dropbox Data Locations
| Artifact | Location | Purpose |
| --- | --- | --- |
| Local Dropbox Folder | %UserProfile%\Dropbox\ | Stores synced files |
| Configuration Files | %UserProfile%\AppData\Local\Dropbox\info.json | Contains Dropbox settings & sync path |
| Cache Folder | %UserProfile%\Dropbox\.dropbox.cache\ | Stores recently deleted & cloud-only files |
| Sync Databases | %UserProfile%\AppData\Local\Dropbox\instance1\ | Tracks file sync activity |
| Registry Keys | SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\Dropbox | Identifies sync location & settings |
📌 Forensic Use:
✅ Identify Dropbox usage even if uninstalled
✅ Recover deleted files from the cache folder
✅ Find local & cloud-only files
-------------------------------------------------------------------------------------------------------------
2️⃣ Extracting Dropbox Configuration Details
The info.json file, located at
%UserProfile%\AppData\Local\Dropbox\
stores:
✅ Sync folder path (customized storage location)
✅ Dropbox Team info (Enterprise accounts)
✅ Subscription type (Basic, Plus, Business, Enterprise)
📌 How to extract data:
1️⃣ Open the file with a JSON viewer
2️⃣ Search for path, is_team, and subscription_type fields
![](https://static.wixstatic.com/media/5fb032_39f0dace7a4043c99113f911fa3c39d2~mv2.png/v1/fill/w_980,h_763,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_39f0dace7a4043c99113f911fa3c39d2~mv2.png)
![](https://static.wixstatic.com/media/5fb032_3de04b9adb554e66bd51a561667dbfee~mv2.png/v1/fill/w_980,h_340,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_3de04b9adb554e66bd51a561667dbfee~mv2.png)
📌 Forensic Use:
✅ Verify Dropbox usage & account type
✅ Identify business accounts with enhanced logging
✅ Locate all synced files on disk
-------------------------------------------------------------------------------------------------------------
3️⃣ Recovering Deleted & Cloud-Only Files
🔍 The .dropbox.cache Folder
📍 Location:
%UserProfile%\Dropbox\.dropbox.cache\
![](https://static.wixstatic.com/media/5fb032_29c19aef7cc74bcb84581f09e4b0254d~mv2.png/v1/fill/w_980,h_358,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_29c19aef7cc74bcb84581f09e4b0254d~mv2.png)
🔍 Purpose:
✅ A hidden folder in the root of the user's Dropbox folder; it can contain copies of deleted files not yet purged from the local file store
✅ Caches cloud-only files accessed recently
✅ Cleared automatically every 3 days
📌 How to recover files:
1️⃣ Check file headers to identify file types
2️⃣ Use forensic tools (e.g., FTK Imager) to analyze deleted file remnants
3️⃣ Correlate timestamps with Dropbox logs to determine deletion events
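An added example (not part of the original article) of step 1: a Python sketch that walks an exported copy of .dropbox.cache and types each file by its leading bytes rather than by name or extension. The signature list, function names and sample files are constructed for illustration; run it against a copy that preserves timestamps so the modification times stay usable for step 3.

```python
import os
import tempfile
from datetime import datetime, timezone

# Well-known file signatures (magic bytes); extend the list as the case requires.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip container (docx/xlsx/pptx/zip)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy Office)"),
    (b"SQLite format 3\x00", "sqlite"),
]

def identify(header):
    """Return a type label for the leading bytes of a file."""
    return next((label for magic, label in SIGNATURES if header.startswith(magic)), "unknown")

def triage_cache(cache_root):
    """Walk an exported copy of .dropbox.cache and type each file by its header."""
    rows = []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                header = fh.read(16)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            rows.append({
                "path": os.path.relpath(full, cache_root),
                "type": identify(header),
                "size": os.path.getsize(full),
                "mtime_utc": mtime.isoformat(),
            })
    return sorted(rows, key=lambda r: r["path"])

def build_sample_cache(root):
    """Constructed sample data: extension-less items in one subfolder."""
    sub = os.path.join(root, "sample_day")
    os.makedirs(sub)
    samples = {"item_a": b"%PDF-1.7\n%constructed", "item_b": b"\xff\xd8\xff\xe0constructed",
               "item_c": b"plain text, no signature"}
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        print(*triage_cache(tmp), sep="\n")
```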
-------------------------------------------------------------------------------------------------------------
4️⃣ Investigating File Sync & Modification History
🔍 The aggregation.dbx Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\instance1\
✅ Tracks previous file updates to Dropbox storage
✅ Stores full path, timestamp, and user attribution
📌 Forensic Use:
✅ Identify files recently added or modified
✅ Snapshot table: Determine who edited the file (edited_by_me field)
✅ Recover deleted or renamed files
🛠 Parsing the Database:
1️⃣ Open with SQLite Viewer
2️⃣ Extract the recent table
3️⃣ Convert JSON entries for easy reading
-------------------------------------------------------------------------------------------------------------
5️⃣ Extracting File Metadata & Starred Items
🔍 The home.db Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\instance1\
![](https://static.wixstatic.com/media/5fb032_5960de0388684124ba3c57fa252a3ec3~mv2.png/v1/fill/w_980,h_462,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_5960de0388684124ba3c57fa252a3ec3~mv2.png)
![](https://static.wixstatic.com/media/5fb032_86103771952c47e4a72b1e1820335010~mv2.png/v1/fill/w_386,h_387,al_c,q_85,enc_auto/5fb032_86103771952c47e4a72b1e1820335010~mv2.png)
📌 Key Tables:
| Table | Field | Purpose |
| --- | --- | --- |
| recents | server_path, timestamp | Last updated files |
| starred_items | server_path, is_starred, timestamp | Files marked as "important" |
| sfj_resources | server_path, server_fetch_timestamp | Tracks last sync from cloud |
📌 Forensic Use:
✅ Track starred files (user-marked important files)
✅ Determine last synced files from the cloud
✅ Recover previous versions of files
-------------------------------------------------------------------------------------------------------------
6️⃣ Investigating Dropbox Sync History
🔍 The sync_history.db Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\instance1\
![](https://static.wixstatic.com/media/5fb032_ce78d02c3e8c4dd88d3e7f3f2dc3f532~mv2.png/v1/fill/w_980,h_467,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_ce78d02c3e8c4dd88d3e7f3f2dc3f532~mv2.png)
✅ Records uploads, downloads, deletions, and modifications
✅ Tracks changes made locally vs. changes from the cloud
![](https://static.wixstatic.com/media/5fb032_716a534e7e294633b01de8b28bcb5394~mv2.png/v1/fill/w_980,h_238,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_716a534e7e294633b01de8b28bcb5394~mv2.png)
📌 Key Fields in sync_history Table:
| Field | Purpose |
| --- | --- |
| file_event_type | Type of action (add, delete, edit) |
| direction | Upload = Local → Cloud, Download = Cloud → Local |
| local_path | Full file path |
| timestamp | Time of last activity |
| other_user | "1" indicates file owned by another user |
📌 Forensic Use:
✅ Identify if a file was deleted locally or via the cloud
✅ Track external file sharing & downloads
✅ Determine if files were modified before deletion
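An added example (not from the original article): a Python query over the sync_history table that labels each delete event as local or cloud-initiated from the direction field, and reports the last edit recorded for the same path before the deletion. The field names come from the table above; the stored values ('delete', 'edit', 'upload', 'download'), epoch-second timestamps and the sample rows are assumptions to verify against the real database.

```python
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Assumptions to verify on real data: direction holds 'upload'/'download',
# file_event_type holds 'add'/'delete'/'edit', timestamp is Unix epoch seconds.
ORIGIN = {"upload": "local", "download": "cloud"}

QUERY = """
SELECT d.local_path, d.direction, d.timestamp, d.other_user,
  (SELECT MAX(e.timestamp) FROM sync_history e
    WHERE e.local_path = d.local_path AND e.file_event_type = 'edit'
      AND e.timestamp <= d.timestamp) AS last_edit
FROM sync_history d WHERE d.file_event_type = 'delete' ORDER BY d.timestamp
"""

def open_readonly(db_path):
    """Open a working copy of sync_history.db; mode=ro makes SQLite refuse writes."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def deletion_report(conn):
    """One dict per delete event: where it originated and the last prior edit."""
    return [{
        "local_path": path,
        "deleted_utc": utc(ts),
        "origin": ORIGIN.get(direction, "unknown"),
        "other_user": str(other_user) == "1",
        "last_edit_utc": utc(last_edit) if last_edit is not None else None,
    } for path, direction, ts, other_user, last_edit in conn.execute(QUERY)]

def build_sample_db():
    """Constructed sample rows using the field names from the table above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sync_history (file_event_type TEXT, direction TEXT,"
                 " local_path TEXT, timestamp INTEGER, other_user INTEGER)")
    conn.executemany("INSERT INTO sync_history VALUES (?,?,?,?,?)", [
        ("add", "upload", r"C:\Users\test\Dropbox\plan.docx", 1700000000, 0),
        ("edit", "upload", r"C:\Users\test\Dropbox\plan.docx", 1700003600, 0),
        ("delete", "upload", r"C:\Users\test\Dropbox\plan.docx", 1700007200, 0),
        ("add", "download", r"C:\Users\test\Dropbox\shared.pdf", 1700010000, 1),
        ("delete", "download", r"C:\Users\test\Dropbox\shared.pdf", 1700020000, 1),
    ])
    return conn

if __name__ == "__main__":
    print(*deletion_report(build_sample_db()), sep="\n")
```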
-------------------------------------------------------------------------------------------------------------
7️⃣ Recovering Hidden Dropbox Files
🔍 The nucleus.sqlite3 Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\instance1\sync
![](https://static.wixstatic.com/media/5fb032_fbaadbc8dbfc474091c0a0fcf9fad7f4~mv2.png/v1/fill/w_980,h_201,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_fbaadbc8dbfc474091c0a0fcf9fad7f4~mv2.png)
✅ Stores names of local & cloud-only files
✅ Tracks synced & unsynced files
📌 Key Tables:
| Table | Field | Purpose |
| --- | --- | --- |
| local_tree | value | Files currently synced locally |
| synced_tree | value | Mirrors local_tree but with extra metadata |
| remote_tree | value | Tracks cloud-only files (not synced) |
📌 Forensic Use:
✅ Identify files stored only in the cloud
✅ Recover filenames of deleted cloud files
✅ Determine the last known location of missing files
-------------------------------------------------------------------------------------------------------------
8️⃣ Extracting Thumbnails of Deleted Dropbox Images
🔍 The tray-thumbnails.db Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\machine_storage
![](https://static.wixstatic.com/media/5fb032_4fcc199809df4be4bd29e4e3b2fef31f~mv2.png/v1/fill/w_980,h_98,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_4fcc199809df4be4bd29e4e3b2fef31f~mv2.png)
✅ Stores references to image files once present in Dropbox
✅ Includes metadata on deleted images
📌 Key Fields:
| Field | Purpose |
| --- | --- |
| file_name | Name of the image file |
| timestamp | Time the thumbnail was created |
📌 Forensic Use:
✅ Recover filenames of deleted images
✅ Identify when images were last accessed or modified
✅ Correlate with file sync logs for evidence reconstruction
-------------------------------------------------------------------------------------------------------------
Extracting Icon Information
🔍 The icon.db Database
📍 Location:
%UserProfile%\AppData\Local\Dropbox\instance1\
![](https://static.wixstatic.com/media/5fb032_1742b431988545a4bd110959f2fe69bd~mv2.png/v1/fill/w_980,h_343,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_1742b431988545a4bd110959f2fe69bd~mv2.png)
✅ Stores generated icon information, including full file paths.
📌 Key Fields:
| Field | Purpose |
| --- | --- |
| file_name | Full file path |
| created_time | Likely the creation time of the icon, not the time an item was added to the store (Unix epoch time) |
-------------------------------------------------------------------------------------------------------------
9️⃣ Investigating Dropbox Enterprise & Team Accounts
🔍 Dropbox Business & Enterprise Accounts offer extended logging and audit trails.
✅ Tracks file sharing, modifications, deletions
✅ Identifies file downloads & external access
📌 Forensic Use:
✅ Monitor suspicious file transfers within teams
✅ Track shared links & external file access
✅ Recover deleted files from extended retention policies
🛠 How to Access Dropbox Business Logs:
1️⃣ Log in to the Dropbox Admin Console
2️⃣ Navigate to Reports > Activity Logs
3️⃣ Filter logs by event type (file downloaded, shared, deleted, etc.)
4️⃣ Export logs in CSV format for offline analysis
-------------------------------------------------------------------------------------------------------------
🔎 Summary & Forensic Workflow
✅ Step 1: Identify Dropbox installation (check info.json, registry keys, and instance1 folder).
✅ Step 2: Extract file metadata (home.db, aggregation.dbx).
✅ Step 3: Recover deleted files (.dropbox.cache, sync_history.db).
✅ Step 4: Track cloud-only & unsynced files (nucleus.sqlite3).
✅ Step 5: Track icon information (icon.db).
✅ Step 6: Analyze Dropbox Business logs for enterprise investigations.
We will explore more about Dropbox in the next article (Dropbox Forensic Investigations: Logs, Activity Tracking, and External Sharing), so stay tuned! See you in the next one.