Blog >> OneDrive

Investigating OneDrive

02/07/2021 Friday

OneDrive is a file hosting service that offers cloud storage, file synchronization, personal cloud, and client software. OneDrive brings files together in one place by creating a special folder on the user's computer. The contents of these directories are synchronized to the servers of OneDrive and other computers and systems where OneDrive has been installed by the user, keeping the same files up to date on all devices. OneDrive is available for Microsoft Windows, Apple macOS, and Linux computers, and mobile apps for iOS, Android, and Windows Phone smartphones and tablets.


Digital Forensics Value of OneDrive Artifacts


OneDrive file contains information about files that users uploaded and synced to OneDrive, clod data, and configuration. This information is critical during the forensic analysis process as it helps us understand the types of artifacts that are likely to remain for digital forensics investigators.


Location of OneDrive Artifacts


Windows 8: C:\Users\username\Appdata\Local\Microsoft\OneDrive\logs
Windows 10: C:\Users\username\Appdata\Local\Microsoft\Windows\OneDrive\logs


Structure of OneDrive Artifacts


OneDrive contains information about files that users uploaded and synced to OneDrive. It contains several sub artifacts such as: items, deleted items, recycle bin items, accounts, and downloads.

Within the OneDrive evidence there are four types of files: SyncEngine.odl, TraceCurrent.ETL, TraceArchive.ETL, and SyncDiagnostics.txt.


Analyzing OneDrive Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to analyze One Drive artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select OneDrive Artifact:






Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of OneDrive artifact in ArtiFast software.


OneDrive (Win Apps) Accounts Artifact


OneDrive (Win Apps) Downloads Artifact


OneDrive (Win Apps) Deleted Items Artifact


OneDrive (Win Apps) Items Artifact


OneDrive RecycleBin Items Artifact


OneDrive Cloud Metadata Artifact


OneDrive Sync Diagnostics Artifact


OneDrive User Configurations Artifact


OneDrive MountPoint Files Artifact


OneDrive MountPoint Folder Artifact


OneDrive Profile Service Artifact


OneDrive State Artifact