As the world continues to adopt the use of cloud storage and make it a part of everyday use in personal and professional settings, you should be aware of the forensic artifacts and logs available for review. In this article I’ll cover the forensic data you can review for Google Drive.
Google Drive Application
In mid 2021, Google started to roll out “Google Drive for Desktop” which merged the “Backup and Sync” and “File Stream” versions of Google Drive. This has significantly changed the artifacts available for the Google Drive application and I may cover those artifacts in another article.
The artifacts referenced below are related to the “Backup and Sync” Google Drive application, which is still alive and in use. You will likely still run into systems with this version of Google Drive.
Here are the primary artifacts you should look for:
- Sync_config.db
- MacOS Location: \Users\{USERNAME}\Library\Application Support\Google\Drive\user_default\sync_config.db
- Windows: \Users\{USERNAME}\appData\Local\Google\Drive\user_default\sync_config.db
- Snapshot.db
- MacOS Location: \Users\{USERNAME}\Library\Application Support\Google\Drive\user_default\snapshot.db
- Windows: \Users\{USERNAME}\appData\Local\Google\Drive\user_default\snapshot.db
- Sync_log.log
- MacOS Location: \Users\{USERNAME}\Library\Application Support\Google\Drive\user_default\sync_log.log
- Windows: \Users\{USERNAME}\appData\Local\Google\Drive\user_default\sync_log.log
The “sync_config.db” is a SQLite file that gives you information about the connected Google Drive account and the location of the synchronization folder:
The “snapshot.db”is a SQLite file that contains a list of files that Google Drive is aware of and is watching actions for in the synchronization folder. This log includes interesting bits of info like file hashes, names, Google IDs, and timestamps:
The “sync_log.log” is a plain text file that contains loads of information about events that have occurred within Google Drive – including creation, deletion, & modification events. These logs can even tell you if the event occurred on the local machine or if the event happened elsewhere.
Here is an example of one of the logs from the sync_log.log file. You can tell from this example that there is a ton of information about the event and the related file or folder.
These three files can be an incredibly important source of information when conducting Google Drive investigations.
Web Browser History
The next source of information for Google Drive activity on a computer will come from the user’s web history. Google Drive info should be found in the history of any browser that stores history records like Chrome, Safari, or Firefox.
When you access an item or location in Google Drive within a web browser, two key pieces of info are recorded in the web history: the Google Drive URL and the page title.
For example, I am currently drafting this article in Google Docs. The web history of my Chrome browser is going to record the title of this document in the page title, and the unique Google ID for the document in the address bar:
In another example, you can see the folder in Google Drive that I have open via the page title and URL.
The title and Google ID present in the address bar can be used to help identify access to items in Google Drive.
The download history from the browser can also reveal this information. The name of the item will be listed as the downloaded file and the download URL will contain the unique Google ID for that item.
Google Drive Account
In certain cases, you may have access to the Google Drive account in question. In these cases it is appropriate to collect the contents of Google Drive via the Google Takeout service provided by Google.
When collecting data via the Google Takeout process, be sure to enable the additional options in the “advanced settings” menu when selecting Google Drive:
This will give you all document versions and will include a metadata JSON file for each file and folder. The metadata JSON file will include additional characteristics of the item you may find useful.
Google Workspace
If the target Google Drive account exists within a Google Workspace domain, you have access to convenient and robust Google Drive admin logs. These logs show a lengthy history of activity by users with respect to Google Drive files. This requires admin access to the Google Workspace Admin Console, but it is essential to collect these logs for review in a Google Drive investigation.
These logs can contain edit, create, download, & view events that are tied to specific Google Workspace users with timestamps and IP addresses. The activity is related to specific files and folders within Google Drive.
During the investigation, you should access and export these logs as soon as possible as they have retention of 6 months.
Google Drive APIs
The final dataset that you can access takes a bit more skill and effort. This method also requires full access and authentication to the target Google Drive account. Google provides access to data contained within Google Drive via publicly available Application Programming Interfaces (APIs) that anyone can use.
To use these APIs, you need to have some skill in programming with any typical languages such as Python or Javascript. To use these APIs, you basically write code to make HTTP requests to API endpoints defined by Google to retrieve specific kinds of data.
For example, you can collect file and folder metadata and activity data from Google Drive via the Google Drive API and Google Drive Activity API. Using these Google APIs, you can pull metadata that includes timestamps called “viewedByMeTime” and “modifiedByMeTime”. These timestamps provide information about last access history for the authenticated user.
The Activity API will provide logs that illustrate events such as file edits, sharing, and deletion to the trash folder.
You can review Google’s API documentation for these APIs and play around with writing scripts to interact with them. Here are links to the API documentation:
This article was written by Matt Danner of Monolith Forensics. If you’re looking for something to help manage your digital evidence and forensics casework, check out Monolith Forensics at www.monolithforensics.com.
