Cloud-based services have been one of the biggest trends in IT over the past decade, and file sharing/sync is among the most popular applications of them. These applications are widely used in organizations and companies, sometimes with official sanction and sometimes not. Either way, there are security concerns and implications, including insider data theft, intruder data exfiltration, and accidental over-sharing. The client apps leave behind various records of files added, deleted, updated, downloaded, etc., which can assist with investigating incidents.
The talk will cover the forensic artifacts associated with a number of popular file sharing/sync services and what can be determined from them. I will also be demonstrating Unbox, a set of Python scripts that search Windows-based computers for artifacts associated with cloud-based file sharing/sync services and create a timeline analysis of events associated with these services.