Logo
RSS Feed

⛅️ Cloud Storage


Created: 12.10.2020

Windows

For OneDrive the most useful artifacts are stored locally. If you get access to the account online - may see the deleted items and their versions. C:\Users\%Username%\AppData\Local\Microsoft\OneDrive\logs. This folder contains Personal and Common. Neither has anything of particular interest, but may be an indicator, that the software was used.

⚠️ Business version of OneDrive adds a few lines of code to the start of every doc, thus MD5 hashes will differ.

DropBox is another tool for storing content online and sharing it: C:\Users\%Username%\AppData\Local\Microsoft\Dropbox. The most interesting files are filecache.db (not deleted files and folders, encrypted by default) and sigstore.db (how large the file is). Use 🛠 Magnet Dropbox Decryptor to get the contents of the filecache.db. It also uses config.db containing user email and the most recently changed files. Deleted files are not kept locally. For free accounts they are kept online for 30 days, for pros - forever.

macOS

/Users/%username%/Library/Application Support/iCloud/Account
/Users/%username%/Library/Application Support/CloudDocs/session/db/

AWS

For example, handling a data disclosure incident from an Amazon S3 bucket involves API calls to retrieve the bucket’s policy, analyzing the S3 access logs, and possibly looking at AWS CloudTrail logs. In this example, your investigation is unlikely to involve data forensic tools or network traffic analysis tools.

Logs and Monitors (AWS offers a bunch of services for that) + OS logs + App logs + TI + billing activity + someone noticed + AWS support + Partnet tools.

Security Hub. Centralized logging solution and Amazon Athena to analyse.

https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/cloud-security-incidents.html