DropBox forensics and security

Posted on 2014-12-02
Last Modified: 2014-12-02

I am looking for some information on how a DropBox Business scenario as below can be investigated if you suspect there was a data breach and needed to investigate it.

Here the situation:

In a company the company directory is getting backed-up, the drives on the employees PC is not getting backed-up.  The  employee has a personal dropbox on his employee PC and saved files from the company directory to the personal dropbox.  If the employee gets kicked out and can’t delete the dropbox on the PC, but instead delinked online the dropbox on the employees PC from his personal dropbox,

1)      Can the company see if the files from the directory were saved on the dropbox or just on the employees PC drive?
2)      Can the company see which files were saved on the PC or on the dropbox (specific files or just if it was a pdf or an excel file)?
3)      Is it possible that the files did not get deleted from the employees PC and the company can see which files were on the personal dropbox?
4)    Last point is that the company did actually see how many files were uploaded to the dropbox.
5)    Does dropbox record when you delete files? I mean is it possible to see later when files were deleted?

Can anyone speak to some of these points in whether it is possible to find these records and how you would do it?

Question by:Vyyk_Drago
LVL 63

Accepted Solution

btan earned 500 total points
ID: 40475746
For (1), (2).

By default, anything you store in your Dropbox is private and accessible only by you. So it is based on the login account type used e.g. personal or work Dropbox on connect option. So assuming user login using the business account, and if you're the admin of a Dropbox for Business account, you can control whether team members can share stuff with people outside the team.

As a whole, other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders. Even if you as admin and if not member of the shared folder, you rightfully cannot see those files explicitly. The owner of the shared file/folder can determine whether other members of the folder are viewers or editors. By default, members added to a shared folder are editors.

Dropbox for Business admins have no control or access to your personal Dropbox. If you've linked your personal Dropbox to a company-owned computer or device, it will be subject to your organization’s policies.

Will everyone on my team have access to my files?

How do I administer sharing for my team?

What roles and permissions can members of a shared folder have?

For (3), (4), (5).

For file in PC and in Dropbox cloud, it depends on the file syncing configured as it can be selectively configured to sync only some folder hence the Cloud will have those but overall the PC should have the everything and the most up to date. Depending on the cloud is just finding traces which may serves as those sync backup configured explicitly. Otherwise, you are not aware to extend by the actual user.

Also not all files are accepted for syncing which there is guidelines from Dropbox. In forensic tmp files are trails for app opening and indicator that user is performing some task but these tmp files are not sync to Cloud. And if the file attributes which is meta data from file will not be retained if it is syncing FAT32 drives in PC to Dropbox

How do I sync files between computers?

Why aren't certain files on one computer syncing to another?

As for the deletion portion, it is as explained in file syncing and file permission granted. Besides that as long as it is not in the file sync folder etc and permission list, the deletion action will not be known in terms of comparing the past presence and the sudden "missing" of files. Making it tougher, Dropbox also does not include a full audit trail of which files were transferred, when and by whom. I know this is is essential for documenting compliance to industry regulations.

May be better to check with Dropbox support if this stands true still..there possible be traces in signs network captures, and logs are commonly found in SQLite databases and flat files. But they may not be significant evidence to trace back activities easily..

Overall, the safeguards is not to over grant privileges to user and guard against insider admin as well in collusion. Here is an summary  sharing (pdf) of further forensic consideration in the area of leakage threats which you can check out if interested to dive deeper to tighten and the various DLP assessments...Note that there is blackhat  sharing in past on the DropSmack (pdf) which can ex-filtrate date unknowing to user assumed they infected the user Dropbox synced folder

Author Closing Comment

ID: 40476244
Thanks, that helps a lot.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There is no doubt that cloud is gaining importance. Many of you must have read about this technology and its growing importance. More and more organisations are embracing this technology not forgetting start-ups. The process begins by dipping …
Learn how the use of a bunch of disparate tools requiring a lot of manual attention led to a series of unfortunate backup events for one company.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question