DropBox forensics and security

Posted on 2014-12-02
Last Modified: 2014-12-02

I am looking for some information on how a DropBox Business scenario as below can be investigated if you suspect there was a data breach and needed to investigate it.

Here the situation:

In a company the company directory is getting backed-up, the drives on the employees PC is not getting backed-up.  The  employee has a personal dropbox on his employee PC and saved files from the company directory to the personal dropbox.  If the employee gets kicked out and can’t delete the dropbox on the PC, but instead delinked online the dropbox on the employees PC from his personal dropbox,

1)      Can the company see if the files from the directory were saved on the dropbox or just on the employees PC drive?
2)      Can the company see which files were saved on the PC or on the dropbox (specific files or just if it was a pdf or an excel file)?
3)      Is it possible that the files did not get deleted from the employees PC and the company can see which files were on the personal dropbox?
4)    Last point is that the company did actually see how many files were uploaded to the dropbox.
5)    Does dropbox record when you delete files? I mean is it possible to see later when files were deleted?

Can anyone speak to some of these points in whether it is possible to find these records and how you would do it?

Question by:Vyyk_Drago
LVL 62

Accepted Solution

btan earned 500 total points
ID: 40475746
For (1), (2).

By default, anything you store in your Dropbox is private and accessible only by you. So it is based on the login account type used e.g. personal or work Dropbox on connect option. So assuming user login using the business account, and if you're the admin of a Dropbox for Business account, you can control whether team members can share stuff with people outside the team.

As a whole, other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders. Even if you as admin and if not member of the shared folder, you rightfully cannot see those files explicitly. The owner of the shared file/folder can determine whether other members of the folder are viewers or editors. By default, members added to a shared folder are editors.

Dropbox for Business admins have no control or access to your personal Dropbox. If you've linked your personal Dropbox to a company-owned computer or device, it will be subject to your organization’s policies.

Will everyone on my team have access to my files?

How do I administer sharing for my team?

What roles and permissions can members of a shared folder have?

For (3), (4), (5).

For file in PC and in Dropbox cloud, it depends on the file syncing configured as it can be selectively configured to sync only some folder hence the Cloud will have those but overall the PC should have the everything and the most up to date. Depending on the cloud is just finding traces which may serves as those sync backup configured explicitly. Otherwise, you are not aware to extend by the actual user.

Also not all files are accepted for syncing which there is guidelines from Dropbox. In forensic tmp files are trails for app opening and indicator that user is performing some task but these tmp files are not sync to Cloud. And if the file attributes which is meta data from file will not be retained if it is syncing FAT32 drives in PC to Dropbox

How do I sync files between computers?

Why aren't certain files on one computer syncing to another?

As for the deletion portion, it is as explained in file syncing and file permission granted. Besides that as long as it is not in the file sync folder etc and permission list, the deletion action will not be known in terms of comparing the past presence and the sudden "missing" of files. Making it tougher, Dropbox also does not include a full audit trail of which files were transferred, when and by whom. I know this is is essential for documenting compliance to industry regulations.

May be better to check with Dropbox support if this stands true still..there possible be traces in signs network captures, and logs are commonly found in SQLite databases and flat files. But they may not be significant evidence to trace back activities easily..

Overall, the safeguards is not to over grant privileges to user and guard against insider admin as well in collusion. Here is an summary  sharing (pdf) of further forensic consideration in the area of leakage threats which you can check out if interested to dive deeper to tighten and the various DLP assessments...Note that there is blackhat  sharing in past on the DropSmack (pdf) which can ex-filtrate date unknowing to user assumed they infected the user Dropbox synced folder

Author Closing Comment

ID: 40476244
Thanks, that helps a lot.

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Dropbox 3 72
Barracuda Bsckup Server 690 6 80
how to update backup definition in  TSM for an Oracle server. 6 58
Write Caching in the Cloud for VFP9 16 86
Monitoring systems evolution, cloud technology benefits and cloud cost calculators business utility.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now