Wednesday, September 20, 2023

OneDriveExplorer ODL Parsing Issues

The Issue

Recently, I've been noticing quite a few instances where OneDriveExplorer was unable to parse some of the ODL logs, and other instances where the parameters of the log entries came out as a jumbled mess.

So I tried Yogesh Khatri's OneDrive tool to see if it was something OneDriveExplorer was doing wrong. It generated quite a few "Error in read_string()" and "ERROR writing rows: <class '_csv.Error'> need to escape, but no escapechar set" errors, and the same jumbled mess appeared in some of the Params_Decoded fields.

Something seems to be amiss.

Finding the issue

There has to be something in the way these tools are handling the data (OneDriveExplorer's ODL parsing is based on Yogesh's work). If we look at Yogesh's blog post, he has laid out nicely the structure of the ODL files.

With this information, I slightly modified OneDriveExplorer to dump out the structures so they could be examined. As it turned out, for some reason, some of the data blocks do not follow this same structure. From the output, I could see the data_len was an absurdly large number, throwing off the parser in both tools.

The fix

I reached out to Yogesh to see if he had noticed any changes in the ODL files. Upon further examination, Yogesh noticed the ODL version had changed, and the structures for the data_block and data had changed with it.

With this information, Yogesh and I have updated our tools to parse the ODL files. Running OneDriveExplorer again now shows everything is properly aligned.
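The failure described above (a length field read from the wrong offset, so the parser walks off into garbage) and the fix (gate the block layout on the version in the file header, and never trust a length that cannot fit in the remaining bytes) can be shown with a small block walker. This is an added example written for this post, not code from OneDriveExplorer or from Yogesh's tool; the file magic, block tag, field order and the "v1"/"v2" layouts are all constructed for illustration and are not the real ODL structure (see Yogesh's blog post for that). The hypothetical v2 layout inserts a 64-bit timestamp before data_len, which is enough to reproduce the "absurdly large data_len" symptom when an old-layout parser reads a new-layout file.

```python
"""Toy block walker: version-gated layouts plus a bounds check on data_len.
Everything about the format below is constructed for illustration; it is
NOT the real ODL file structure."""
import struct
from dataclasses import dataclass

MAGIC = b"TOYODL\x00\x00"   # assumed file signature (not the real one)
BLOCK_TAG = b"BLK\x00"      # assumed block signature (not the real one)
MAX_SANE_LEN = 1 << 20      # any data_len above this is treated as corruption

# Assumed per-version block headers. v1: tag, data_len.
# v2: tag, 64-bit timestamp, data_len. A v1 reader applied to a v2 file
# interprets the low 32 bits of the timestamp as data_len.
BLOCK_LAYOUT = {1: "<4sI", 2: "<4sQI"}


class ParseError(ValueError):
    pass


@dataclass
class Block:
    offset: int
    data_len: int
    payload: bytes


def build_file(version, payloads, timestamp=0):
    """Constructed test data: file header followed by blocks in one layout."""
    out = bytearray(MAGIC + struct.pack("<I", version))
    for p in payloads:
        if version == 1:
            out += struct.pack(BLOCK_LAYOUT[1], BLOCK_TAG, len(p))
        else:
            out += struct.pack(BLOCK_LAYOUT[2], BLOCK_TAG, timestamp, len(p))
        out += p
    return bytes(out)


def parse_header(buf):
    """Return (version, offset of first block)."""
    if len(buf) < 12 or buf[:8] != MAGIC:
        raise ParseError("not a toy ODL file")
    (version,) = struct.unpack_from("<I", buf, 8)
    return version, 12


def walk_blocks(buf, force_version=None):
    """Walk every block, refusing to trust a data_len that cannot fit.

    force_version mimics an old parser that hard-codes one layout and
    ignores the version recorded in the header."""
    version, off = parse_header(buf)
    if force_version is not None:
        version = force_version
    fmt = BLOCK_LAYOUT.get(version)
    if fmt is None:
        raise ParseError(f"unsupported version {version}")
    hdr = struct.calcsize(fmt)
    blocks = []
    while off < len(buf):
        if off + hdr > len(buf):
            raise ParseError(f"truncated block header at {off:#x}")
        fields = struct.unpack_from(fmt, buf, off)
        tag, data_len = fields[0], fields[-1]
        if tag != BLOCK_TAG:
            raise ParseError(f"bad block tag at {off:#x}: {tag!r}")
        remaining = len(buf) - off - hdr
        if data_len > remaining or data_len > MAX_SANE_LEN:
            # This is the symptom seen in the post: a length that is
            # nonsense for the file size means we are reading the wrong
            # layout, so stop instead of emitting jumbled parameters.
            raise ParseError(
                f"data_len {data_len:#x} at {off:#x} exceeds remaining "
                f"{remaining} bytes; layout/version mismatch?")
        start = off + hdr
        blocks.append(Block(off, data_len, buf[start:start + data_len]))
        off = start + data_len
    return blocks


if __name__ == "__main__":
    new_file = build_file(2, [b"hello", b"world!"], timestamp=1693526400000)
    for b in walk_blocks(new_file):
        print(f"block @ {b.offset:#x} len={b.data_len} {b.payload!r}")
    try:
        walk_blocks(new_file, force_version=1)   # old layout on new file
    except ParseError as e:
        print("old parser:", e)
```

Running the module parses the v2 sample cleanly and then shows the old-layout reader bailing out on the first block with a data_len in the gigabyte range rather than silently producing garbage. The two checks worth carrying into a real parser are the version gate on the header and the `data_len > remaining` test; the latter turns a silent misparse into a loud error that points at the exact offset.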

Results

Updated parser = 1,921,804 entries, no errors, parameters parsed properly
Old parser     =   959,819 entries, 15 files could not be read, some parameters jumbled

This ODL version change occurred in v23.180.0828.0001 and later. It might be a good idea to recheck any forensic examinations that were performed against this version or higher. v23.180.0828.0001 rolled out on 9/01/23 as an insider build, so the window is fairly small. The latest release of OneDriveExplorer can be found here.

Thursday, September 7, 2023

What's New in OneDriveExplorer

It's been about a year and a half since the initial release of OneDriveExplorer. With this being a major release, I thought I'd write about some of the updates and improvements. I've been working hard in my spare time to add in data as it is discovered and to give the best user experience possible. With that said, let's look at some of the improvements and features in this release.

Updated dat parser

The way OneDriveExplorer initially parsed information out of the dat file was with regex. With the limited dataset available at the time, this was the most viable option. The problem with this approach is that it made it difficult to reliably extract more data. After analyzing 300+ OneDrive installs, the structures in the dat file became better understood. OneDriveExplorer is now able to "walk" the dat file from beginning to end without the need for regex, making it more reliable and able to extract more data.

SQLite parsing

Although not entirely new, it appears OneDrive is moving away from the proprietary dat file to SQLite. OneDriveExplorer is able to parse these new SQLite files, and there have already been instances where the dat file has been removed from the settings folder entirely. So rest assured, OneDriveExplorer has your back.

Updated GUI and Status Column

The GUI now has a three-pane view, much like Windows File Explorer. The left pane features a folder navigation view. The center pane shows the files and folders in the selected folder along with their status, date modified and file size. The right pane gives you more details about the selected file or folder. A thing to note about the status column: there may be times a number appears in the column. This is the raw status number from the data. If a number is shown, the meaning of that status value is not yet understood.

Another slight change is the search function. Instead of highlighting the matches found, they are now populated in the center pane.

The latest release of OneDriveExplorer can be found here.