DropBox forensics and security


I am looking for some information on how a DropBox Business scenario as below can be investigated if you suspect there was a data breach and needed to investigate it.

Here is the situation:

In a company, the company directory is getting backed up; the drives on the employee's PC are not getting backed up. The employee has a personal Dropbox on his employee PC and saved files from the company directory to the personal Dropbox. If the employee gets kicked out and can't delete the Dropbox on the PC, but instead delinked online the Dropbox on the employee's PC from his personal Dropbox,

1) Can the company see if the files from the directory were saved on the Dropbox or just on the employee's PC drive?
2) Can the company see which files were saved on the PC or on the Dropbox (specific files or just if it was a PDF or an Excel file)?
3) Is it possible that the files did not get deleted from the employee's PC and the company can see which files were on the personal Dropbox?
4) Last point is that the company did actually see how many files were uploaded to the Dropbox.
5) Does Dropbox record when you delete files? I mean, is it possible to see later when files were deleted?

Can anyone speak to some of these points in whether it is possible to find these records and how you would do it?


btan (Exec Consultant) commented:
For (1), (2).

By default, anything you store in your Dropbox is private and accessible only by you. So it is based on the login account type used, e.g. personal or work Dropbox in the connect option. So assuming the user logs in using the business account, and if you're the admin of a Dropbox for Business account, you can control whether team members can share stuff with people outside the team.

As a whole, other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders. Even if you are an admin, if you are not a member of the shared folder, you rightfully cannot see those files explicitly. The owner of the shared file/folder can determine whether other members of the folder are viewers or editors. By default, members added to a shared folder are editors.

Dropbox for Business admins have no control or access to your personal Dropbox. If you've linked your personal Dropbox to a company-owned computer or device, it will be subject to your organization’s policies.

Will everyone on my team have access to my files?

How do I administer sharing for my team?

What roles and permissions can members of a shared folder have?

For (3), (4), (5).

For files on the PC and in the Dropbox cloud, it depends on the file syncing configured, as it can be selectively configured to sync only some folders; hence the cloud will have those, but overall the PC should have everything and the most up-to-date copies. Depending on the cloud is just finding traces which may serve as those sync backups configured explicitly. Otherwise, you are not aware to extend by the actual user.

Also, not all files are accepted for syncing, for which there are guidelines from Dropbox. In forensics, tmp files are trails of app opening and an indicator that the user is performing some task, but these tmp files are not synced to the cloud. And the file attributes, which are metadata from the file, will not be retained if it is syncing FAT32 drives in the PC to Dropbox.

How do I sync files between computers?

Why aren't certain files on one computer syncing to another?

As for the deletion portion, it is as explained in file syncing and file permission granted. Besides that, as long as it is not in the file sync folder etc. and permission list, the deletion action will not be known in terms of comparing the past presence and the sudden "missing" of files. Making it tougher, Dropbox also does not include a full audit trail of which files were transferred, when and by whom. I know this is essential for documenting compliance with industry regulations.

It may be better to check with Dropbox support whether this still stands true. There may possibly be traces and signs in network captures, and logs are commonly found in SQLite databases and flat files. But they may not be significant evidence to trace back activities easily.

Overall, the safeguard is not to over-grant privileges to users, and to guard against insider admins in collusion as well. Here is a summary sharing (pdf) of further forensic considerations in the area of leakage threats, which you can check out if you are interested in diving deeper to tighten, and the various DLP assessments. Note that there was a Black Hat sharing in the past on DropSmack (pdf), which can exfiltrate data unknown to the user, assuming they infected the user's Dropbox synced folder.
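
The answer above notes that client logs are commonly found in SQLite databases and flat files. As an added example (not part of the original answer, and not Dropbox's own tooling), this is one way to triage a working copy of a user profile directory for SQLite files without modifying them; the file and table names in the sample data are hypothetical and constructed for the demonstration.

```python
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def triage_sqlite(root):
    """Find SQLite files under root by header, not extension, and summarise each."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if not data.startswith(SQLITE_MAGIC):
            continue  # flat file: review separately as text
        entry = {"name": path.name, "sha256": hashlib.sha256(data).hexdigest(), "tables": {}}
        # mode=ro plus immutable=1: no writes, locks or journal files on the evidence copy
        uri = path.resolve().as_uri() + "?mode=ro&immutable=1"
        try:
            with closing(sqlite3.connect(uri, uri=True)) as con:
                names = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                for name in names:
                    quoted = '"' + name.replace('"', '""') + '"'
                    entry["tables"][name] = con.execute(
                        f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        except sqlite3.DatabaseError as exc:
            entry["error"] = str(exc)  # damaged, truncated or encrypted database
        findings.append(entry)
    return findings

def build_sample(root):
    """Constructed sample data; file and table names are hypothetical."""
    root = Path(root)
    with closing(sqlite3.connect(root / "client_state.dat")) as con:
        con.execute("CREATE TABLE sync_log (path TEXT, action TEXT, ts INTEGER)")
        con.executemany("INSERT INTO sync_log VALUES (?, ?, ?)", [
            ("/Reports/q3.xlsx", "upload", 1400000000), ("/Reports/q3.xlsx", "delete", 1400003600)])
        con.commit()
    (root / "sync.log").write_text("constructed flat-file log line\n")
    (root / "broken.db").write_bytes(SQLITE_MAGIC + b"\x00" * 10)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage_sqlite(build_sample(tmp)):
            print(finding)
```

Run it against a copy of the acquired directory rather than the original media, and record the SHA-256 values alongside the findings so later analysis can be tied to the same files.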

Vyyk_Drago (Author) commented:
Thanks, that helps a lot.