This version of OneDriveExplorer (ODE) is a major update with quite a few GUI improvements and data processing. The first thing you will notice is ODE now has a breadcrumb viewer for another navigation option. You can now double click the folders in the center pane to open that folder.
The CStructs pane has also been cleaned up for a more consistent look between themes.
Along with GUI updates, there are new data sources that have been added to bring more relevant information to your investigations.
od_GraphMetadata_Records
ODE now includes data from the od_GraphMetadata_Records table. The od_GraphMetadata_Records table resides in the SyncEngineDatabase.db. One of the features of this table is that it stores information on who created and who modified the file last.
od_GraphMetadata_Records also can have information on video/image files such as audio format, bit rate, height and width.
If file policies are applied, ODE can populate them from the od_GraphMetadata_Records table.
od_HydrationData
The od_HydrationData table was added to SyncEngineDatabase.db sinse version 21 of the schema. It records the first time a file is downloaded (hydrated) from the cloud to the device. I preformed some test to see what would cause this table to populate. The following was observed.
First time file is hydrated (opened) if the status is Available when online.
- Does not get removed from the table when Free up space is performed.
- Always keep on this device does not populate the table.
- If status is Always keep on this divice, opening does not populate the table.
The hydration time can be found in the Details pane.
filter_delete_info
The filter_delete_info table resides in the SafeDelete.db. Not entirely sure what causes this table to populate but it appears to be when an application is responsible for deleting files rather than the user just deleting them. One thing to note is the table contains what process was responsible for deleting the file. This information can be found in the Deleted items in ODE.
Another thing that was add, when adding the system recycle bin, ODE combines data points together to eliminate double entries and also indicates which files are still available on the system.
Personal Vault log decryption
Added to ODE is the ability to decode personal vault logs. This gives us more insight on what is happening with the files inside the vault. One thing to note, if the vault is open, ODE can see the files inside. As an example, here is what data we get from the logs without decrypting the personal vault logs. ODE was able to correlate 188 logs to the user's personal vault.
In order to decrypt the vault logs, we need to issue the following command.
OneDrive. exe /outputkeystorevault
What this command does is outputs the vault key to the EncryptionKeyStoreCopy folder.
With the vault.keystore file, ODE can decrypt any of the logs that pertain to the personal vault. ODE now displays 203 correlated logs for the personal vault.
The latest version of OneDriveExplorer can be found here.
No comments:
Post a Comment