![](https://static.wixstatic.com/media/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_d646b2293d8645a797b153ffb885e800~mv2.jpg)
Google Drive is one of the most widely used cloud storage services, integrated seamlessly with Gmail, Google Workspace (G Suite), and Android devices. With over one billion users, it presents unique forensic challenges due to its virtual filesystem, cloud-only storage model, and metadata structures.
-------------------------------------------------------------------------------------------------------------
1️⃣ Understanding Google Drive for Desktop
The Google Drive for Desktop application (previously called Google File Stream) operates as a virtual FAT32 filesystem, appearing as a separate drive letter (e.g., G:\ or H:\).
![](https://static.wixstatic.com/media/5fb032_88ae80086a32472b938c65e27bec55ae~mv2.png/v1/fill/w_698,h_240,al_c,q_85,enc_auto/5fb032_88ae80086a32472b938c65e27bec55ae~mv2.png)
🔹 Key Forensic Challenges
✅ Cloud-Only Files: Many files exist only in the cloud and never touch local storage.
✅ Virtual Drive: The mounted Google Drive folder disappears after logout, making live acquisition critical.
✅ Unique Metadata: File information is stored in SQLite databases and protocol buffer (protobuf) formats.
-------------------------------------------------------------------------------------------------------------
2️⃣ Identifying Google Drive Activity on a System
📌 Key File Locations for Google Drive Artifacts
| Artifact | Location |
| --- | --- |
| Google Drive Local Storage | %UserProfile%\Google Drive\ (if offline sync is enabled) |
| Metadata Database | %UserProfile%\AppData\Local\Google\DriveFS\<account ID>\metadata_sqlite_db |
| File Cache (Locally Stored Files); this folder can be used to recover original files stored in the cloud | %UserProfile%\AppData\Local\Google\DriveFS\<account ID>\content_cache\ |
| Registry Keys (tracking the mounted drive letter) | NTUSER\Software\Google\DriveFS\Share |
| Google Workspace Cloud Logs | Google Workspace Admin Reports (for business users) |
📌 Note: The <account ID> folder is unique for each Google Drive account and corresponds to Google Chrome profile IDs.
-------------------------------------------------------------------------------------------------------------
3️⃣ Investigating Google Drive Registry Keys
Registry keys help confirm if Google Drive was installed, used, and what drive letter was assigned.
📍 Registry Key for Google Drive for Desktop:
NTUSER\Software\Google\DriveFS\Share
| Value | Description |
| --- | --- |
| SyncTargets | Tracks assigned drive letter and Google account ID (hex format) |
| MountPoint (Older Versions) | Path where Google Drive was mounted on older File Stream versions |
![](https://static.wixstatic.com/media/5fb032_04e07d5671884ef2b1bf55dfa88785cb~mv2.png/v1/fill/w_980,h_305,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_04e07d5671884ef2b1bf55dfa88785cb~mv2.png)
💡 Forensic Use:
Identify if Google Drive was installed and used.
Determine the drive letter Google Drive was mapped to.
Cross-reference with Windows shell items, RecentDocs, and prefetch files to track activity.
-------------------------------------------------------------------------------------------------------------
4️⃣ Metadata & File Forensics in Google Drive for Desktop
The primary forensic database for Google Drive is stored in SQLite format and contains file details, ownership metadata, timestamps, and deletion status.
📍 Metadata Database Location:
%UserProfile%\AppData\Local\Google\DriveFS\<account ID>\metadata_sqlite_db
![](https://static.wixstatic.com/media/5fb032_fe844dc7cfef41d3b7c94a9e66442685~mv2.png/v1/fill/w_980,h_664,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_fe844dc7cfef41d3b7c94a9e66442685~mv2.png)
📌 Database Tables of Interest
🔹 Table: items (Tracks Google Drive Files & Folders)
![](https://static.wixstatic.com/media/5fb032_8f76e65896434c1e98cd17a25357ba11~mv2.png/v1/fill/w_980,h_182,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_8f76e65896434c1e98cd17a25357ba11~mv2.png)
| Column | Description |
| --- | --- |
| stable_id | Unique file identifier |
| id | Cloud file identifier (can be cross-referenced with Google Drive URLs & audit logs) |
| trashed | Indicates if file is in Google Drive Trash (1 = Yes) |
| is_owner | Shows if the user owns the file (1 = Yes) |
| is_folder | Differentiates between files (0) and folders (1) |
| local_title | Actual file name |
| file_size | Size of the file in bytes |
| modified_date | Last modified time (Unix Epoch format) |
| viewed_by_me_date | Last time user interacted with file |
| shared_with_me_date | Indicates if file was shared (1 = Yes) |
| proto | Binary data containing MD5 file hash (stored in protocol buffer format) |
📌 Forensic Use:
✅ Identify files that were deleted (trashed = 1).
✅ Correlate viewed_by_me_date with user activity to determine last access.
✅ Recover shared files & owners from shared_with_me_date.
✅ Extract MD5 hashes from proto column to match files with known malware databases.
-------------------------------------------------------------------------------------------------------------
5️⃣ Investigating Cached Files & Deleted Data
Google Drive maintains locally cached files in the following location:
📍 Cache Folder:
%UserProfile%\AppData\Local\Google\DriveFS\<account ID>\content_cache\
![](https://static.wixstatic.com/media/5fb032_1355881d705a43d59ed9cd8841ece3d6~mv2.png/v1/fill/w_980,h_505,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_1355881d705a43d59ed9cd8841ece3d6~mv2.png)
These temporary files may persist even after deletion from the cloud.
If a file was opened but not saved, it might still exist in cache.
Cached files lack original filenames but can be matched via metadata.
🔹 Table: item_properties (Tracks Cached & Deleted Files)
![](https://static.wixstatic.com/media/5fb032_267e117a39494bd98328f4cc6b6f560d~mv2.png/v1/fill/w_980,h_244,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_267e117a39494bd98328f4cc6b6f560d~mv2.png)
The following are the keys you can search for in the key field of item_properties:
| Key | Description |
| --- | --- |
| pinned | Indicates if file was stored offline (1 = Yes) |
| trashed_locally | |
| trashed_locally_name | Original name of locally deleted file (found in $Recycle.Bin) |
| content-entry | Confirms that the file is locally cached |
| drivefs.Zone.Identifier | Provides file origin details (useful for identifying downloads) |
| version-counter | Tracks file modifications & revisions |
| Modified-date | Modification time of the file reported from the local filesystem |
| Local-title | Name of file or folder |
![](https://static.wixstatic.com/media/5fb032_66b2dde3678048e8938f9436c05e0d98~mv2.png/v1/fill/w_980,h_427,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_66b2dde3678048e8938f9436c05e0d98~mv2.png)
📌 Forensic Use:
✅ Recover files that were deleted but still present in cache.
✅ Identify files that were deleted locally but still exist in Google Drive Trash.
✅ Determine if files were downloaded from external sources (drivefs.Zone.Identifier).
🔍 Tools for Parsing Google Drive Databases:
DB Browser for SQLite
protobuf-decoder
Google Drive API
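As an added example (not code from the article), the queries below run against a small in-memory SQLite database constructed to mirror the items and item_properties columns described in sections 4 and 5; the exact column set, the key/value layout of item_properties, and every sample row are assumptions, so adapt the SELECT statements to the schema of the real metadata_sqlite_db before use.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: only the columns the article lists, with item_properties
# modelled as key/value rows; the real DriveFS schema is assumed to differ.
SCHEMA = """
CREATE TABLE items (stable_id INTEGER PRIMARY KEY, id TEXT, trashed INTEGER,
    is_owner INTEGER, is_folder INTEGER, local_title TEXT, file_size INTEGER,
    modified_date INTEGER, viewed_by_me_date INTEGER);
CREATE TABLE item_properties (item_stable_id INTEGER, prop_key TEXT, prop_value TEXT);
"""
# Constructed sample rows; file IDs and timestamps are made up for the demo.
ITEMS = [
    (1, "1AbCdEfGhIjK", 0, 1, 0, "Q3-budget.xlsx", 48213, 1700000000, 1700003600),
    (2, "2LmNoPqRsTuV", 1, 1, 0, "old-notes.docx", 1024, 1690000000, 1690000000),
    (3, "3WxYzAbCdEfG", 0, 0, 0, "shared-report.pdf", 204800, 1695000000000, 1699999000),
    (4, "4FolderIdXyz", 0, 1, 1, "Projects", 0, 1680000000, 1680000000),
]
PROPS = [
    (1, "content-entry", "1"), (1, "pinned", "1"),
    (2, "trashed_locally", "1"), (2, "trashed_locally_name", "old-notes.docx"),
    (3, "content-entry", "1"), (3, "drivefs.Zone.Identifier", "[ZoneTransfer]\r\nZoneId=3"),
]

def build_sample_db():
    """Return an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO items VALUES (?,?,?,?,?,?,?,?,?)", ITEMS)
    conn.executemany("INSERT INTO item_properties VALUES (?,?,?)", PROPS)
    return conn

def epoch_to_iso(ts):
    """Render an epoch value as UTC; 13-digit values are assumed to be milliseconds."""
    if ts > 10**11:
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def trashed_files(conn):
    """Files (not folders) in Google Drive Trash, with the cloud id for log correlation."""
    rows = conn.execute("SELECT local_title, id, modified_date FROM items "
                        "WHERE trashed = 1 AND is_folder = 0").fetchall()
    return [(title, cloud_id, epoch_to_iso(mtime)) for title, cloud_id, mtime in rows]

def items_with_property(conn, key):
    """Titles of items carrying a given item_properties key, e.g. content-entry."""
    return [row[0] for row in conn.execute(
        "SELECT i.local_title FROM items i JOIN item_properties p "
        "ON p.item_stable_id = i.stable_id WHERE p.prop_key = ? ORDER BY i.stable_id", (key,))]
```

The millisecond check in epoch_to_iso is a practical guard: if the database you parse stores 13-digit values, the naive seconds interpretation would place every timestamp thousands of years in the future.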
-------------------------------------------------------------------------------------------------------------
6️⃣ Investigating Google Drive Cloud Logs (Google Workspace Only)
For Google Workspace (G Suite) users, cloud logs provide detailed file access records, including:
✅ Uploads, downloads, file deletions, and sharing events
✅ User email, IP address, timestamps, and file actions
✅ Cross-referencing file IDs with forensic artifacts
📍 Google Workspace Audit Log Location:
Google Workspace Admin Console → Reports → Audit → Drive Audit Log
📌 Key Audit Events:
| Event Name | Description |
| --- | --- |
| File Edited | Logs file modifications |
| File Deleted | Tracks deleted files (even if removed from Trash) |
| File Downloaded | Identifies files copied to another device |
| File Uploaded | Captures new files added to Google Drive |
| File Shared | Tracks when files are shared externally |
| File Unshared | Logs when shared access is removed |
💡 Forensic Use:
Identify stolen data by tracking downloads and external shares.
Recover deleted file information using file IDs from forensic artifacts.
Monitor insider threats by analyzing suspicious access patterns.
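Added example, not from the article: a small triage pass over constructed Drive audit records laid out like the Admin Reports API activity export (the field names id.time, actor.email, ipAddress, events[].name and the download/change_user_access event names are assumptions to verify against a real export). It flags downloads, shares to accounts outside the organisation, and actions from unexpected source IPs, then groups the findings by doc_id so they can be matched against the id column of metadata_sqlite_db.

```python
from collections import defaultdict
ORG_DOMAIN = "example.com"

# Constructed sample records in the shape of Admin Reports API "drive" activities;
# the field and event names used here are assumptions to verify against a real export.
SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-03-01T09:12:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.5", "events": [{"name": "download", "parameters": [
         {"name": "doc_id", "value": "1AbCdEfGhIjK"}, {"name": "doc_title", "value": "Q3-budget.xlsx"}]}]},
    {"id": {"time": "2024-03-01T09:15:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "203.0.113.5", "events": [{"name": "change_user_access", "parameters": [
         {"name": "doc_id", "value": "1AbCdEfGhIjK"}, {"name": "doc_title", "value": "Q3-budget.xlsx"},
         {"name": "target_user", "value": "someone@gmail.example"}]}]},
    {"id": {"time": "2024-03-01T10:00:00Z"}, "actor": {"email": "bob@example.com"},
     "ipAddress": "198.51.100.7", "events": [{"name": "edit", "parameters": [
         {"name": "doc_id", "value": "3WxYzAbCdEfG"}, {"name": "doc_title", "value": "shared-report.pdf"}]}]},
    {"id": {"time": "2024-03-02T02:30:00Z"}, "actor": {"email": "alice@example.com"},
     "ipAddress": "192.0.2.44", "events": [{"name": "delete", "parameters": [
         {"name": "doc_id", "value": "2LmNoPqRsTuV"}, {"name": "doc_title", "value": "old-notes.docx"}]}]},
]

def params(event):
    """Flatten an event's parameter list into a dict (single-valued parameters only)."""
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}

def triage_activities(activities, org_domain=ORG_DOMAIN, known_ips=None):
    """Flag downloads, shares to non-org accounts and, if known_ips is given, unexpected IPs."""
    findings = []
    for rec in activities:
        actor, ip, when = rec["actor"]["email"], rec.get("ipAddress"), rec["id"]["time"]
        for ev in rec["events"]:
            p = params(ev)
            target = p.get("target_user", "")
            reasons = []
            if ev["name"] == "download":
                reasons.append("download")
            if ev["name"] == "change_user_access" and not target.endswith("@" + org_domain):
                reasons.append("shared externally to " + target)
            if known_ips is not None and ip not in known_ips:
                reasons.append("unexpected source IP")
            for reason in reasons:
                findings.append((when, actor, ip, p.get("doc_id"), p.get("doc_title"), reason))
    return findings

def by_doc_id(findings):
    """Group reasons by cloud file ID for matching against items.id in metadata_sqlite_db."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding[3]].append(finding[5])
    return dict(grouped)
```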
-------------------------------------------------------------------------------------------------------------
7️⃣ Forensic Workflow: Investigating Google Drive for Desktop
🔹 Step 1: Identify Google Drive Usage on the System
Check registry keys (NTUSER\Software\Google\DriveFS\Share).
Identify Google Drive mount point & assigned drive letter.
🔹 Step 2: Extract Metadata & File Listings
Parse metadata_sqlite_db to list all Google Drive files, including cloud-only files.
Check item_properties for cached & deleted files.
🔹 Step 3: Recover Locally Stored or Deleted Files
Extract locally cached files from content_cache.
Look for deleted files in $Recycle.Bin and Google Drive Trash.
🔹 Step 4: Investigate External Sharing & Data Exfiltration
Cross-reference file IDs with Google Workspace Admin logs.
Track file downloads & sharing events to detect data leaks.
🔹 Step 5: Correlate with Other Forensic Artifacts
Compare Google Drive activity with browser history, Windows Event Logs, and Prefetch data.
Look for unauthorized access from unusual IP addresses.
-------------------------------------------------------------------------------------------------------------
We will explore more about Google Drive in the next article (Decoding Google Drive's Protocol Buffers and Investigating Cached Files), so stay tuned! See you in the next one.
Dean