digital forensics

Performing Cloud Storage Forensic Acquisition

Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox, and Box by collecting both API-based remote data and local sync client artifacts from endpoint devices.

api-forensicsboxcloud-acquisitioncloud-forensicsdropboxendpoint-artifactsgoogle-drivemagnet-axiom
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Cloud storage forensic acquisition involves collecting digital evidence from services like Google Drive, OneDrive, Dropbox, and Box through both API-based remote acquisition and local endpoint artifact analysis. Modern investigations must address the challenge that cloud-synced files may exist in multiple states: locally synchronized, cloud-only (on-demand), cached, and deleted. Endpoint devices that have synchronized with cloud storage contain a wealth of metadata about locally synced files, files present only in the cloud, and even deleted items recoverable from cache folders. API-based acquisition using service-specific APIs provides direct access to remote data with valid credentials and proper legal authorization.

When to Use

  • When conducting security assessments that involve performing cloud storage forensic acquisition
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Legal authorization (warrant, consent, or corporate policy) for cloud data access
  • Valid user credentials or administrative access tokens
  • Magnet AXIOM Cloud, Cellebrite Cloud Analyzer, or equivalent tool
  • KAPE with cloud storage target files
  • Python 3.8+ with google-api-python-client, msal, dropbox SDK
  • Network connectivity for API-based acquisition

Acquisition Methods

Method 1: API-Based Remote Acquisition

Google Drive API Acquisition

from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build
from googleapiclient.http import MediaIoBaseDownload
import io
import os
import json
from datetime import datetime
 
 
class GoogleDriveForensicAcquisition:
    """Forensically acquire files and metadata from Google Drive via API."""
 
    def __init__(self, credentials_path: str, output_dir: str):
        self.creds = Credentials.from_authorized_user_file(credentials_path)
        self.service = build("drive", "v3", credentials=self.creds)
        self.output_dir = output_dir
        os.makedirs(output_dir, exist_ok=True)
        self.acquisition_log = []
 
    def list_all_files(self, include_trashed: bool = True) -> list:
        """List all files including trashed items."""
        files = []
        page_token = None
        query = "" if include_trashed else "trashed = false"
 
        while True:
            results = self.service.files().list(
                q=query,
                pageSize=1000,
                fields="nextPageToken, files(id, name, mimeType, size, "
                       "createdTime, modifiedTime, trashed, trashedTime, "
                       "owners, sharingUser, permissions, md5Checksum, "
                       "parents, webViewLink, driveId)",
                pageToken=page_token
            ).execute()
 
            files.extend(results.get("files", []))
            page_token = results.get("nextPageToken")
            if not page_token:
                break
 
        return files
 
    def download_file(self, file_id: str, file_name: str, mime_type: str) -> str:
        """Download a file from Google Drive preserving forensic integrity."""
        output_path = os.path.join(self.output_dir, file_name)
 
        if mime_type.startswith("application/vnd.google-apps"):
            export_formats = {
                "application/vnd.google-apps.document": "application/pdf",
                "application/vnd.google-apps.spreadsheet": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                "application/vnd.google-apps.presentation": "application/pdf",
            }
            export_mime = export_formats.get(mime_type, "application/pdf")
            request = self.service.files().export_media(fileId=file_id, mimeType=export_mime)
        else:
            request = self.service.files().get_media(fileId=file_id)
 
        with io.FileIO(output_path, "wb") as fh:
            downloader = MediaIoBaseDownload(fh, request)
            done = False
            while not done:
                _, done = downloader.next_chunk()
 
        self.acquisition_log.append({
            "timestamp": datetime.utcnow().isoformat(),
            "file_id": file_id,
            "file_name": file_name,
            "output_path": output_path,
            "action": "downloaded"
        })
        return output_path
 
    def get_activity_log(self, file_id: str) -> list:
        """Retrieve activity/revision history for a specific file."""
        revisions = self.service.revisions().list(
            fileId=file_id,
            fields="revisions(id, modifiedTime, lastModifyingUser, size, md5Checksum)"
        ).execute()
        return revisions.get("revisions", [])
 
    def export_acquisition_report(self) -> str:
        """Export acquisition log for chain of custody documentation."""
        report_path = os.path.join(self.output_dir, "acquisition_log.json")
        with open(report_path, "w") as f:
            json.dump({
                "acquisition_start": self.acquisition_log[0]["timestamp"] if self.acquisition_log else None,
                "acquisition_end": datetime.utcnow().isoformat(),
                "total_files": len(self.acquisition_log),
                "entries": self.acquisition_log
            }, f, indent=2)
        return report_path

OneDrive / Microsoft 365 API Acquisition

import msal
import requests
import os
import json
from datetime import datetime
 
 
class OneDriveForensicAcquisition:
    """Forensically acquire files and metadata from OneDrive via Microsoft Graph API."""
 
    def __init__(self, client_id: str, tenant_id: str, client_secret: str, output_dir: str):
        self.output_dir = output_dir
        os.makedirs(output_dir, exist_ok=True)
 
        authority = f"https://login.microsoftonline.com/{tenant_id}"
        self.app = msal.ConfidentialClientApplication(
            client_id, authority=authority, client_credential=client_secret
        )
        token_result = self.app.acquire_token_for_client(
            scopes=["https://graph.microsoft.com/.default"]
        )
        self.access_token = token_result.get("access_token")
        self.headers = {"Authorization": f"Bearer {self.access_token}"}
        self.base_url = "https://graph.microsoft.com/v1.0"
 
    def list_user_files(self, user_id: str) -> list:
        """List all files in user's OneDrive."""
        url = f"{self.base_url}/users/{user_id}/drive/root/children"
        files = []
        while url:
            response = requests.get(url, headers=self.headers)
            data = response.json()
            files.extend(data.get("value", []))
            url = data.get("@odata.nextLink")
        return files
 
    def download_file(self, user_id: str, item_id: str, filename: str) -> str:
        """Download a file from OneDrive."""
        url = f"{self.base_url}/users/{user_id}/drive/items/{item_id}/content"
        response = requests.get(url, headers=self.headers, stream=True)
        output_path = os.path.join(self.output_dir, filename)
        with open(output_path, "wb") as f:
            for chunk in response.iter_content(chunk_size=8192):
                f.write(chunk)
        return output_path
 
    def get_deleted_items(self, user_id: str) -> list:
        """Retrieve items from OneDrive recycle bin."""
        url = f"{self.base_url}/users/{user_id}/drive/special/recyclebin/children"
        response = requests.get(url, headers=self.headers)
        return response.json().get("value", [])

Method 2: Local Endpoint Artifact Collection

KAPE Targets for Cloud Storage

# Collect all cloud storage artifacts using KAPE
kape.exe --tsource C: --tdest C:\Output\CloudArtifacts --target GoogleDrive,OneDrive,Dropbox,Box
 
# OneDrive artifacts
# %USERPROFILE%\AppData\Local\Microsoft\OneDrive\logs\
# %USERPROFILE%\AppData\Local\Microsoft\OneDrive\settings\
# %USERPROFILE%\OneDrive\
 
# Google Drive artifacts
# %USERPROFILE%\AppData\Local\Google\DriveFS\
# Contains metadata SQLite databases and cached files
 
# Dropbox artifacts
# %USERPROFILE%\AppData\Local\Dropbox\
# %USERPROFILE%\Dropbox\.dropbox.cache\
# Contains filecache.dbx (encrypted SQLite), host.dbx, config.dbx

OneDrive Local Database Analysis

import sqlite3
import os
 
def analyze_onedrive_sync_engine(db_path: str) -> list:
    """Analyze OneDrive SyncEngineDatabase for file metadata."""
    conn = sqlite3.connect(db_path)
    cursor = conn.cursor()
 
    # Query for all tracked files including cloud-only items
    cursor.execute("""
        SELECT fileName, fileSize, lastChange,
               resourceID, parentResourceID, eTag
        FROM od_ClientFile_Records
        ORDER BY lastChange DESC
    """)
 
    files = []
    for row in cursor.fetchall():
        files.append({
            "filename": row[0],
            "size": row[1],
            "last_change": row[2],
            "resource_id": row[3],
            "parent_id": row[4],
            "etag": row[5]
        })
 
    conn.close()
    return files

Cloud Storage Artifacts Summary

Service Local Database Cache Location Log Files
OneDrive SyncEngineDatabase.db %LOCALAPPDATA%\Microsoft\OneDrive\cache\ %LOCALAPPDATA%\Microsoft\OneDrive\logs\
Google Drive metadata_sqlite_db %LOCALAPPDATA%\Google\DriveFS{account}\content_cache\ %LOCALAPPDATA%\Google\DriveFS\Logs\
Dropbox filecache.dbx (encrypted) %APPDATA%\Dropbox.dropbox.cache\ %APPDATA%\Dropbox\logs\
Box sync_db %LOCALAPPDATA%\Box\Box\cache\ %LOCALAPPDATA%\Box\Box\logs\

References

Example Output

$ python3 cloud_forensic_acquire.py --provider google-drive --auth /tokens/gdrive_token.json \
    --user jsmith@corporate.com --output /acquisition/gdrive
 
Cloud Storage Forensic Acquisition Tool v3.2
==============================================
Provider:    Google Drive
Account:     jsmith@corporate.com
Start Time:  2024-01-19 08:00:15 UTC
Auth Method: Admin SDK (domain-wide delegation)
 
[+] Enumerating files...
    Total files:        2,345
    Total folders:      178
    Shared with me:     456
    Trashed items:      89 (included in acquisition)
    Total size:         14.7 GB
 
[+] Acquiring file contents...
    Downloaded:    2,345 / 2,345  [████████████████████████████████] 100%
    Errors:        0
    Elapsed:       18m 32s
 
[+] Acquiring metadata...
    File metadata:      2,345 entries
    Revision history:   8,912 revisions across 1,234 files
    Sharing permissions: 3,456 permission entries
    Activity log:       12,345 events
 
[+] Acquiring trashed items...
    Recovered:     89 / 89 items (234 MB)
 
--- Acquisition Log ---
Timestamp (UTC)          | Action           | File                                    | Size    | SHA-256
2024-01-19 08:00:45      | Downloaded       | /My Drive/Finance/Q4_Report.xlsm        | 245 KB  | 7a3b8c9d...
2024-01-19 08:00:46      | Downloaded       | /My Drive/Finance/Budget_2024.xlsx       | 1.2 MB  | 8b4c9d0e...
...
2024-01-19 08:02:12      | Trash-Recovered  | /Trash/employee_list_full.csv            | 4.5 MB  | 9c5d0e1f...
2024-01-19 08:02:13      | Trash-Recovered  | /Trash/network_diagram_v3.vsdx          | 2.1 MB  | 0d6e1f2a...
2024-01-19 08:02:14      | Trash-Recovered  | /Trash/credentials_backup.kdbx          | 128 KB  | 1e7f2a3b...
 
--- Sharing Analysis ---
Files Shared Externally:
  /My Drive/Finance/Q4_Report.xlsm     → j.smith.personal8842@protonmail.com (2024-01-16 03:10 UTC)
  /My Drive/HR/employee_list_full.csv   → j.smith.personal8842@protonmail.com (2024-01-16 03:12 UTC)
  /My Drive/IT/network_diagram_v3.vsdx  → anonymous (link sharing, 2024-01-16 03:15 UTC)
 
--- Revision History (Suspicious) ---
File: /My Drive/Finance/Q4_Report.xlsm
  Rev 1:  2024-01-10 09:00:00 UTC  (245 KB)  - Original
  Rev 2:  2024-01-15 14:35:00 UTC  (248 KB)  - Modified (macro added)
  Rev 3:  2024-01-16 03:05:00 UTC  (245 KB)  - Reverted (macro removed - anti-forensics)
 
Acquisition Summary:
  Files acquired:       2,345 (14.7 GB)
  Trashed items:        89 (234 MB)
  Revisions:            8,912
  Chain of custody hash (full archive):
    SHA-256: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
  Output directory:     /acquisition/gdrive/
  Acquisition log:      /acquisition/gdrive/acquisition_log.csv
  Completion Time:      2024-01-19 08:18:47 UTC
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md6.0 KB

API Reference: Cloud Storage Forensic Acquisition

Libraries Used

Library Purpose
boto3 AWS S3 object listing, download, and versioning
json Parse object metadata and access logs
hashlib Generate SHA-256 hashes for evidence integrity
datetime Filter objects by time range for incident scope

Installation

pip install boto3

Authentication

import boto3
import os
 
session = boto3.Session(
    aws_access_key_id=os.environ.get("AWS_ACCESS_KEY_ID"),
    aws_secret_access_key=os.environ.get("AWS_SECRET_ACCESS_KEY"),
    region_name=os.environ.get("AWS_REGION", "us-east-1"),
)
 
s3 = session.client("s3")

AWS S3 Forensic Operations

List All Object Versions (Including Deleted)

def list_all_versions(bucket, prefix=""):
    """List all object versions including delete markers for forensic timeline."""
    paginator = s3.get_paginator("list_object_versions")
    versions = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for v in page.get("Versions", []):
            versions.append({
                "key": v["Key"],
                "version_id": v["VersionId"],
                "last_modified": v["LastModified"].isoformat(),
                "size": v["Size"],
                "is_latest": v["IsLatest"],
                "etag": v["ETag"],
            })
        for dm in page.get("DeleteMarkers", []):
            versions.append({
                "key": dm["Key"],
                "version_id": dm["VersionId"],
                "last_modified": dm["LastModified"].isoformat(),
                "is_delete_marker": True,
                "is_latest": dm["IsLatest"],
            })
    return sorted(versions, key=lambda v: v["last_modified"])

Download Object with Integrity Verification

import hashlib
 
def forensic_download(bucket, key, output_path, version_id=None):
    """Download an S3 object and compute SHA-256 hash for chain of custody."""
    params = {"Bucket": bucket, "Key": key}
    if version_id:
        params["VersionId"] = version_id
 
    resp = s3.get_object(**params)
    sha256 = hashlib.sha256()
 
    with open(output_path, "wb") as f:
        for chunk in resp["Body"].iter_chunks(chunk_size=8192):
            f.write(chunk)
            sha256.update(chunk)
 
    return {
        "key": key,
        "version_id": version_id,
        "output_path": output_path,
        "sha256": sha256.hexdigest(),
        "content_type": resp.get("ContentType"),
        "last_modified": resp["LastModified"].isoformat(),
        "metadata": resp.get("Metadata", {}),
    }

Recover Deleted Objects

def recover_deleted_objects(bucket, prefix=""):
    """Find and restore objects with delete markers."""
    recovered = []
    paginator = s3.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        for dm in page.get("DeleteMarkers", []):
            if dm["IsLatest"]:
                # Remove delete marker to restore the object
                s3.delete_object(
                    Bucket=bucket,
                    Key=dm["Key"],
                    VersionId=dm["VersionId"],
                )
                recovered.append({
                    "key": dm["Key"],
                    "delete_marker_removed": dm["VersionId"],
                })
    return recovered

Get S3 Access Logs for Incident Timeline

def get_access_logs(log_bucket, prefix, start_time, end_time):
    """Parse S3 access logs to build forensic timeline."""
    paginator = s3.get_paginator("list_objects_v2")
    log_entries = []
    for page in paginator.paginate(Bucket=log_bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            if start_time <= obj["LastModified"].isoformat() <= end_time:
                resp = s3.get_object(Bucket=log_bucket, Key=obj["Key"])
                content = resp["Body"].read().decode("utf-8")
                for line in content.strip().split("\n"):
                    log_entries.append(line)
    return log_entries

Acquire Bucket Metadata

def acquire_bucket_metadata(bucket):
    """Collect all bucket configuration for forensic evidence."""
    metadata = {"bucket": bucket}
 
    metadata["versioning"] = s3.get_bucket_versioning(Bucket=bucket)
    metadata["encryption"] = s3.get_bucket_encryption(Bucket=bucket).get(
        "ServerSideEncryptionConfiguration", {}
    )
    try:
        metadata["logging"] = s3.get_bucket_logging(Bucket=bucket).get("LoggingEnabled", {})
    except Exception:
        metadata["logging"] = None
    try:
        metadata["lifecycle"] = s3.get_bucket_lifecycle_configuration(Bucket=bucket).get("Rules", [])
    except Exception:
        metadata["lifecycle"] = []
    try:
        metadata["policy"] = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except Exception:
        metadata["policy"] = None
 
    return metadata

Evidence Chain of Custody

import json
from datetime import datetime, timezone
 
def create_chain_of_custody(evidence_items):
    """Generate a chain-of-custody record for acquired evidence."""
    record = {
        "acquisition_time": datetime.now(timezone.utc).isoformat(),
        "examiner": os.environ.get("EXAMINER_NAME", "automated"),
        "case_id": os.environ.get("CASE_ID", "unknown"),
        "items": [],
    }
    for item in evidence_items:
        record["items"].append({
            "source": f"s3://{item['bucket']}/{item['key']}",
            "local_path": item["output_path"],
            "sha256": item["sha256"],
            "acquired_at": datetime.now(timezone.utc).isoformat(),
        })
    return record

Output Format

{
  "bucket": "incident-bucket",
  "acquisition_time": "2025-01-15T10:30:00Z",
  "total_objects": 1542,
  "total_versions": 3891,
  "deleted_objects_recovered": 23,
  "evidence_items": [
    {
      "key": "sensitive/data.csv",
      "version_id": "abc123",
      "sha256": "a1b2c3d4e5f6...",
      "last_modified": "2025-01-14T08:00:00Z"
    }
  ]
}
standards.md0.8 KB

Standards - Cloud Storage Forensic Acquisition

Standards

  • NIST SP 800-86: Guide to Integrating Forensic Techniques
  • ISO/IEC 27037: Digital Evidence Collection
  • NIST Cloud Computing Forensic Science Challenges (NISTIR 8006)
  • CSA Cloud Forensics Capability Implementation Guide

Tools

  • Magnet AXIOM Cloud: Commercial multi-cloud acquisition
  • Cellebrite Cloud Analyzer: SaaS evidence collection
  • kumodd: Open-source proof-of-concept cloud acquisition tool
  • KAPE: Endpoint-based cloud artifact collection

API References

workflows.md0.8 KB

Workflows - Cloud Storage Forensic Acquisition

Workflow 1: API-Based Remote Acquisition

Obtain legal authorization and credentials
    |
Authenticate via service API (OAuth2 / app credentials)
    |
Enumerate all files including shared and trashed items
    |
Download file contents preserving metadata
    |
Collect revision history and activity logs
    |
Hash all acquired files (SHA-256)
    |
Generate acquisition log with timestamps

Workflow 2: Endpoint Artifact Collection

Identify cloud sync client installations
    |
Collect local sync databases (KAPE cloud targets)
    |
Parse sync engine databases (OneDrive, GDrive, Dropbox)
    |
Identify cloud-only files from metadata
    |
Recover cached and deleted files from local storage
    |
Correlate local artifacts with API-acquired data

Scripts 2

agent.py10.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Cloud storage forensic acquisition agent.

Acquires forensic copies of cloud storage objects from AWS S3, Azure Blob
Storage, and GCP Cloud Storage with integrity verification using SHA-256
hashes, metadata preservation, and chain-of-custody logging.
"""
import argparse
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

try:
    import boto3
    from botocore.exceptions import ClientError
    HAS_BOTO3 = True
except ImportError:
    HAS_BOTO3 = False


def acquire_s3_objects(bucket, prefix="", output_dir=".", profile=None, region=None):
    """Acquire S3 objects with forensic integrity verification."""
    if not HAS_BOTO3:
        print("[!] boto3 required: pip install boto3", file=sys.stderr)
        sys.exit(1)

    kwargs = {}
    if profile:
        kwargs["profile_name"] = profile
    if region:
        kwargs["region_name"] = region
    session = boto3.Session(**kwargs)
    s3 = session.client("s3")

    print(f"[*] Acquiring objects from s3://{bucket}/{prefix}")
    evidence_log = []

    # List objects
    paginator = s3.get_paginator("list_objects_v2")
    pages = paginator.paginate(Bucket=bucket, Prefix=prefix)

    total_objects = 0
    total_bytes = 0

    for page in pages:
        for obj in page.get("Contents", []):
            key = obj["Key"]
            size = obj["Size"]
            if key.endswith("/"):
                continue

            total_objects += 1
            local_path = os.path.join(output_dir, key.replace("/", os.sep))
            os.makedirs(os.path.dirname(local_path), exist_ok=True)

            # Get object metadata
            try:
                head = s3.head_object(Bucket=bucket, Key=key)
                metadata = {
                    "content_type": head.get("ContentType", ""),
                    "last_modified": head.get("LastModified", "").isoformat()
                                     if hasattr(head.get("LastModified", ""), "isoformat")
                                     else str(head.get("LastModified", "")),
                    "etag": head.get("ETag", "").strip('"'),
                    "version_id": head.get("VersionId", ""),
                    "server_side_encryption": head.get("ServerSideEncryption", ""),
                    "storage_class": head.get("StorageClass", "STANDARD"),
                    "user_metadata": head.get("Metadata", {}),
                }
            except ClientError as e:
                metadata = {"error": str(e)}

            # Download with hash computation
            sha256 = hashlib.sha256()
            try:
                s3.download_file(bucket, key, local_path)
                with open(local_path, "rb") as f:
                    while True:
                        chunk = f.read(8192)
                        if not chunk:
                            break
                        sha256.update(chunk)
                file_hash = sha256.hexdigest()
                total_bytes += size

                entry = {
                    "source": f"s3://{bucket}/{key}",
                    "local_path": local_path,
                    "size": size,
                    "sha256": file_hash,
                    "metadata": metadata,
                    "acquired_at": datetime.now(timezone.utc).isoformat(),
                    "status": "OK",
                }
                print(f"    [{total_objects:4d}] {key} ({size} bytes, SHA256: {file_hash[:16]}...)")
            except ClientError as e:
                entry = {
                    "source": f"s3://{bucket}/{key}",
                    "status": "FAIL",
                    "error": str(e),
                    "acquired_at": datetime.now(timezone.utc).isoformat(),
                }
                print(f"    [FAIL] {key}: {e}")

            evidence_log.append(entry)

    print(f"[+] Acquired {total_objects} objects ({total_bytes / 1024 / 1024:.2f} MB)")
    return evidence_log


def acquire_s3_versions(bucket, key, output_dir=".", profile=None, region=None):
    """Acquire all versions of a specific S3 object."""
    if not HAS_BOTO3:
        print("[!] boto3 required", file=sys.stderr)
        sys.exit(1)

    kwargs = {}
    if profile:
        kwargs["profile_name"] = profile
    if region:
        kwargs["region_name"] = region
    session = boto3.Session(**kwargs)
    s3 = session.client("s3")

    print(f"[*] Acquiring all versions of s3://{bucket}/{key}")
    evidence_log = []

    try:
        versions = s3.list_object_versions(Bucket=bucket, Prefix=key)
    except ClientError as e:
        print(f"[!] Error listing versions: {e}", file=sys.stderr)
        return evidence_log

    for version in versions.get("Versions", []):
        vid = version.get("VersionId", "null")
        size = version.get("Size", 0)
        is_latest = version.get("IsLatest", False)

        safe_vid = vid.replace("/", "_")[:20]
        base_name = os.path.basename(key)
        local_path = os.path.join(output_dir, f"{base_name}.v_{safe_vid}")

        try:
            s3.download_file(bucket, key, local_path,
                             ExtraArgs={"VersionId": vid} if vid != "null" else {})
            sha256 = hashlib.sha256()
            with open(local_path, "rb") as f:
                while True:
                    chunk = f.read(8192)
                    if not chunk:
                        break
                    sha256.update(chunk)

            entry = {
                "source": f"s3://{bucket}/{key}?versionId={vid}",
                "version_id": vid,
                "is_latest": is_latest,
                "local_path": local_path,
                "size": size,
                "sha256": sha256.hexdigest(),
                "last_modified": str(version.get("LastModified", "")),
                "acquired_at": datetime.now(timezone.utc).isoformat(),
                "status": "OK",
            }
            print(f"    Version {vid[:12]:12s} | {size:10d} bytes | "
                  f"{'LATEST' if is_latest else '      '} | SHA256: {sha256.hexdigest()[:16]}...")
        except ClientError as e:
            entry = {"source": f"s3://{bucket}/{key}", "version_id": vid,
                     "status": "FAIL", "error": str(e)}

        evidence_log.append(entry)

    # Also acquire delete markers
    for marker in versions.get("DeleteMarkers", []):
        evidence_log.append({
            "source": f"s3://{bucket}/{key}",
            "version_id": marker.get("VersionId", ""),
            "type": "DELETE_MARKER",
            "last_modified": str(marker.get("LastModified", "")),
            "is_latest": marker.get("IsLatest", False),
        })

    return evidence_log


def verify_integrity(evidence_log):
    """Verify SHA-256 hashes of acquired files."""
    print(f"\n[*] Verifying integrity of {len(evidence_log)} acquired objects...")
    verified = 0
    failed = 0

    for entry in evidence_log:
        if entry.get("status") != "OK" or not entry.get("local_path"):
            continue
        local_path = entry["local_path"]
        expected_hash = entry.get("sha256", "")
        if not os.path.isfile(local_path):
            entry["integrity"] = "MISSING"
            failed += 1
            continue

        sha256 = hashlib.sha256()
        with open(local_path, "rb") as f:
            while True:
                chunk = f.read(8192)
                if not chunk:
                    break
                sha256.update(chunk)

        if sha256.hexdigest() == expected_hash:
            entry["integrity"] = "VERIFIED"
            verified += 1
        else:
            entry["integrity"] = "MISMATCH"
            failed += 1
            print(f"    [FAIL] {local_path}: hash mismatch")

    print(f"[+] Integrity check: {verified} verified, {failed} failed")
    return verified, failed


def format_summary(evidence_log, verified, failed):
    """Print acquisition summary."""
    print(f"\n{'='*60}")
    print(f"  Cloud Storage Forensic Acquisition Report")
    print(f"{'='*60}")
    ok = sum(1 for e in evidence_log if e.get("status") == "OK")
    err = sum(1 for e in evidence_log if e.get("status") == "FAIL")
    total_bytes = sum(e.get("size", 0) for e in evidence_log if e.get("status") == "OK")
    print(f"  Objects Acquired : {ok}")
    print(f"  Objects Failed   : {err}")
    print(f"  Total Size       : {total_bytes / 1024 / 1024:.2f} MB")
    print(f"  Integrity OK     : {verified}")
    print(f"  Integrity FAIL   : {failed}")


def main():
    parser = argparse.ArgumentParser(
        description="Cloud storage forensic acquisition agent"
    )
    sub = parser.add_subparsers(dest="command")

    p_s3 = sub.add_parser("s3", help="Acquire S3 bucket objects")
    p_s3.add_argument("--bucket", required=True, help="S3 bucket name")
    p_s3.add_argument("--prefix", default="", help="Object key prefix filter")
    p_s3.add_argument("--output-dir", default="./evidence", help="Local output directory")

    p_ver = sub.add_parser("s3-versions", help="Acquire all versions of S3 object")
    p_ver.add_argument("--bucket", required=True)
    p_ver.add_argument("--key", required=True, help="S3 object key")
    p_ver.add_argument("--output-dir", default="./evidence")

    parser.add_argument("--profile", help="AWS CLI profile")
    parser.add_argument("--region", help="AWS region")
    parser.add_argument("--skip-verify", action="store_true", help="Skip integrity verification")
    parser.add_argument("--output", "-o", help="Output JSON report path")
    parser.add_argument("--verbose", "-v", action="store_true")
    args = parser.parse_args()

    if not args.command:
        parser.print_help()
        sys.exit(1)

    os.makedirs(getattr(args, "output_dir", "./evidence"), exist_ok=True)

    if args.command == "s3":
        evidence_log = acquire_s3_objects(
            args.bucket, args.prefix, args.output_dir, args.profile, args.region
        )
    elif args.command == "s3-versions":
        evidence_log = acquire_s3_versions(
            args.bucket, args.key, args.output_dir, args.profile, args.region
        )

    verified, failed = 0, 0
    if not args.skip_verify:
        verified, failed = verify_integrity(evidence_log)

    format_summary(evidence_log, verified, failed)

    report = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tool": "Cloud Forensic Acquisition",
        "command": args.command,
        "evidence_log": evidence_log,
        "integrity": {"verified": verified, "failed": failed},
    }

    if args.output:
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2)
        print(f"\n[+] Report saved to {args.output}")
    elif args.verbose:
        print(json.dumps(report, indent=2))


if __name__ == "__main__":
    main()
process.py4.8 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Cloud Storage Forensic Acquisition Processor

Collects and analyzes local cloud storage sync client artifacts
from endpoint devices for OneDrive, Google Drive, and Dropbox.
"""

import sqlite3
import os
import sys
import json
import hashlib
from datetime import datetime
from pathlib import Path


class CloudStorageArtifactCollector:
    """Collect and analyze local cloud storage sync artifacts."""

    def __init__(self, evidence_root: str, output_dir: str):
        self.evidence_root = Path(evidence_root)
        self.output_dir = Path(output_dir)
        self.output_dir.mkdir(parents=True, exist_ok=True)
        self.findings = {}

    def find_onedrive_artifacts(self) -> dict:
        """Locate and parse OneDrive sync artifacts."""
        onedrive_paths = [
            "AppData/Local/Microsoft/OneDrive/settings",
            "AppData/Local/Microsoft/OneDrive/logs",
        ]
        artifacts = {"databases": [], "logs": [], "config_files": []}

        for user_dir in self.evidence_root.glob("Users/*"):
            for rel_path in onedrive_paths:
                full_path = user_dir / rel_path
                if full_path.exists():
                    for f in full_path.rglob("*"):
                        if f.is_file():
                            category = "databases" if f.suffix in (".db", ".dat") else "logs"
                            artifacts[category].append(str(f))

        # Try to parse SyncEngineDatabase
        for db_path in artifacts["databases"]:
            if "SyncEngineDatabase" in db_path:
                try:
                    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
                    cursor = conn.cursor()
                    cursor.execute("SELECT name FROM sqlite_master WHERE type='table'")
                    artifacts["sync_tables"] = [r[0] for r in cursor.fetchall()]
                    conn.close()
                except Exception as e:
                    artifacts["sync_error"] = str(e)

        return artifacts

    def find_google_drive_artifacts(self) -> dict:
        """Locate and parse Google Drive FS artifacts."""
        artifacts = {"databases": [], "cache_files": [], "logs": []}

        for user_dir in self.evidence_root.glob("Users/*"):
            gdrive_path = user_dir / "AppData/Local/Google/DriveFS"
            if gdrive_path.exists():
                for f in gdrive_path.rglob("*"):
                    if f.is_file():
                        if "metadata_sqlite_db" in f.name:
                            artifacts["databases"].append(str(f))
                        elif "content_cache" in str(f):
                            artifacts["cache_files"].append(str(f))
                        elif f.suffix == ".log":
                            artifacts["logs"].append(str(f))

        return artifacts

    def find_dropbox_artifacts(self) -> dict:
        """Locate and parse Dropbox artifacts."""
        artifacts = {"databases": [], "cache_files": [], "config": []}

        for user_dir in self.evidence_root.glob("Users/*"):
            dropbox_path = user_dir / "AppData/Local/Dropbox"
            if dropbox_path.exists():
                for f in dropbox_path.rglob("*"):
                    if f.is_file():
                        if f.suffix in (".dbx", ".db"):
                            artifacts["databases"].append(str(f))
                        elif "cache" in str(f).lower():
                            artifacts["cache_files"].append(str(f))

            dropbox_cache = user_dir / "Dropbox/.dropbox.cache"
            if dropbox_cache.exists():
                for f in dropbox_cache.rglob("*"):
                    if f.is_file():
                        artifacts["cache_files"].append(str(f))

        return artifacts

    def generate_report(self) -> str:
        """Generate comprehensive cloud storage artifact report."""
        self.findings = {
            "analysis_timestamp": datetime.now().isoformat(),
            "evidence_root": str(self.evidence_root),
            "onedrive": self.find_onedrive_artifacts(),
            "google_drive": self.find_google_drive_artifacts(),
            "dropbox": self.find_dropbox_artifacts(),
        }

        report_path = self.output_dir / "cloud_storage_artifacts.json"
        with open(report_path, "w") as f:
            json.dump(self.findings, f, indent=2)

        for service in ["onedrive", "google_drive", "dropbox"]:
            data = self.findings[service]
            db_count = len(data.get("databases", []))
            print(f"[*] {service}: {db_count} databases found")

        print(f"[*] Report: {report_path}")
        return str(report_path)


def main():
    if len(sys.argv) < 3:
        print("Usage: python process.py <evidence_root> <output_dir>")
        sys.exit(1)
    collector = CloudStorageArtifactCollector(sys.argv[1], sys.argv[2])
    collector.generate_report()


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 0.5 KB
Keep exploring