Cloud Forensics: Box Part 2

In the previous post (accessible here), we introduced Box, the various applications we can use with it, and browsing artifacts generated by it. In this post, we will introduce Box Edit and Box Sync which can be used to interact with Box locally on Windows. Let’s jump right in with Box Edit.

Box Edit

Box Edit allows you to edit files on Box using native applications. It is not a standalone solution. It does still require that you interact with Box in the browser but allows you to edit files that, without it, you would not be able to edit in the browser. For example, while Box does allow you to edit some files online, such as Microsoft Office and Google Drive products, others like photos or text files cannot be edited.

With Box Edit installed, you can edit these files online and it will automatically open them with the appropriate local application. For example, choosing to edit a photo online with Box Edit will cause it to be opened on your local machine with Microsoft Paint. The exact application may differ based on your configurations and environment. Any saved changes will be uploaded to the file on Box.

Following the prompts to install Box Edit will result in downloading and executing a file called BoxToolsInstaller.exe. This will install two components: Box Edit and Box Local Com Service. You will likely see prefetch and other forensic artifacts related to application execution for these items. For example, Box Edit and Box Local Com Server values are added to the User’s Run registry key (HKU\Software\Microsoft\Windows\CurrentVersion\Run). Additionally, Box Edit and Box Local Com Server sub-keys are added to the Box key in the User’s registry hive (HKU\Software\Box). These keys contain little more than the version of the application (v.3.2.13.1660 in our case) and some other configuration values.

These applications do a great job logging their own activity. Both applications have separate folders and data stored in AppData (C:\Users\[User]\AppData\Local\Box). The table below summarizes the location and names of these log files for each application. Timestamps in these logs are recorded in the machine’s local time.

Application Name       Directory                                      Example Log Name
Box Edit               …\AppData\Local\Box\Box Edit\Logs              BoxEdit_YYYY-MM-DD.log
Box Local Com Server   …\AppData\Local\Box\Box Local Com Server\Logs  Box_Local_Com_Service_MMDDYYYY.log

These logs, especially the Box Edit log, retain a great deal of information. The Box Local Com Server log records network and connection debugging information for related applications (e.g. Box Edit). The Box Edit log includes the application launch times, the file IDs of the files being edited, whether the files were updated successfully, etc. It does not record the names of the files being edited. Instead, this information can be obtained from the related browsing artifacts (as discussed in the first Box post). We will explore the specific log entries of interest in two weeks when we develop a script to quickly process the logs into an easy-to-analyze format.

The Documents folder (…\AppData\Local\Box\Box Edit\Documents) contains a number of Base64-named folders, each of which represents an MD5 hash specific to an edited file. Within each folder, there will be a cached copy of the file with its filename intact, and within the “.metdata” subfolder, separate text files for the file ID, file name, last access time, SHA1 hash of the file, and more. Expect to also see normal forensic artifacts related to opening and modifying files. The creation date of the cached file will reflect when it was first edited on the system. The modified date of the cached file will reflect when it was last edited on the system. This is different from the Box Sync created and modified timestamps, which are inherited from and synced with the created and modified timestamps of the file on the Box website.

It is important to note that items within the Box Edit Documents folder are temporary. Box Edit will delete cached versions of files after some time. However, when this happens, there will be an entry in the Box Edit log that specifies which file is being deleted by file ID. You can expect to see a message like the one below in the log when a cached file is deleted:

[2017-03-11 21:11:46,544] [1    ] [INFO ] [] - [BoxFileManager] File 131652335724 is too old, deleting now...
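As an added example (not code from the original post or from Box), here is a small parser for the Box Edit log layout shown above. It splits each line into timestamp, thread, level, component and message, pulls out the numeric file ID wherever the message mentions one, and flags the “too old, deleting now” cache purge so you can pair a file ID with the local time its cached copy disappeared. The deletion line is the one quoted above; the other sample lines are constructed for illustration and are not real Box Edit output. Timestamps are left naive because, as noted earlier, the log records the machine’s local time.

```python
import re
from datetime import datetime

# Constructed sample in the Box Edit log layout. The deletion line is the one
# quoted in the post; the other lines are invented for this example.
SAMPLE_LOG = """\
[2017-03-11 21:05:02,101] [1    ] [INFO ] [] - [BoxEditService] Box Edit started
[2017-03-11 21:07:15,330] [4    ] [INFO ] [] - [BoxFileManager] File 131652335724 downloaded for editing
[2017-03-11 21:11:46,544] [1    ] [INFO ] [] - [BoxFileManager] File 131652335724 is too old, deleting now...
this line is deliberately malformed and must be counted, not silently dropped
"""

# [timestamp] [thread] [LEVEL] [context] - [Component] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]\s+"
    r"\[(?P<thread>[^\]]*)\]\s+\[(?P<level>[^\]]*)\]\s+\[(?P<ctx>[^\]]*)\]\s+-\s+"
    r"\[(?P<component>[^\]]+)\]\s+(?P<message>.*)$"
)
FILE_ID_RE = re.compile(r"\bFile (?P<file_id>\d+)\b")
DELETE_RE = re.compile(r"File (?P<file_id>\d+) is too old, deleting now")


def parse_box_edit_log(text):
    """Return (entries, skipped): one dict per parseable line plus a count of
    lines that did not match, so a truncated or rotated log is noticed."""
    entries, skipped = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        # Local machine time, so no timezone is attached here.
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
        d["thread"] = d["thread"].strip()
        d["level"] = d["level"].strip()
        fid = FILE_ID_RE.search(d["message"])
        d["file_id"] = fid.group("file_id") if fid else None
        d["cache_deleted"] = bool(DELETE_RE.search(d["message"]))
        entries.append(d)
    return entries, skipped


def cache_deletions(entries):
    """Map Box file ID -> local timestamp at which Box Edit purged its cached copy."""
    return {e["file_id"]: e["ts"] for e in entries if e["cache_deleted"]}


if __name__ == "__main__":
    parsed, bad = parse_box_edit_log(SAMPLE_LOG)
    for file_id, when in cache_deletions(parsed).items():
        print(f"cached copy of file {file_id} deleted at {when.isoformat()}")
    print(f"{len(parsed)} entries parsed, {bad} unparseable line(s)")
```

Point the parser at the real BoxEdit_YYYY-MM-DD.log files and the resulting file IDs can be matched against the file-ID text files in the .metdata subfolders and against the browsing artifacts from the first post to recover the filenames.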

Finally, let’s discuss Box Sync and the forensic artifacts associated with it.

Box Sync

Box Sync allows a user to have a folder whose contents are synced between Box and the local machine. This application is installed with BoxSyncSetup.exe and after installation, by default, creates and syncs Box data to the C:\Users\[User]\Box Sync folder. Unlike the Box Edit cached files, the created and modified timestamps of files in the Box Sync folder will match those reflected on Box. Initially, Box Sync only syncs down the files in the root folder of the Box account. It does not initially sync down files within any sub-folders from the Box service. The user must go to Box in a browser and, under the Properties option for the folder, select “Sync to Computer”. It will, however, sync folders that the user creates or copies into the local machine’s Box Sync directory.

Box has its own Box Sync folder in AppData (…\AppData\Local\Box Sync). This folder contains databases (which we will discuss momentarily), a sub-folder of logs, and a few other items. Similar to Box Edit, the logs for Box Sync hold much evidentiary value. These logs are a little denser than the Box Edit logs but do log what actions the user takes. The main Box log, Box Sync-4.0.7791.log in my test, is what we will focus on as it contains a number of important pieces of data.

The Box Sync log contains authentication entries that tell us the name of the user, their email, and the Box ID associated with the Sync folder at a given time. See the entry below for an example:

2017-03-11 21:25:27.510 968 INFO    CompleteAuthenticati network_layer         JSON response received for network request with content: {u'name': u'Preston Miller', u'hostname': u'https://app.box.com/', u'enterprise': None, u'login': u'myemail@myemail.com', u'type': u'user', u'id': u'925591238'}
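An added example (not from the original post or from Box) that pulls the user name, email and Box ID out of these CompleteAuthenticati entries. One detail worth knowing before you reach for json.loads(): the content is a Python 2 dictionary repr (u'…' strings and None), not JSON, so it will not parse as JSON. ast.literal_eval handles that literal syntax safely without executing anything. The first sample line is the entry quoted above; the second, unrelated line is constructed to show that only authentication entries are picked up.

```python
import ast
import re

# Constructed sample: the authentication entry quoted in the post, followed by
# an invented unrelated line that the parser must ignore.
SAMPLE_LOG = """\
2017-03-11 21:25:27.510 968 INFO    CompleteAuthenticati network_layer         JSON response received for network request with content: {u'name': u'Preston Miller', u'hostname': u'https://app.box.com/', u'enterprise': None, u'login': u'myemail@myemail.com', u'type': u'user', u'id': u'925591238'}
2017-03-11 21:25:28.002 968 INFO    SomeOtherComponent   sync_engine           scanning root folder (constructed line)
"""

# timestamp pid LEVEL CompleteAuthenticati module "JSON response ... content: {payload}"
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \d+ \w+\s+CompleteAuthenticati\s+\S+\s+"
    r"JSON response received for network request with content: (?P<payload>\{.*\})\s*$"
)


def parse_auth_entries(text):
    """Return a list, in log order, of who was authenticated to this sync folder and when."""
    results = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        # The payload is a Python 2 dict repr (u'...', None), not JSON, so
        # json.loads() rejects it. ast.literal_eval parses literals only.
        try:
            payload = ast.literal_eval(m.group("payload"))
        except (ValueError, SyntaxError):
            continue  # truncated or mangled payload; skip rather than crash
        if not isinstance(payload, dict):
            continue
        results.append({
            "ts": m.group("ts"),          # local machine time, as in the rest of the log
            "name": payload.get("name"),
            "login": payload.get("login"),
            "user_id": payload.get("id"),
            "hostname": payload.get("hostname"),
            "enterprise": payload.get("enterprise"),
        })
    return results


if __name__ == "__main__":
    for entry in parse_auth_entries(SAMPLE_LOG):
        print(f"{entry['ts']}  {entry['name']} <{entry['login']}>  Box ID {entry['user_id']}")
```

Because each authentication entry carries its own timestamp, running this over the whole log gives a timeline of which account was tied to the sync folder when, which matters if more than one Box account was used on the machine.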

In addition to this, the Box Sync log records details about files and folders within the sync folder. These can be found by locating the user ID and then searching for it in the log. Most file and folder related entries contained the user (also referred to as the owner) ID as well. However, all of this information is in the database and is easier to review there.

Most user activity information is captured in the sync database. The sync.db file, in the Box Sync AppData folder, stores a wealth of information about the files being synced with Box. The box_item table contains an entry for each file and folder including their Box ID, item type (file = 0 | folder = 1), the Box ID of the parent folder (0 if at the root folder), file name, Box owner ID, SHA1 hash of the file, the size (in bytes), and whether it is deleted (no = 0 | yes = 1), etc. The local_item table contains similar details but more specific to the file system, including the created and updated timestamps. The item_mapping_between_fs table links the local_item ID (which is a regular auto-incrementing SQLite ID) with its Box ID. Lastly, the preferences table contains much of the same user registration data as found in the Box Sync log and also stores the last sync time as a string (e.g., 9:50PM, Mar 11).
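As an added example (not from the original post and not Box’s own schema), the script below shows how the three tables described above fit together: box_item is joined to local_item through item_mapping_between_fs, and the parent-folder IDs in box_item are walked back to the root (parent 0) to rebuild each item’s path inside the sync folder. The post names the tables and describes their fields but not the exact column names, so the column names here (box_id, item_type, parent_id, owner_id, sha1, is_deleted, local_id, created_at, updated_at, and so on) are assumptions, and the rows are constructed sample data loaded into an in-memory database. Against a real sync.db you would open the file instead of building one and adjust the column names to what the schema actually contains.

```python
import sqlite3

# ASSUMED column names; the post describes the fields but not the schema.
SCHEMA = """
CREATE TABLE box_item (
    box_id INTEGER PRIMARY KEY, item_type INTEGER, parent_id INTEGER, name TEXT,
    owner_id INTEGER, sha1 TEXT, size INTEGER, is_deleted INTEGER);
CREATE TABLE local_item (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, created_at TEXT, updated_at TEXT);
CREATE TABLE item_mapping_between_fs (local_id INTEGER, box_id INTEGER);
"""

# Constructed sample rows: a folder, a file inside it, and a deleted root file.
# The owner ID is the Box user ID quoted in the post; hashes are placeholders.
BOX_ITEMS = [
    (100, 1, 0,   "Projects",  925591238, None, 0, 0),
    (101, 0, 100, "notes.txt", 925591238, "da39a3ee5e6b4b0d3255bfef95601890afd80709", 12, 0),
    (102, 0, 0,   "old.docx",  925591238, "sha1-placeholder", 4096, 1),
]
LOCAL_ITEMS = [  # created_at / updated_at as strings, mirroring Box-side timestamps
    ("Projects",  "2017-03-11 21:26:00", "2017-03-11 21:26:00"),
    ("notes.txt", "2017-03-11 21:30:00", "2017-03-11 21:45:10"),
    ("old.docx",  "2017-03-10 09:00:00", "2017-03-10 09:00:00"),
]
MAPPING = [(1, 100), (2, 101), (3, 102)]   # (local_item.id, box_item.box_id)


def build_sample_db():
    """Create the in-memory sample database used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO box_item VALUES (?,?,?,?,?,?,?,?)", BOX_ITEMS)
    conn.executemany("INSERT INTO local_item (name, created_at, updated_at) VALUES (?,?,?)", LOCAL_ITEMS)
    conn.executemany("INSERT INTO item_mapping_between_fs VALUES (?,?)", MAPPING)
    return conn


def box_path(conn, box_id):
    """Rebuild the path inside the sync folder by following parent_id up to root (0).
    A seen-set guards against a corrupted parent chain that loops."""
    parts, seen = [], set()
    while box_id != 0 and box_id not in seen:
        seen.add(box_id)
        row = conn.execute("SELECT name, parent_id FROM box_item WHERE box_id = ?", (box_id,)).fetchone()
        if row is None:          # parent missing from the table: stop with what we have
            break
        parts.append(row[0])
        box_id = row[1]
    return "/".join(reversed(parts))


def list_items(conn, include_deleted=True):
    """Join the three tables into one record per item, with path, hash and timestamps."""
    rows = conn.execute("""
        SELECT b.box_id, b.item_type, b.owner_id, b.sha1, b.size, b.is_deleted,
               l.created_at, l.updated_at
        FROM box_item b
        LEFT JOIN item_mapping_between_fs m ON m.box_id = b.box_id
        LEFT JOIN local_item l ON l.id = m.local_id
        ORDER BY b.box_id""").fetchall()
    items = []
    for box_id, item_type, owner_id, sha1, size, is_deleted, created, updated in rows:
        if is_deleted and not include_deleted:
            continue
        items.append({
            "box_id": box_id,
            "path": box_path(conn, box_id),
            "type": "folder" if item_type == 1 else "file",
            "owner_id": owner_id, "sha1": sha1, "size": size,
            "deleted": bool(is_deleted),
            "created": created, "updated": updated,
        })
    return items


if __name__ == "__main__":
    db = build_sample_db()
    for it in list_items(db):
        flag = " (deleted)" if it["deleted"] else ""
        print(f"{it['box_id']}  {it['type']:6} {it['path']}{flag}  created={it['created']} updated={it['updated']}")
```

Keeping deleted rows in the listing is deliberate: an item flagged is_deleted = 1 may no longer exist in the Box Sync folder on disk, but its name, hash, size and timestamps survive in the database and are often exactly what an investigation needs.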

That’s it! There are many other artifacts related to Box we did not cover. I left out what I felt were more minor artifacts, such as registry keys added / modified and other databases and logs used by Box. However, between all of the artifacts we did discuss, we are now equipped to thoroughly and unequivocally explore any suspicious activity surrounding Box.

Do you use Box? Have you encountered other relevant artifacts in your investigations? Comment below with your experiences.
