DropBox forensics and security

Posted on 2014-12-02
Medium Priority
Last Modified: 2014-12-02

I am looking for some information on how a DropBox Business scenario as below can be investigated if you suspect there was a data breach and needed to investigate it.

Here the situation:

In a company the company directory is getting backed-up, the drives on the employees PC is not getting backed-up.  The  employee has a personal dropbox on his employee PC and saved files from the company directory to the personal dropbox.  If the employee gets kicked out and can’t delete the dropbox on the PC, but instead delinked online the dropbox on the employees PC from his personal dropbox,

1)      Can the company see if the files from the directory were saved on the dropbox or just on the employees PC drive?
2)      Can the company see which files were saved on the PC or on the dropbox (specific files or just if it was a pdf or an excel file)?
3)      Is it possible that the files did not get deleted from the employees PC and the company can see which files were on the personal dropbox?
4)    Last point is that the company did actually see how many files were uploaded to the dropbox.
5)    Does dropbox record when you delete files? I mean is it possible to see later when files were deleted?

Can anyone speak to some of these points in whether it is possible to find these records and how you would do it?

Question by:Vyyk_Drago
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 64

Accepted Solution

btan earned 2000 total points
ID: 40475746
For (1), (2).

By default, anything you store in your Dropbox is private and accessible only by you. So it is based on the login account type used e.g. personal or work Dropbox on connect option. So assuming user login using the business account, and if you're the admin of a Dropbox for Business account, you can control whether team members can share stuff with people outside the team.

As a whole, other Dropbox users can't see your files in Dropbox unless you deliberately share links to files or share folders. Even if you as admin and if not member of the shared folder, you rightfully cannot see those files explicitly. The owner of the shared file/folder can determine whether other members of the folder are viewers or editors. By default, members added to a shared folder are editors.

Dropbox for Business admins have no control or access to your personal Dropbox. If you've linked your personal Dropbox to a company-owned computer or device, it will be subject to your organization’s policies.

Will everyone on my team have access to my files?

How do I administer sharing for my team?

What roles and permissions can members of a shared folder have?

For (3), (4), (5).

For file in PC and in Dropbox cloud, it depends on the file syncing configured as it can be selectively configured to sync only some folder hence the Cloud will have those but overall the PC should have the everything and the most up to date. Depending on the cloud is just finding traces which may serves as those sync backup configured explicitly. Otherwise, you are not aware to extend by the actual user.

Also not all files are accepted for syncing which there is guidelines from Dropbox. In forensic tmp files are trails for app opening and indicator that user is performing some task but these tmp files are not sync to Cloud. And if the file attributes which is meta data from file will not be retained if it is syncing FAT32 drives in PC to Dropbox

How do I sync files between computers?

Why aren't certain files on one computer syncing to another?

As for the deletion portion, it is as explained in file syncing and file permission granted. Besides that as long as it is not in the file sync folder etc and permission list, the deletion action will not be known in terms of comparing the past presence and the sudden "missing" of files. Making it tougher, Dropbox also does not include a full audit trail of which files were transferred, when and by whom. I know this is is essential for documenting compliance to industry regulations.

May be better to check with Dropbox support if this stands true still..there possible be traces in signs network captures, and logs are commonly found in SQLite databases and flat files. But they may not be significant evidence to trace back activities easily..

Overall, the safeguards is not to over grant privileges to user and guard against insider admin as well in collusion. Here is an summary  sharing (pdf) of further forensic consideration in the area of leakage threats which you can check out if interested to dive deeper to tighten and the various DLP assessments...Note that there is blackhat  sharing in past on the DropSmack (pdf) which can ex-filtrate date unknowing to user assumed they infected the user Dropbox synced folder

Author Closing Comment

ID: 40476244
Thanks, that helps a lot.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many CHPs use the buzzword ‘Cloud Hosting’ to sell the idea of reliability. Most consumers have the opinion that cloud hosting is easily scalable and can handle just about anything. Further, most CHPs are not transparent and hide the underlying arch…
Microsoft will be releasing the Windows 10 Creators Update in just a matter of weeks. Are you prepared? Follow these steps to ensure everything goes smoothly and you don't lose valuable data on your PC.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question