Detecting data leakage via Microsoft OneDrive

technical paper

Microsoft OneDrive is one of the most widely used cloud storage applications, since it is preinstalled on current Windows releases. Both private users and companies use it to move data to the cloud. This makes the OneDrive client an interesting data source for IT forensics: its local traces remain on the workstation even after the data itself has left the system. This article shows what a Microsoft OneDrive analysis can look like and what it is good for.

Microsoft OneDrive analysis with Registry Explorer

In the first step, Registry Explorer can be used to check whether Microsoft OneDrive has been used on the Windows workstation at all. For this, open the user's NTUSER.DAT hive and check the following registry key:

NTUSER\Software\Microsoft\OneDrive\Accounts\Personal

The key contains the local folder whose contents are synced to the cloud (UserFolder), the email address used to sign in to OneDrive (UserEmail), and a timestamp of the last sign-in (LastSignInTime). If the Personal key has no entries, a personal OneDrive account has not been used on the system. Note that work or school accounts are recorded under the sibling key Accounts\Business1 (Business2 and so on for further accounts) rather than under Personal, so that key must be checked as well before concluding that OneDrive was never used. If either key is populated, it can be assumed that the user was using Microsoft OneDrive on the system.
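The registry check above can also be scripted for triage on a running host. The following Python is an added example and not code from the original article: on Windows it reads the Accounts\Personal and Accounts\Business1 keys from the live HKCU hive with the standard winreg module, and the interpretation is kept in a pure function so it can equally be fed values exported with Registry Explorer and run on any operating system. It assumes that LastSignInTime is a REG_DWORD holding Unix epoch seconds, which is how current clients store it.

```python
"""Check a Windows user profile for OneDrive sign-in traces.

Added example (not from the original article). On a live Windows host it
reads HKCU\\Software\\Microsoft\\OneDrive\\Accounts\\* with winreg; the
interpretation is a pure function so it can also be fed values exported
from an offline NTUSER.DAT. Assumed: LastSignInTime is a REG_DWORD
holding Unix epoch seconds.
"""
import datetime as dt
import sys

# Personal accounts live under ...\Accounts\Personal; work/school accounts
# under ...\Accounts\Business1 (Business2, ... for further accounts).
ACCOUNT_SUBKEYS = (
    r"Software\Microsoft\OneDrive\Accounts\Personal",
    r"Software\Microsoft\OneDrive\Accounts\Business1",
)


def summarize_account(values):
    """Interpret the values of one Accounts\\* key.

    `values` maps value name -> data (read live or exported). Returns None
    when the key carries no sign-in data, i.e. that account type was not
    used; otherwise a dict with the forensically relevant fields.
    """
    if not values or not values.get("UserEmail"):
        return None
    summary = {
        "email": values["UserEmail"],
        "sync_folder": values.get("UserFolder"),
        "cid": values.get("cid"),  # account identifier
        "last_sign_in_utc": None,
    }
    ts = values.get("LastSignInTime")
    if isinstance(ts, int) and ts > 0:  # assumption: Unix epoch seconds
        when = dt.datetime.fromtimestamp(ts, dt.timezone.utc)
        summary["last_sign_in_utc"] = when.strftime("%Y-%m-%d %H:%M:%S")
    return summary


def read_live_key(subkey):
    """Read all values of HKCU\\<subkey> on a running Windows host."""
    import winreg  # Windows only
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey)
    except FileNotFoundError:  # key absent: this account type never signed in
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def triage_live_host():
    """Report every OneDrive account type found in the current user's hive."""
    results = {}
    for subkey in ACCOUNT_SUBKEYS:
        account = subkey.rsplit("\\", 1)[-1]  # "Personal" / "Business1"
        results[account] = summarize_account(read_live_key(subkey))
    return results


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live registry read needs Windows; call summarize_account() on exported values")
    for account, summary in triage_live_host().items():
        print(f"{account}: {summary or 'no sign-in found'}")
```

Run it as the user being examined (HKCU is per user); for an offline hive, export the values of each Accounts\* key and pass them to summarize_account() as a dict. A result of None for both Personal and Business1 is the scripted equivalent of the "no entries in the key" finding above.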

To go deeper, examine the Microsoft OneDrive configuration files. They are created as soon as the user starts using Microsoft OneDrive on the system.

Analysis of Microsoft OneDrive configuration files

The important configuration files are the .dat database and SyncDiagnostics.log. Both are found under the following path:

%UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Personal

The .dat file reveals when data was last synced to the OneDrive cloud. Besides the time of the last synchronization it lists the transferred files, and it records their sizes, so the order of magnitude of the transfer can be determined.

The .dat file only holds files from recent syncs. For a historical view of which files have been uploaded there is also the .dat.previous database, which keeps entries from earlier OneDrive cloud syncs. Note that newer OneDrive clients have moved this data into a SQLite database, SyncEngineDatabase.db, in the same settings folder; if no .dat is present, look for that file instead.

SyncDiagnostics.log not only names the files that have been synced with the OneDrive cloud but also records their metadata: how large a file was, when it was last modified and when it was created in Windows. Its advantage over the .dat file is that it lists not only recently synced files but also files synced further back.

Reading configuration files

The .dat database is a binary file and cannot simply be opened in a text editor; you need a tool that extracts the strings it contains. One such tool is bstrings.exe by Eric Zimmerman, who has also written several other forensic tools such as Registry Explorer.

Tool application:

bstrings.exe -f .dat

The tool runs from the command line. The -f option tells bstrings to process a single file (use -d instead to process a whole directory); the argument after -f is the configuration file to read, here the .dat file. Give the full path to the .dat file in the user's profile, i.e. under the settings\Personal path shown above.

As soon as the command runs, all printable strings contained in .dat are written to the command line. bstrings extracts both ASCII and Unicode (UTF-16) strings, which matters here because the binary .dat stores names as Unicode. This quick check shows whether Microsoft OneDrive was used on the system and which files were synced.
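To show what the string extraction from the .dat database described in the last two sections actually yields, here is an added Python example. It is not bstrings and not code from the article: it re-implements the part of bstrings that matters for this check, pulling ASCII and UTF-16LE runs out of a binary file, and then filters them for what an examiner looks at first, document-like file names and email addresses. It does not parse the .dat format itself; the sample bytes are constructed to resemble what such a file contains (NUL padding, a UTF-16LE document name, an ASCII sync path, an email address and some binary noise).

```python
"""Extract file names and account hints from a OneDrive .dat database.

Added example, not part of the original article and not bstrings itself.
Reproduces the relevant behaviour of bstrings (ASCII + UTF-16LE string
runs) and filters the result for document names and e-mail addresses.
SAMPLE_DAT below is constructed test data, not a real .dat dump.
"""
import re
import sys

MIN_LEN = 6  # shortest run worth reporting, like bstrings' default minimum

# Flagging rules: a document-like name at the end of a string (bare name or
# full path), and a whole-string e-mail address.
DOC_NAME = re.compile(r'[^\\/:*?"<>|]+\.(?:docx?|xlsx?|pptx?|pdf|zip|7z|csv|txt)$', re.I)
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run in `data`.

    ASCII runs are consecutive bytes 0x20-0x7e; UTF-16LE runs are the same
    characters each followed by a NUL byte, which is how the binary .dat
    stores names and why a plain ASCII strings pass misses them.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_run.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def classify(text):
    """Label a string as 'email', 'document' or None (not of interest)."""
    if EMAIL.match(text):
        return "email"
    if DOC_NAME.search(text):
        return "document"
    return None


def triage_dat(data, min_len=MIN_LEN):
    """Return the strings worth a second look as (offset, encoding, kind, text),
    in file order and without duplicates."""
    seen = set()
    out = []
    for offset, encoding, text in extract_strings(data, min_len):
        text = text.strip()
        kind = classify(text)
        if kind and text not in seen:
            seen.add(text)
            out.append((offset, encoding, kind, text))
    return out


# Constructed sample resembling .dat content: NUL padding, a UTF-16LE document
# name, an ASCII path to a synced document, an e-mail address and noise that
# a naive strings pass would still report.
SAMPLE_DAT = (
    b"\x00" * 16
    + "Kundenliste_2023.xlsx".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03\x04"
    + b"C:\\Users\\alice\\OneDrive\\Vertraege\\Angebot.pdf" + b"\x00\x00\x00"
    + "alice.mueller@example.com".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\x90"
    + b"noise!" + b"\x00"
)


if __name__ == "__main__":
    # Usage: python triage_dat.py <path-to-.dat>; without an argument the
    # constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DAT
    for offset, encoding, kind, text in triage_dat(blob):
        print(f"0x{offset:08x}  {encoding:8}  {kind:8}  {text}")
```

The filter is deliberately crude; for a real case, extend DOC_NAME with the file types relevant to the suspected leak and keep the full extract_strings() output as well, since offsets and neighbouring strings help when reconstructing which entries belong together.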

Signs of data leakage or illegal private use

In general, despite the relative novelty of cloud services, there are ways to analyze them forensically. First of all, the various logs and databases described above provide a reliable data source. With their help, a forensic examiner can identify cases such as the following:

Especially when the leak of business secrets is suspected, a OneDrive analysis can quickly give certainty because, as shown in this article, under certain circumstances it is possible to identify the email address of the account used and the date on which the data left the company. To prevent this from happening in the first place, companies should address the topic before a concrete IT security incident occurs and implement specific data loss prevention (DLP) measures, such as restricting which OneDrive accounts may sync on company devices.
