Welcome to a “Part 2” of my last blog post where I announced our new free tool for decrypting the Dropbox filecache.dbx file. The response has been overwhelming and we appreciate all the comments and feedback. We really do have a great digital forensics community.
Please note that IEF Triage has supported decrypting and parsing the filecache.dbx file on a live system since v5.8 which was released in January of this year. No password, Protect folders, or registry information is required, and it works on Windows XP, Vista, as well as Windows 7 and Windows 8. We’ll be incorporating the features from our free tool into IEF Standard in the near future and hopefully with Windows 7/8 support.
Today I wanted to explain some of the fields/data within the decrypted filecache.dbx file. Once decrypted, you’ll have a plaintext SQLite database. There are a few tables but we’ll focus on the most interesting one today, the file_journal table.
Below is a view of the file_journal table. The first items are all default files that everyone gets when they start a Dropbox account; the last record, which is highlighted, is a file I added named “secrets.txt”:
There are a few useful fields here: server_path (the full path to the file in the cloud, with the user ID prepended), parent_path (the containing folder), local_sjid (the file version number – Dropbox will store older versions of files as previous versions, accessible via the web interface or by right-clicking the file in Windows Explorer and selecting Dropbox -> View Previous Versions), and local_filename (the filename). The following screenshot shows the rest of the fields:
More useful fields here: local_size (the file size), local_mtime (the modified time of the file – in Unix/epoch time, UTC), local_ctime (the created time of the file – in Unix/epoch time, UTC), and some updated_xxxx fields which I have not been able to populate with data. They likely hold information similar to the preceding fields for files/records that have been updated on the Dropbox account.
Interesting note: When I created a new file named “secrets.txt” with new data and overwrote the old secrets.txt file in my Dropbox folder, the database maintained the original created time and updated the modified time (i.e. it did not use the created time of the new file but maintained the original created time).
And that is a quick overview of the data found within the Dropbox filecache.dbx file. Some of the other tables include host ID info and configuration information, including a “last_reindex” time (last sync time) in the config table reindex_info key.
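To show how these fields can be pulled out once the database is in plaintext, here is an added Python example (not code from our tool): it builds a constructed in-memory SQLite database shaped like the decrypted file, reads the file_journal columns described above, converts the epoch fields to UTC, and reads the last_reindex value from the config table. The exact real schema, and the assumption that reindex_info is stored as JSON text, are mine for the sake of the example.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows for a decrypted filecache.dbx. Column names follow the
# post; the exact real schema and the config value encoding are assumptions.
SAMPLE_ROWS = [
    ("/12345678/Getting Started.pdf", "/12345678", 1, "Getting Started.pdf",
     249159, 1350000000, 1350000000),
    ("/12345678/secrets.txt", "/12345678", 3, "secrets.txt",
     42, 1350207000, 1350000000),
]

def build_sample_db():
    """Create an in-memory SQLite database shaped like the decrypted filecache.dbx."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE file_journal (server_path TEXT, parent_path TEXT,
        local_sjid INTEGER, local_filename TEXT, local_size INTEGER,
        local_mtime INTEGER, local_ctime INTEGER)""")
    con.executemany("INSERT INTO file_journal VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    # Assumption: reindex_info is stored as JSON text holding a last_reindex epoch.
    con.execute("CREATE TABLE config (key TEXT, value TEXT)")
    con.execute("INSERT INTO config VALUES ('reindex_info', ?)",
                (json.dumps({"last_reindex": 1350300000}),))
    return con

def epoch_to_utc(ts):
    """Render a Unix epoch value as a UTC timestamp string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_file_journal(con):
    """One dict per file_journal row: user ID split off server_path, times as UTC."""
    rows = con.execute("""SELECT server_path, parent_path, local_sjid, local_filename,
                          local_size, local_mtime, local_ctime FROM file_journal""")
    entries = []
    for server_path, parent_path, sjid, name, size, mtime, ctime in rows:
        entries.append({
            "user_id": server_path.split("/")[1],
            "server_path": server_path, "parent_path": parent_path,
            "version": sjid, "filename": name, "size": size,
            "modified_utc": epoch_to_utc(mtime), "created_utc": epoch_to_utc(ctime),
        })
    return entries

def last_reindex_utc(con):
    """Last sync time from the config table's reindex_info key, as UTC text."""
    (value,) = con.execute("SELECT value FROM config WHERE key='reindex_info'").fetchone()
    return epoch_to_utc(json.loads(value)["last_reindex"])
```

Against a real decrypted file, replace build_sample_db() with sqlite3.connect() on the plaintext database and verify the column names before relying on the output.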
We’ve made a couple of changes to the free Dropbox decryptor tool since it first launched last week. It now accepts direct Regedit exports (.reg export file format) for the registry data, works with accounts that have no password, and supports Protect folders with multiple SIDs.
To download the latest version (v1.1), please click the button below.
And as always, please feel free to let us know what you think and how we can continue to improve IEF and our other products.
Have a great weekend,
Jad and the Magnet Team