The forensic artifacts left by Dropbox and Google Workspace on Windows endpoints, API-based investigation techniques for enterprise deployments, and the legal considerations when requesting third-party cloud storage data.
Sign in to mark this article as read and track your progress.
Cloud synchronisation services are ubiquitous in both corporate and personal environments. Dropbox, Google Drive, OneDrive, and Box create rich trails of user activity — what files were accessed, when, from which devices, and what was shared with whom. These services are both targets of investigation and sources of evidence.
When Dropbox is installed on a Windows endpoint, it leaves the following forensic artifacts:
| Artifact | Location | Forensic Value |
|---|---|---|
| Sync engine database | %APPDATA%\Dropbox\instance1\sync_engine_db.sqlite | Complete file sync history, timestamps, file hashes |
| Config database | %APPDATA%\Dropbox\instance1\config.dbx | Account email, device ID, sync preferences |
| Filecache database | %APPDATA%\Dropbox\instance1\filecache.db | Local cache of file metadata |
| Event logs | Windows Event Log (App) | Dropbox process start/stop events |
| Prefetch files | C:\Windows\Prefetch\DROPBOX.EXE-*.pf | Evidence of execution timestamps |
| LNK files | Recent files + user shell folders | Recently accessed Dropbox files |
| NTFS journal | $UsnJrnl (MFT) | File creation, rename, and deletion events |
For corporate Dropbox Business deployments, the Dropbox Business API provides:
Key investigative questions for Dropbox:
Google Drive File Stream leaves different artifacts from the native sync client:
| Artifact | Location | Forensic Value |
|---|---|---|
| File System | G:\ virtual drive or %LOCALAPPDATA%\Google\DriveFS\ | Directory listing of synced files |
| Content cache | %LOCALAPPDATA%\Google\DriveFS\[account_hash]\content_cache\ | Cached file content (LevelDB format) |
| Metadata | %LOCALAPPDATA%\Google\DriveFS\[account_hash]\metadata_sqlite_db | File metadata, sync state |
| Registry | HKCU\Software\Google\DriveFS | Account association, sync preferences |
For Google Workspace (formerly G Suite) deployments:
| Data Source | Access Method | Evidence Provided |
|---|---|---|
| Admin Console Audit Logs | admin.google.com / Reports | Drive file events, sharing events, login events |
| Google Vault | vault.google.com | Litigation hold, export of Gmail and Drive content |
| Reports API | Admin SDK | Programmatic access to audit events |
| Drive API | OAuth service account | File metadata, revision history, sharing permissions |
Google Workspace Vault is the primary tool for legal holds and evidence export:
| Capability | Dropbox Business | Google Workspace |
|---|---|---|
| Audit log retention | 180 days (Business Plus: 365 days) | 6 months (Vault extends indefinitely) |
| File version history | 180 days by default | Unlimited revision history |
| Legal hold support | Team Folder restoration | Google Vault with indefinite preservation |
| Remote wipe | Remote device unlink | Remote wipe of Google account data |
| API access for investigators | Events API + Team API | Reports API + Vault API + Drive API |
| Law enforcement cooperation | transparency.dropbox.com | transparencyreport.google.com |
When requesting data from Dropbox or Google:
Cloud storage services leave rich forensic artifacts on endpoints and maintain server-side audit logs that are often more complete than anything available on the device itself. Know the artifacts for each platform, use API-based investigation for enterprise deployments, and initiate preservation requests immediately — retention periods are finite and not extendable without legal action.