DropBox forensics and security

Posted on 2014-12-02
Last Modified: 2014-12-02

I am looking for some information on how a DropBox Business scenario as below can be investigated if you suspect there was a data breach and needed to investigate it.

Here is the situation:

In a company, the company directory is getting backed up; the drives on the employee's PC are not getting backed up. The employee has a personal Dropbox on his employee PC and saved files from the company directory to the personal Dropbox. If the employee gets kicked out and can't delete the Dropbox on the PC, but instead delinked online the Dropbox on the employee's PC from his personal Dropbox,

1) Can the company see if the files from the directory were saved on the Dropbox or just on the employee's PC drive?
2) Can the company see which files were saved on the PC or on the Dropbox (specific files or just if it was a PDF or an Excel file)?
3) Is it possible that the files did not get deleted from the employee's PC and the company can see which files were on the personal Dropbox?
4) Last point is that the company did actually see how many files were uploaded to the Dropbox.
5) Does Dropbox record when you delete files? I mean, is it possible to see later when files were deleted?

Can anyone speak to some of these points in whether it is possible to find these records and how you would do it?

Question by:Vyyk_Drago

Accepted Solution

btan earned 500 total points
ID: 40475746
For (1), (2).

By default, anything you store in your Dropbox is private and accessible only by you. So it is based on the login account type used, e.g. personal or work Dropbox, on the connect option. So assuming the user logs in using the business account, and if you're the admin of a Dropbox for Business account, you can control whether team members can share stuff with people outside the team.

As a whole, other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders. Even if you are an admin, if you are not a member of the shared folder, you rightfully cannot see those files explicitly. The owner of the shared file/folder can determine whether other members of the folder are viewers or editors. By default, members added to a shared folder are editors.

Dropbox for Business admins have no control or access to your personal Dropbox. If you've linked your personal Dropbox to a company-owned computer or device, it will be subject to your organization’s policies.

Will everyone on my team have access to my files?

How do I administer sharing for my team?

What roles and permissions can members of a shared folder have?

For (3), (4), (5).

For files on the PC and in the Dropbox cloud, it depends on the file syncing configured, as it can be selectively configured to sync only some folders; hence the cloud will have those, but overall the PC should have everything and the most up to date. Depending on the cloud is just finding traces which may serve as those sync backups configured explicitly. Otherwise, you are not aware to extend by the actual user.

Also, not all files are accepted for syncing, for which there are guidelines from Dropbox. In forensics, tmp files are trails of an app opening and an indicator that the user is performing some task, but these tmp files are not synced to the cloud. And the file attributes, which are metadata from the file, will not be retained if it is syncing FAT32 drives in the PC to Dropbox.

How do I sync files between computers?

Why aren't certain files on one computer syncing to another?

As for the deletion portion, it is as explained in file syncing and the file permissions granted. Besides that, as long as it is not in the file sync folder etc. and the permission list, the deletion action will not be known in terms of comparing the past presence and the sudden "missing" of files. Making it tougher, Dropbox also does not include a full audit trail of which files were transferred, when and by whom. I know this is essential for documenting compliance with industry regulations.

It may be better to check with Dropbox support whether this still stands true. There may possibly be traces or signs in network captures, and logs are commonly found in SQLite databases and flat files. But they may not be significant evidence to trace back activities easily.

Overall, the safeguard is not to over-grant privileges to users, and to guard against insider admins in collusion as well. Here is a summary sharing (pdf) of further forensic considerations in the area of leakage threats, which you can check out if interested to dive deeper to tighten, and the various DLP assessments. Note that there was a Black Hat sharing in the past on DropSmack (pdf), which can exfiltrate data unknown to the user, assuming they infected the user's Dropbox synced folder.
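
As an added example (not part of the original answer and not Dropbox tooling): for points (1) to (3), assuming the local Dropbox folder is still present on the PC after unlinking, one way to see which company files ended up in it is to hash the company directory backup and the local sync folder and list files with identical content. The folder names, file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # hash in chunks so large files stay out of memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Map content hash -> relative paths of non-empty files under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) == 0:
                    continue  # empty files all share one hash: no evidential value
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable entry: skip it and keep sweeping
            index.setdefault(digest, []).append(os.path.relpath(full, root))
    return index

def company_files_in_sync_folder(company_root, sync_root):
    """Return (company_path, sync_path) pairs whose content is identical."""
    company, synced = inventory(company_root), inventory(sync_root)
    return sorted((c, s) for d in company.keys() & synced.keys()
                  for c in company[d] for s in synced[d])

def demo():
    """Constructed sample trees: one company file copied under a new name."""
    with tempfile.TemporaryDirectory() as tmp:
        share, box = os.path.join(tmp, "company_share"), os.path.join(tmp, "Dropbox")
        samples = {
            os.path.join(share, "finance", "budget.xlsx"): b"Q4 budget figures",
            os.path.join(share, "hr", "policy.pdf"): b"leave policy",
            os.path.join(box, "private", "renamed.xlsx"): b"Q4 budget figures",
            os.path.join(box, "holiday.jpg"): b"personal photo",
            os.path.join(box, "empty.txt"): b"",
        }
        for path, data in samples.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return company_files_in_sync_folder(share, box)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Matching is by content, so a renamed copy is still found, but a copy that was edited after being saved is not. Run it against read-only copies of the evidence rather than the live disk.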

Author Closing Comment

ID: 40476244
Thanks, that helps a lot.
