Cloud Forensics: Box Part 1

Cloud storage, like email before it, has gained wide acceptance and general adoption by consumers. Whether that is Google Drive, Amazon Drive, iCloud, Dropbox, or OneDrive, there are abundant options from which to choose from. One reason these services have become popular is the ease at which you can share and access important files on any device. That same benefit, however, can be used with malicious intent to extradite data from corporate or protected environments. In this post, we will explore the Box cloud service on Windows and discuss artifacts created as a by-product of its usage.

Before we begin discussing local artifacts related to Box, be advised that Box business plans come with an administrative console. This console can be used to generate a number of useful reports1. Reports can be generated for the following: usage logs, file statistics, user statistics, security report, folder and file tree structure, external collaborators, and shared link details. Please see the referenced link above for descriptions of each report.

With Box for Windows, one can either use the web application or, additionally, download Box Edit or Box Sync to edit and sync files locally, respectively. We will examine these three features in turn and discuss artifacts specific to them. Let’s first delve into browsing Box online and the artifacts we can glean just from a user’s browsing history.

Box Online

There are a number of relevant URLs associated with Box. These URLs can inform us if they browsed to a particular folder or previewed or edited a file online. Each folder and file in Box receive a unique ID. In my testing, folder IDs began with “18” and files began with “13”. In addition to folder and files, Box allows you to create “Box Notes” and bookmarks. The table below summarizes the URL activity covered in more detail later in the post.

Action URL
Root Folder app.box.com/files or app.box.com/files/0/f/0
Browsing to a Folder app.box.com/files/0/[Folder ID]/[Folder Name]
Previewing a File in the Root Folder app.box.com/files/0/f/0/1/f_[File ID]
Previewing a File in a Sub-Folder app.box.com/files/0/f/[Parent Folder ID]/1/f_[File ID]
Editing a File Online (Microsoft Office) app.box.com/services/box_for_office_online/4881/[File ID]/[alphanumeric value]/[File Name]?loading_page=1
Editing a File Online (Google Drive) app.box.com/services/google_docs/894/[alphanumeric value]/[File Name]#
Editing a Note app.box.com/notes/[File ID]
Clicking a Bookmark app.box.com/web_links/[Bookmark ID]
  1. When logging into Box, the user is redirected to the root of the user’s folder. The Root of the User’s folder is represented by either app.box.com/files or app.box.com/files/0/f/0 depending on how they access the root folder.
  2. When you browse to a folder you can identify the folder’s ID and name. For example, a folder called temp_folder may generate the following URL app.box.com/files/0/f/18336881964/temp_folder where 18336881964 is the folder ID.
  3. When you preview to a file you can identify the file’s ID and parent folder, but not its name. However, the name of the file will be captured in the title of the web page which can be reviewed, for example, in chrome’s History SQLite database on the local machine. An example, URL for a file called notes.txt in the temp_folder could be app.box.com/files/0/f/18336881964/1/f_131643091345.
    • If the file is in the root folder, the parent folder ID will be the number “0”.
  4. Editing a “Box Note” will generate a URL like app.box.com/notes/[File ID], where file ID starts with “13” (e.g., 133489325409).
  5. Clicking on a saved bookmark, a feature that allows you to bookmark URLs, generates a URL like app.box.com/web_links/[Bookmark ID].

Just from browser history alone, we can paint a pretty clear picture of what the user did in a given session. If access to the account in question is possible, even more information can be obtained.

globe_icon

Each user account has an audit trail which can be accessed by clicking on the globe icon on the toolbar, pictured above, or by browsing to app.box.com/updates. The timestamps in this log, at least in my case, were observed to be in PST.

Additionally, you can click on the account name in the top right corner of the toolbar and then navigate to Account Settings > Security to view active sessions. This log records the applications currently granted access to the Box account, the date they were added and last accessed, and their IP and approximate location. It is possible to sign out of a particular application by clicking the “X” button next to the record or you can simply hit the “Forget All” button.

Due to the length of this post, we will cover Box Edit and Box Sync and their artifacts in part two of this series which can be accessed here.

Do you use Box? Have you encountered other relevant artifacts in your investigations? Comment below with your experience or thoughts.

Cloud Forensics: Box Part 1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s