Microsoft OneDrive for Business is a powerful enterprise cloud storage solution, distinct from the personal OneDrive available by default on Windows. With Microsoft 365 integration, extensive logging, and advanced security controls, it provides rich forensic opportunities for investigators.
🔹 Why Investigate OneDrive for Business?
✅ Tracks file uploads, downloads, deletions, and modifications
✅ Stores detailed metadata for all synchronized files
✅ Keeps 90 days of Unified Audit Logs (UAL) with granular user activity
✅ Logs file sharing events, including external access
🚀 Let’s dive into forensic artifacts, registry keys, logs, and the powerful Microsoft 365 Unified Audit Log (UAL).
-----------------------------------------------------------------------------------------------------
1️⃣ Identifying OneDrive for Business on a System
Unlike personal OneDrive, OneDrive for Business requires authentication with a Microsoft 365 account. A single system can sync:
✅ One personal OneDrive account
✅ Up to nine OneDrive for Business accounts
📌 Key File Locations for OneDrive for Business
| Artifact | Location |
| --- | --- |
| Synchronized Files | %UserProfile%\OneDrive - <CompanyName>\ |
| Sync Metadata | %UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Business1\SyncEngineDatabase.db |
| Sync Logs | %UserProfile%\AppData\Local\Microsoft\OneDrive\logs\Business1\ |
| Audit Logs (Cloud-based) | Microsoft 365 Unified Audit Log |
📌 Note: If multiple OneDrive for Business accounts exist, folders and settings will be named Business2, Business3, etc.
----------------------------------------------------------------------------------------------------------
2️⃣ Investigating OneDrive for Business Registry Keys
Forensic investigators must audit registry keys to determine:
✅ The existence of OneDrive for Business accounts
✅ User authentication details (email, last sign-in time, account names)
✅ The actual sync folder location (which may differ from default)
📍 Registry Keys for OneDrive for Business:
NTUSER\Software\Microsoft\OneDrive\Accounts\Business1
| Value | Description |
| --- | --- |
| UserFolder | Path to OneDrive for Business local storage |
| UserEmail | Microsoft 365 account email |
| UserName | Name of the user tied to the account |
| LastSignInTime | Last authentication timestamp (Unix Epoch) |
| ClientFirstSignInTimestamp | Timestamp of first authentication |
| SPOResourceID | SharePoint URL linked to OneDrive for Business |
📌 Key Insight: SPOResourceID confirms SharePoint integration, as OneDrive for Business leverages SharePoint for storage and sharing.
🔍 Tracking Shared Folders & External Sources:
NTUSER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants
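The registry review described in this section can be done offline from a .reg export of the Accounts key rather than on the live system. The script below is an added example, not code from the original article: it parses a constructed .reg export containing two BusinessN keys, decodes LastSignInTime as the Unix epoch value the table describes, and flags a sync folder whose name does not follow the default "OneDrive - <CompanyName>" pattern. The account names, e-mails, paths and timestamps in SAMPLE_REG are constructed for illustration.

```python
"""Offline triage of exported OneDrive for Business account keys.

Added example (not part of the original article). Assumes the investigator exported
HKCU\\Software\\Microsoft\\OneDrive\\Accounts (for example with reg.exe export, or by
loading the user's NTUSER hive) and wants to review it without the live system.
"""
import re
from datetime import datetime, timezone

# Constructed .reg export: Business1 uses the default folder layout, Business2 was
# redirected to a non-default path and belongs to a second tenant.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1]
"UserFolder"="C:\\Users\\alice\\OneDrive - Contoso"
"UserEmail"="alice@contoso.com"
"UserName"="Alice Example"
"LastSignInTime"=dword:6553f100
"SPOResourceID"="https://contoso-my.sharepoint.com/personal/alice_contoso_com"

[HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants]

[HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Business2]
"UserFolder"="D:\\stash\\work"
"UserEmail"="alice@fabrikam.example"
"UserName"="Alice Example"
"LastSignInTime"=dword:65f1a2b0
"SPOResourceID"="https://fabrikam-my.sharepoint.com/personal/alice_fabrikam_example"
'''

# Only the BusinessN keys themselves; subkeys such as Tenants are skipped.
ACCOUNT_KEY = re.compile(r"^\[.*\\OneDrive\\Accounts\\(Business\d+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode(raw):
    """Decode a .reg value: quoted REG_SZ (with \\ and \" escapes) or dword:hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # other types (hex:, qword:) are kept verbatim


def parse_reg_export(text):
    """Return {'Business1': {value_name: decoded_value, ...}, ...}."""
    accounts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ACCOUNT_KEY.match(line)
        if m:
            current = accounts.setdefault(m.group(1), {})
            continue
        if line.startswith("["):
            current = None  # some other key (e.g. a Tenants subkey)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode(m.group(2))
    return accounts


def triage_accounts(accounts):
    """Summarise each account and flag non-default sync folder names."""
    rows = []
    for name, vals in sorted(accounts.items()):
        folder = vals.get("UserFolder", "")
        leaf = folder.rstrip("\\").split("\\")[-1]
        ts = vals.get("LastSignInTime")
        rows.append({
            "account": name,
            "email": vals.get("UserEmail"),
            "folder": folder,
            # Default layout is "OneDrive - <CompanyName>" under the user profile.
            "default_folder_name": leaf.startswith("OneDrive - "),
            # LastSignInTime is a Unix epoch (seconds), rendered as UTC ISO-8601.
            "last_sign_in_utc": (datetime.fromtimestamp(ts, timezone.utc).isoformat()
                                 if isinstance(ts, int) else None),
            "sharepoint": vals.get("SPOResourceID"),
        })
    return rows


if __name__ == "__main__":
    for row in triage_accounts(parse_reg_export(SAMPLE_REG)):
        print(row)
```

A folder flagged as non-default is worth checking against the synchronized-files location from section 1, since it is where the locally cached copies actually live; the Tenants subkey is listed here only to show that the parser ignores it.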
----------------------------------------------------------------------------------------------------------
3️⃣ OneDrive for Business Sync Logs & Metadata Analysis
Analysing sync logs and metadata for OneDrive for Business follows the same approach as for a personal OneDrive account, using the Business1 (Business2, ...) paths listed in section 1, so it is not repeated here. See the earlier article in this series:
Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization
Part 3 of that article: 3️⃣ Investigating Cloud-Only Files Using OneDrive Sync Database
----------------------------------------------------------------------------------------------------------
4️⃣ Microsoft 365 Unified Audit Logs (UAL) for OneDrive Business
OneDrive for Business integrates with Microsoft 365 Unified Audit Logs (UAL), providing detailed forensic tracking of user activity for 90 days.
📍 Accessing UAL Logs:
Microsoft 365 Security & Compliance Center
PowerShell (Search-UnifiedAuditLog)
Microsoft Graph API
📌 Key UAL Events for OneDrive Investigations:
| Event Name | Description |
| --- | --- |
| FileAccessed | Tracks file views (noisy, consider FileAccessedExtended) |
| FileModified | Tracks file edits (use FileModifiedExtended for fewer entries) |
| FileDeleted | Tracks file deletions |
| FileDeletedFirstStageRecycleBin | Identifies files moved to the OneDrive Recycle Bin |
| FileDeletedSecondStageRecycleBin | Identifies permanently deleted files |
| FileDownloaded | Tracks files downloaded from OneDrive/SharePoint |
| AnonymousLinkCreated | Tracks externally shared files (links sent outside the organization) |
| FileSyncUploadedFull | Logs full file uploads |
| FileSyncDownloadedFull | Logs full file downloads |
💡 Forensic Use:
Identify suspicious file downloads and deletions.
Track data exfiltration via external sharing (AnonymousLinkCreated).
Correlate file access patterns to suspicious login activity.
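The three forensic uses above can be scripted over an export of the UAL. The script below is an added example, not code from the original article: it assumes the records were collected with Search-UnifiedAuditLog (or the Graph API) and that each record's AuditData JSON was saved one per line (NDJSON). It flags the high-risk operations from the table (AnonymousLinkCreated, FileDeletedSecondStageRecycleBin), detects a burst of downloads, and correlates OneDrive activity with UserLoggedIn events by client IP. The events in SAMPLE_UAL are constructed; the field names (CreationTime, Operation, UserId, ClientIP, Workload, ObjectId) follow the UAL common schema, and the download threshold and window are illustrative analyst choices, not Microsoft defaults.

```python
"""Triage exported Unified Audit Log (UAL) records for a OneDrive investigation.

Added example (not part of the original article). Input is NDJSON: one AuditData
JSON object per line, as saved from Search-UnifiedAuditLog output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

_ALICE = "https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/"
_BOB = "https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/"


def _rec(ts, op, user, ip, obj, workload="OneDrive"):
    """Build one constructed AuditData record as a JSON line."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "ClientIP": ip, "Workload": workload, "ObjectId": obj})


# Constructed sample export: a normal morning session, then an evening session from a
# different IP that bulk-downloads, shares anonymously and purges a file, plus a sync
# upload by a second user with no login event anywhere in the export.
SAMPLE_UAL = "\n".join([
    _rec("2024-03-13T08:01:10", "UserLoggedIn", "alice@contoso.com", "203.0.113.10", "Unknown", "AzureActiveDirectory"),
    _rec("2024-03-13T08:05:00", "FileAccessed", "alice@contoso.com", "203.0.113.10", _ALICE + "plan.docx"),
    _rec("2024-03-13T22:10:00", "UserLoggedIn", "alice@contoso.com", "198.51.100.77", "Unknown", "AzureActiveDirectory"),
    _rec("2024-03-13T22:11:00", "FileDownloaded", "alice@contoso.com", "198.51.100.77", _ALICE + "q1-financials.xlsx"),
    _rec("2024-03-13T22:11:30", "FileDownloaded", "alice@contoso.com", "198.51.100.77", _ALICE + "customers.csv"),
    _rec("2024-03-13T22:12:00", "FileDownloaded", "alice@contoso.com", "198.51.100.77", _ALICE + "contracts.zip"),
    _rec("2024-03-13T22:15:00", "AnonymousLinkCreated", "alice@contoso.com", "198.51.100.77", _ALICE + "q1-financials.xlsx"),
    _rec("2024-03-13T22:20:00", "FileDeletedSecondStageRecycleBin", "alice@contoso.com", "198.51.100.77", _ALICE + "q1-financials.xlsx"),
    _rec("2024-03-13T23:30:00", "FileSyncUploadedFull", "bob@contoso.com", "192.0.2.5", _BOB + "notes.txt"),
])

HIGH_RISK = {
    "AnonymousLinkCreated": "external_share",                 # anyone-with-the-link access
    "FileDeletedSecondStageRecycleBin": "permanent_delete",   # gone from both recycle bins
}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}


def parse_ual(ndjson):
    """Parse NDJSON AuditData records and return them in chronological order."""
    records = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_ts"])


def triage(records, bulk_threshold=3, window=timedelta(minutes=10)):
    """Return findings: high-risk operations, download bursts, and OneDrive activity
    from an IP with no earlier UserLoggedIn for that user in the export. The last check
    is a heuristic: a sync client refreshing a token may show no interactive login."""
    findings = []
    login_ips = defaultdict(set)         # user -> IPs seen in UserLoggedIn events
    recent_downloads = defaultdict(list)  # user -> download timestamps inside the window

    def flag(r, reason):
        findings.append({"time": r["CreationTime"], "user": r["UserId"],
                         "ip": r.get("ClientIP"), "op": r["Operation"],
                         "reason": reason, "object": r["ObjectId"]})

    for r in records:
        user, op, ip = r["UserId"], r["Operation"], r.get("ClientIP")
        if op == "UserLoggedIn":
            login_ips[user].add(ip)
            continue
        if r.get("Workload") != "OneDrive":
            continue
        if op in HIGH_RISK:
            flag(r, HIGH_RISK[op])
        if op in DOWNLOAD_OPS:
            ts = r["_ts"]
            recent = [t for t in recent_downloads[user] if ts - t <= window] + [ts]
            recent_downloads[user] = recent
            if len(recent) == bulk_threshold:  # fire once when the burst reaches the threshold
                flag(r, "bulk_download")
        if ip and ip not in login_ips[user]:
            flag(r, "no_login_for_ip")
    return findings


if __name__ == "__main__":
    for f in triage(parse_ual(SAMPLE_UAL)):
        print(f"{f['time']} {f['user']:<20} {f['ip']:<15} {f['op']:<34} {f['reason']:<16} {f['object']}")
```

The bulk-download rule fires on the third download inside the window, so the first two downloads in a burst are reported only through that one finding; raise the threshold or widen the window to fit the tenant's normal activity. FileAccessed records are parsed but not flagged, which matches the table's warning that they are noisy.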
----------------------------------------------------------------------------------------------------------
5️⃣ Investigating External File Sharing & Data Exfiltration
Investigating file sharing and data exfiltration for OneDrive for Business follows the same approach as for a personal OneDrive account, with the UAL events from section 4 (in particular AnonymousLinkCreated and FileDownloaded) as the cloud-side evidence, so it is not repeated here. See the earlier article in this series:
Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization
Part 5 of that article: 5️⃣ Tracking Shared Files & External Data Sources
----------------------------------------------------------------------------------------------------------
Final Thoughts: OneDrive for Business Forensics is a Goldmine for Investigators
🚀 Next Up: Google Drive for desktop: Investigating Enterprise Cloud Storage Activity 🔍
-------------------------------------------Dean-------------------------------------------------------