FREE Dropbox Forensics Tool

Dropbox Reader is a set of Python scripts for forensic investigators. The scripts provide investigators with information about a particular Dropbox user’s account and activities, such as the registration e-mail, Dropbox identifier and most recently changed files.

Dropbox Reader was created by Cybermarshal, the computer forensics wing of ATC-NY.

Here’s a list and description of the tools from the product website:

  • read_config script outputs the contents of the Dropbox config.db file in human-readable form. This includes the user’s registered e-mail address and Dropbox identifier, software version information, and a list of the most-recently-changed files.
  • read_filecache_config script outputs configuration information from the Dropbox filecache.db file. This includes information about shared directories that are attached to the user’s Dropbox account.
  • read_filejournal script outputs information about Dropbox synchronized files stored in the filecache.db file. This includes local and server-side metadata and a list of block hashes for each Dropbox-synchronized file.
  • read_sigstore script outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
  • hash_blocks script produces a block hash list for any file. This block hash list can be compared to the block hashes from read_filejournal or read_sigstore.
  • dropbox_contains_file script hashes one or more files (as per hash_blocks) and compares the resulting block hash list to the files listed in filecache.db (as per read_filejournal) and reports whether the files are partially or exactly the same as any Dropbox-synchronized files.
This entry was written by Zac , posted on Saturday June 25 2011at 12:06 pm , filed under Cloud, Digital Forensics and tagged , , , , , , , . Bookmark the permalink . Post a comment below or leave a trackback: Trackback URL.

Leave a Reply

You must be logged in to post a comment.