Friday, February 22, 2013

Dropbox Forensics

Dropbox 1.4.8 Forensics

Date: August 18, 2012

Disclaimer:
All of this research was conducted before 8/18/2012.

Research Problem
Dropbox is a service used by over 50 million people.  It lets users back up files to the internet and share them with other people.  Its popularity and function mean it could be used to back up or transfer files that are relevant to an investigation.  The Dropbox client creates artifacts on a system that may provide pertinent information, and the Dropbox servers keep useful logs of account history and of each user’s file history.  Obtaining these artifacts and log files could provide an investigator with valuable evidence.

Field of Research
This research project attempts to discover what evidence can be gathered from Dropbox, both from the computer(s) that have the client installed and from the web portal.

Research Questions

  • What artifacts are created during the installation process?
  • What artifacts are left behind after Dropbox is uninstalled?
  • What information can be gathered from the Dropbox database files?
  • What artifacts are created when a file is uploaded or downloaded?
  • What evidence is there when a file is shared?
  • What logs does Dropbox create and how accurate are they?
  • Are there any other sources of information relating to Dropbox?


Prior Work
Before I began working on Dropbox, I read the Dropbox Forensics article in Forensic Focus written by Frank McClain.  This article went over some of the basics of Dropbox and what places an investigator could look for information.  None of his findings are in my paper without being explicitly labeled as such.

Tools Used

The tools named in the sections below:

  • Process Monitor (Sysinternals): file system and registry activity during install, uninstall and sync
  • Regshot: comparison of registry snapshots before and after install and uninstall
  • Wireshark: capture of sync traffic and server addresses
  • EnCase: examination of the cache directory and its NTFS index records
  • SQLite tools and Dropbox Reader (ATC-NY / Cybermarshal): attempts to parse the database files

Installation
Files and Folders Created During Installation
These are the files created during the installation of Dropbox.  To capture this information I ran Process Monitor, a Sysinternals tool that records file system, registry and process activity in real time.  A computer with these files is likely to have had Dropbox installed at one point.

These are the database files:   

  • C:\Users\jviens\AppData\Roaming\Dropbox\photo.dbx
  • C:\Users\jviens\AppData\Roaming\Dropbox\photo.dbx-journal
  • C:\Users\jviens\AppData\Roaming\Dropbox\sigstore.dbx
  • C:\Users\jviens\AppData\Roaming\Dropbox\sigstore.dbx-journal
  • C:\Users\jviens\AppData\Roaming\Dropbox\tmphhlxvb
  • C:\Users\jviens\AppData\Roaming\Dropbox\tmphhlxvb-journal
  • C:\Users\jviens\AppData\Roaming\Dropbox\unlink.db
  • C:\Users\jviens\AppData\Roaming\Dropbox\config.dbx
  • C:\Users\jviens\AppData\Roaming\Dropbox\config.dbx-journal
  • C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
  • C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx-journal
  • C:\Users\jviens\AppData\Roaming\Dropbox\host.db
  • C:\Users\jviens\AppData\Roaming\Dropbox\host.dbx


These files live in Windows’ CryptnetUrlCache, where CryptoAPI caches certificate-chain material (CRLs, OCSP responses and CA certificates) fetched over HTTP while validating a certificate, for example the Authenticode signature on the installer or the certificate of a TLS connection.  They show that a signature or connection was validated around install time; they are not a Dropbox-to-Dropbox communication channel:

  • C:\Users\jviens\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
  • C:\Users\jviens\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019


These files are used by the Dropbox program:

  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\Dropbox.exe
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\DropboxUpdateHelper.exe
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\itag
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\msvcp71.dll
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\msvcr71.dll
  • C:\Users\jviens\AppData\Roaming\Dropbox\bin\Uninstall.exe



There are a number of files in the path C:\Users\jviens\AppData\Roaming\Dropbox that are deleted after installation finishes.  I did not list them because they did not seem important.  For a full list email jviensblog@gmail.com.
There are also files that seem to be meaningless and that stay on the computer.  They can be found at C:\Users\jviens\AppData\Local\Temp.  I did not list them because they did not seem important.  For a full list email jviensblog@gmail.com.
These files have an unknown purpose and I could not parse them.  Often they have empty

These are the shortcut (.lnk) files installed.  The fourth one, in the Startup folder, is what makes Dropbox run at logon.


  • C:\Users\jviens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox\Dropbox Website.URL
  • C:\Users\jviens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox\Dropbox.lnk
  • C:\Users\jviens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox\Uninstall.lnk
  • C:\Users\jviens\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk


Registry Changes

Process Monitor
The following information comes from the logs created by Process Monitor while Dropbox was installing.  To generate this list I filtered on the RegSetValue operation, which writes a registry value, and the SUCCESS result, which means the write took effect, then removed duplicates.  I did not list them because they seemed unnecessary.  For a full list email jviensblog@gmail.com.


Regshot
I also ran Regshot, a tool that compares two snapshots of the Windows registry, to see what changes were made during the install.  Regshot reported that approximately 160 keys were added.  The exact changes made during install vary, even when I ran the install on the same snapshot of the same virtual machine with the same installation .exe within a few minutes.  I cannot explain these differences.  I did not find any way of determining from the registry whether the installation used a previous account or created a new one.  I did not list the keys because they seemed unnecessary.  For a full list email jviensblog@gmail.com.

Regshot noted several registry changes when an image file is added to the Dropbox folder, though these all involve RecentDocs, so they do not seem to be specific to Dropbox.

Artifacts Left Behind When Dropbox Is Uninstalled
Windows Registry
The following entries are left over after uninstalling Dropbox.  I used Regshot to compare the registry before installation and after uninstallation.  I only included entries that contain the phrase Dropbox and appear on more than one computer.  I did not list them because they seemed unnecessary.  For a full list email jviensblog@gmail.com.



Dropbox Main Folder
The Dropbox folder that syncs to the online account is not changed at all; it is exactly as it was before Dropbox was uninstalled.  The installation directory under AppData\Roaming remains partially intact, but I am currently unable to parse it.

Cache
This section deals with the Dropbox cache, the hidden folder C:\Users\username\Dropbox\.dropbox.cache.  It carries the hidden and system attributes, so Explorer only shows it if “Show hidden files, folders, and drives” is turned on and “Hide protected operating system files” is turned off.

Recovering Deleted Files
If a file is deleted by a different computer attached to the same account while both computers are connected to the Dropbox cloud, a folder is created in the cache named with the date of the deletion in year-month-day format.

The highlighted folder is an example of a folder containing files deleted on the tenth of July, 2012.

All of the files deleted on that date go into that folder.  Each folder contains a file called “entries.log” along with the deleted files.  Each deleted file has a suffix appended to its name (see File Name Appendix below).  Dropbox purges these folders every three days.

This is a screenshot taken from the deleted files folder.  The highlighted file is the entries.log file.

Entries.log
The entries.log file contains information on the files that were sent to the cache.  An entry is added to the log every time a file is deleted.  If a file with the same name and content as one already in the cache is deleted, an entry is still written, but a second copy does not appear in the cache.  Each time a file is added to the cache a line or two is added to the log, when viewed in Notepad.  I have deleted files with different names and contents and gotten the same entry, and deleted the same file twice and gotten completely different results.  Experiments with slightly changed filenames usually produce an entry that matches the original’s after anywhere between the first 4 and 21 characters.  Other than a possible way of telling how many files were deleted, I have not gotten any usable information from this file.

Example of Entries.log
 
 
File Name Appendix
A file that is moved into the cache has a suffix appended to its name of the form “(deleted xxxxxxxx-xxxxxxx-xxxxxxxx)”: three hexadecimal fields separated by hyphens.  The first field is the file’s modified timestamp converted to Unix time and written in hexadecimal.  The second is the file size in bytes in hexadecimal.  The third behaves like a hash, though I do not know the algorithm.  To demonstrate I deleted a file named “shazam0s”.  The deleted version was named “shazam0s (deleted 4fe09d20-5f5e100-c6ce2398)”.  The first field in decimal is 1340120352, which is Tue Jun 19 2012 15:39:12 UTC; the converter I used displayed it as 11:39:12 because it adjusts to the local time zone (UTC-4), and not all converters do, so always record which zone a tool is reporting.  The second field in decimal is 100000000 bytes, which divided by 1024 is 97,656.25 KB.
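The suffix decoding above, as an added example (this code is not from the original page): it parses the three hexadecimal fields, renders the modified time in UTC so no local-zone shift creeps into a timeline, and keeps the third field as an opaque tag since its algorithm is unknown.  The function names are my own.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Suffix Dropbox 1.4.8 appends to a file moved into .dropbox.cache, e.g.
# "shazam0s (deleted 4fe09d20-5f5e100-c6ce2398)": hex Unix modified time,
# hex size in bytes, and a third hex field whose meaning is unknown.
SUFFIX_RE = re.compile(
    r"^(?P<name>.+?) \(deleted (?P<mtime>[0-9a-f]+)-(?P<size>[0-9a-f]+)-(?P<tag>[0-9a-f]+)\)$",
    re.IGNORECASE,
)

def parse_cache_name(entry: str) -> Optional[dict]:
    """Decode a .dropbox.cache file name; None if it carries no deletion suffix."""
    m = SUFFIX_RE.match(entry)
    if m is None:
        return None
    mtime = int(m.group("mtime"), 16)
    size = int(m.group("size"), 16)
    return {
        "name": m.group("name"),
        "mtime_unix": mtime,
        # Render in UTC explicitly; converters that apply the local zone shift the hour.
        "mtime_utc": datetime.fromtimestamp(mtime, tz=timezone.utc),
        "size_bytes": size,
        "tag": m.group("tag").lower(),
    }

def describe_cache_entry(entry: str) -> str:
    """One-line report of a cache file name, as it would go in a timeline."""
    r = parse_cache_name(entry)
    if r is None:
        return f"{entry}: no Dropbox deletion suffix"
    return (f"{r['name']}: modified {r['mtime_utc']:%Y-%m-%d %H:%M:%S} UTC "
            f"(unix {r['mtime_unix']}), {r['size_bytes']} bytes, tag {r['tag']}")

if __name__ == "__main__":
    # The shazam0s name is the example from the text; eve.txt shows an extension before the suffix.
    print(describe_cache_entry("shazam0s (deleted 4fe09d20-5f5e100-c6ce2398)"))
    print(describe_cache_entry("eve.txt (deleted 4fe09d20-5f5e100-c6ce2398)"))
```

Because the suffix is anchored to the end of the name, file names that themselves contain parentheses still parse correctly, and a name without the suffix is reported rather than mis-decoded.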



Files Being Downloaded
Files that are being downloaded are not written straight to the sync folder.  Dropbox downloads the file as segments into the cache.  The names of these segment files are long strings of seemingly random characters, though the first few are sometimes alphabetic, and they have no extension.  Each segment holds a compressed form of part of the original file, so segment size depends on the size of the original file and on how compressible its content is.

After all the segments finish downloading they are decompressed and assembled into a temporary file with a random name.  This .tmp file has exactly the same content as the original.  Recovering these is difficult because normally they exist in the cache only for the instant it takes to rename and move them into the sync folder.  If the files being added would push the account past its storage quota, the download completes but Dropbox will not move the .tmp file into the sync folder, so it stays in the cache.

This image was taken during a download:
 

Encase Examination
The NTFS $I30 index attribute of the cache directory still records the short (8.3) names of the .tmp files that were downloaded most recently.  The randomness of the file names prevents this from revealing anything beyond the fact that something was deleted.  I was unable to recover the deleted segments or .tmp files using undelete utilities or from the Recycle Bin.  Files copied directly into the Dropbox cache are not detected or uploaded by Dropbox; if deleted they behave normally and arrive in the Recycle Bin.

File Syncing
Registry Changes
The only changes made to the registry when a file was uploaded or downloaded were to the RecentDocs entries.
IPs relating to Dropbox
All of the following addresses were captured with Wireshark during Dropbox syncs.  I found no difference in server address between uploading and downloading files.  All of these addresses have been confirmed by visiting them in a web browser.
Homepage Addresses

This section lists the IP addresses that serve a clone of the homepage.  Some of these clones have dead links for the images and videos.  Many of the addresses were found using a browser.

199.47.219.152 – 199.47.219.160
199.47.216.156 – 199.47.216.185

The image on the left is a crop of the intact Dropbox.com page, while the image on the right is taken from a clone of the Dropbox homepage.  Some clones look like the left image.

Fileserver Addresses
These addresses are used to upload files to the cloud and download files from the cloud.  They fall in Amazon EC2 address space, so treat the list as a snapshot from the capture date rather than a stable set of Dropbox addresses.

107.20.249.158
174.129.222.36
174.129.195.79
107.22.193.138
204.236.220.31
50.16.208.108
Going to one of these addresses results in this image



Unknown Address
199.47.217.144  
Going to this address results in a blank page.  Research showed it to be owned by Dropbox and under the hostname sjc-not2.sjc.dropbox.com.  It responds to pings.

Process Monitor of Upload
A Process Monitor capture showed many WriteFile operations on sigstore.dbx and sigstore.dbx-journal.  Dropbox also had a pattern of CreateFile, QueryNetworkOpenInformationFile, CloseFile, ReadFile, in that order, with the path being the file being uploaded, and a pattern of CreateFile, ReadFile, ReadFile, ReadFile, CloseFile on the same file.

The following pattern was recorded during the upload:

CreateFile C:\Users\jviens\Dropbox\.dropbox.cache\<one of the temporary download files>
CreateFile C:\Users\jviens\Dropbox\.dropbox.cache\<one of the temporary download files>
LockFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
LockFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
UnlockFileSingle C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
CreateFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx-journal
QueryStandardInformationFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
ReadFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
QueryStandardInformationFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
CreateFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx-wal
QueryStandardInformationFile C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx
UnlockFileSingle C:\Users\jviens\AppData\Roaming\Dropbox\filecache.dbx

The filecache.dbx-journal and filecache.dbx-wal names are SQLite’s rollback journal and write-ahead log sidecar files, which is a strong sign that filecache.dbx is still an SQLite database underneath whatever stops it from opening directly.

Dropbox on Startup
When Dropbox starts it opens a connection to a homepage server.  Roughly 20 packets are exchanged between the homepage server and the client.  If there are no files to sync there will be only those 20 packets, apart from LAN sync packets.  If there is something to sync, the syncing process begins.



Compression
Dropbox compresses files in transit in both directions.  If a file with random content is uploaded the total traffic is roughly the size of the file.  If the content is highly predictable, such as a file that is all zeros, the traffic is significantly less than the file size, so traffic volume alone does not give the size of the file transferred.

Proving a File is Already in the Dropbox Cloud

Different Users
From the user end there is no way to know whether a file has already been uploaded to the Dropbox cloud by someone else.  Dropbox used to hash all files in the cloud and all files queued for upload.  If there was a match the server linked the account to the previously uploaded copy and skipped the upload, even when the earlier upload came from another user.  A method was developed by which a client could send the server forged hashes and gain access to a file it never had.  After this was used for software piracy, Dropbox disabled cross-account deduplication.  I have verified that Dropbox will not skip an upload even if another account has a copy of the file.

Same User
This feature still works within the same account.  I have shown that an upload is skipped if a copy has already been uploaded to that account.  The hash check is on the file’s content, not its name.  This works even if the file has been permanently deleted and all evidence that the file was connected to the account is gone from the client’s point of view, which suggests that permanently deleted files are still attached to the account on the server end.  An investigator with access to the account can use this to prove a file was uploaded to that account at some point, by uploading a copy and observing whether any data is transferred.  Investigators with a warrant can possibly get more from the account than is available from the client end.

Unlinking a Computer from a Dropbox Account

Unlinking does not delete the Dropbox program files.  Dropbox still launches at startup, but instead of syncing with an account it asks the user to create a new account or link to an existing one.  There are no significant registry changes.

Parsing the Database Files
The database files are the .db and .dbx files found at C:\Users\jviens\AppData\Roaming\Dropbox.  These files most likely contain very relevant information, but I was completely unable to get anything meaningful from them.  The config.db file begins with the string “SQLite format 3”, the header every SQLite 3 database carries.  Other researchers, such as Frank McClain at Forensic Focus, parsed the files with SQLite 3 tools a year earlier.  The SQLite software I tried could open config.db but refused every other file, reporting that it was not an SQLite 3 database.  Together with the SQLite-style -journal and -wal sidecar files seen in the Process Monitor capture, this suggests, but does not prove, that Dropbox has kept SQLite but added a layer of encryption or obfuscation to the .dbx files.

I also found a suite of command line tools called Dropbox Reader, released by Cybermarshal, a branch of ATC-NY.  It is designed to parse the files created during the installation and use of Dropbox.  It no longer works on version 1.4.8: the white paper and the software were written when Dropbox used plain SQLite 3 files.
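The header check described above, as an added example (not code from the original page): it tests each .db/.dbx file and its SQLite sidecars for the 16-byte “SQLite format 3” magic and, where that is absent, measures the Shannon entropy of the first bytes.  Near-random bytes with no recognisable header are consistent with an encrypted (or compressed) file; entropy alone cannot say which, so the verdict is labelled as a heuristic.  The function names and the 7.5 bits-per-byte threshold are my own choices.

```python
import math
from pathlib import Path
from typing import Dict, List

# Every SQLite 3 database starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_bytes(name: str, head: bytes) -> Dict[str, object]:
    """Classify a database file from its first bytes: header check first,
    then an entropy heuristic. High entropy with no known header suggests
    encryption or compression; entropy alone cannot tell those apart."""
    is_sqlite = head.startswith(SQLITE_MAGIC)
    ent = shannon_entropy(head)
    if is_sqlite:
        verdict = "sqlite3"
    elif ent > 7.5:          # heuristic threshold, chosen for this example
        verdict = "opaque-high-entropy"
    else:
        verdict = "unknown"
    return {"file": name, "sqlite": is_sqlite, "entropy": round(ent, 2), "verdict": verdict}

def triage_dir(folder: Path, sample: int = 4096) -> List[Dict[str, object]]:
    """Triage the .db/.dbx files and their SQLite sidecars in a Dropbox AppData folder."""
    wanted = (".db", ".dbx", ".dbx-journal", ".dbx-wal")
    rows = []
    for p in sorted(folder.iterdir()):
        if p.is_file() and p.name.endswith(wanted):
            with open(p, "rb") as f:
                rows.append(triage_bytes(p.name, f.read(sample)))
    return rows

if __name__ == "__main__":
    import os, sys
    # Default to the live profile's folder; pass an exported folder path to examine an image.
    default = Path(os.environ.get("APPDATA", "")) / "Dropbox"
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default
    for row in triage_dir(target):
        print(f"{row['file']:<28} sqlite={row['sqlite']!s:<5} entropy={row['entropy']:<5} {row['verdict']}")
```

On a 1.4.8 profile the expected picture is config.db reported as sqlite3 and the .dbx files as opaque-high-entropy; a .dbx-journal or .dbx-wal that is mostly zero padding will come back as unknown, which is normal for a freshly truncated journal.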
Adding Files Via Email
There is no native Dropbox support for uploading files via email.  There are programs that can log into an email client and download the attachments to a selected folder.  Dropbox will consider any files downloaded this way to be the same as the user moving them into the syncing folder manually.  Any metadata left behind from the download utility is completely independent of Dropbox.

RAM Analysis

u’uid’:


1-1 85182983
1-2 85182983
2-1 85386010
2-2 85386010
3-1 89348615
4-1 90015815

This string was found in most captures.  The number appears to be based on when the account was made and is likely a unique account identifier.  The u'...' notation is the Python 2 unicode-literal form, which is how the client’s own data structures appear in memory.
Username
The username was always in RAM if Dropbox was installed and running.  No single search term always found it, and sometimes the username was not near any landmark.  Possible search terms:

  • The email account
  • div class="name"
  • social media 
  • Get free space! Username DropboxSharingLinks
  • (U’)userdisplayname
  • (U’)userfname (only shows the first name)
  • From(
  • /From


Dropbox email
The email account associated with Dropbox was always in RAM if Dropbox was installed and running.  No single search term always found it, and sometimes the email address was not near any landmark.  Possible search terms:

  • The username
  • From(
  • /From
  • Social media
  • Gmail
  • login_email
  • remember_me
  • email=u’
  • verify your email


Password
I have replaced the actual password with “password”.  The second and third lines are UTF-16LE strings as a strings tool renders them, with each character followed by a null byte, so these terms need to be searched for in both ASCII and UTF-16LE.

ail=lcdidropbox@gmail.com&login_password=password&cont=%2Fhome]
...l.o.g.i.n._.e.m.a.i.l.......l.c.d.i.d.r.o.p.b.o.x.@.g.m.a.i.l...c.o.m.......l.o.g.i.n._.p.a.s.s.w.o.r.d.....password
l.o.g.i.n._.p.a.s.s.w.o.r.d.....password...s.w.o.r.d.....l.o.g.i.n._.e.m.a.i.l...login...https://www.dropbox.com/login

Only once was I able to capture the password from a computer that did not log in to the web portal.

Below is the text around where the password was found.

u'displayname': u'WIN-98L9PR2G9NVpassword', u'email': u'lcdidropbox2@gmail.com', u'excserver': u'dl-debug37.dropbox.com', u'host_id': u'd46ac6aad92825e1d7b90a49da1588d6',
AUTHENTICATE:  u'displayname': u'WIN-98L9PR2G9NVpassword',
       4.336 | AUTHENTICATE:  u'email': u'lcdidropbox2@gmail.com',
       4.336 | AUTHENTICATE:  u'excserver': u'dl-debug37.dropbox.com',
       4.336 | AUTHENTICATE:  u'host_id': u'd46ac6aad92825e1d7b90a49da1588d6',
       4.336 | AUTHENTICATE:  u'host_int': 266728085,

General Information

These terms are good for more than one type of information

  • u’ (the Python 2 unicode-literal prefix)
  • Dropbox(.com)
  • Filenames/folders/paths in the Dropbox folder and the hidden .dropbox.cache folder
  • client-lb



When Dropbox is running the username and account email are in RAM.  If the web portal has been used, the password is in RAM too.  Finding the username and account email can usually be done without prior knowledge.  Finding the password without prior knowledge worked only about a third of the time.
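The memory-carving searches described in this section, as an added example (not code from the original page): one pass runs the patterns over raw bytes, and two more passes narrow the buffer so that UTF-16LE copies (the “l.o.g.i.n._.e.m.a.i.l” form) match the same ASCII regexes, at both possible alignments.  The dump is constructed inline with made-up values; the `login_email`/`login_password` form fields, the `u'email'`, `u'uid'` and `u'host_id'` keys are the strings the page reports, and everything else (function names, the sample values) is my own.

```python
import re
from typing import Dict, List

# Regexes for the strings this page reports finding in RAM. They are written
# for ASCII bytes; UTF-16LE copies are found by narrowing the buffer first.
PATTERNS = {
    # Web-portal login POST body: login_email=...&login_password=...
    "web_login": re.compile(
        rb"login_email=(?P<email>[\w.+%-]+(?:@|%40)[\w.-]+)"
        rb"&login_password=(?P<password>[^&\s\x00\xff]{1,128})"),
    # Python 2 unicode-literal fragments from the running client's data structures
    "client_email": re.compile(rb"u'email': u'(?P<email>[\w.+-]+@[\w.-]+)'"),
    "client_uid": re.compile(rb"u'uid': (?P<uid>\d{1,12})"),
    "client_host_id": re.compile(rb"u'host_id': u'(?P<host_id>[0-9a-f]{32})'"),
}

def narrow_utf16le(buf: bytes, offset: int) -> bytes:
    """Collapse each UTF-16LE code unit starting at `offset` (0 or 1) to one
    byte: the low byte when the high byte is zero, otherwise 0xFF. ASCII
    regexes then run unchanged over wide strings, and 0xFF marks bytes that
    were not wide text so they cannot be mistaken for it."""
    lo, hi = buf[offset::2], buf[offset + 1::2]
    n = min(len(lo), len(hi))
    return bytes(lo[i] if hi[i] == 0 else 0xFF for i in range(n))

def carve(buf: bytes) -> List[Dict[str, object]]:
    """Scan a memory image for the patterns above in ASCII and UTF-16LE.
    Offsets are translated back to positions in the original buffer."""
    views = [("ascii", buf, 0, 1),
             ("utf-16le", narrow_utf16le(buf, 0), 0, 2),
             ("utf-16le", narrow_utf16le(buf, 1), 1, 2)]
    hits: List[Dict[str, object]] = []
    for encoding, view, base, stride in views:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(view):
                hit: Dict[str, object] = {"kind": kind, "encoding": encoding,
                                          "offset": base + stride * m.start()}
                for field, value in m.groupdict().items():
                    if value is not None:
                        hit[field] = value.decode("latin-1")
                hits.append(hit)
    return hits

# Constructed sample "dump" with made-up values: the web login form body once
# as ASCII and once as UTF-16LE, plus client-style u'...' fragments.
FORM = b"login_email=user@example.com&login_password=Pa%24%24w0rd"
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POST /login HTTP/1.1 ... " + FORM + b"&cont=%2Fhome"
    + b"\x90" * 7                                   # odd-length filler shifts the wide string's alignment
    + FORM.decode("ascii").encode("utf-16-le") + b"\x00\x00"
    + b"\x01\xff\x13 u'displayname': u'WIN-EXAMPLE', u'email': u'user2@example.com', "
      b"u'host_id': u'0123456789abcdef0123456789abcdef', u'uid': 85182983,"
)

if __name__ == "__main__":
    for h in carve(SAMPLE_DUMP):
        print(h)
```

To run it over a real capture, read the image in chunks that overlap by a few hundred bytes and add the chunk base to each reported offset; the narrowing step is what makes the wide-string hits show up at all, which is why a plain ASCII strings search misses the second and third lines quoted above.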



Web Portal
The web portal is the online form of Dropbox.  It can be reached from any computer with internet access and the account’s login credentials.  All of the features in this section are only available through the web portal and cannot be discovered by examining an image of the computer’s hard drive.
Dropbox Menu
The Dropbox Menu consists of the options highlighted in yellow and pink.
 

File Viewing
The default screen after logging in to the Dropbox website is the file viewer, which shows all folders in alphabetical order followed by all files in alphabetical order.
This image shows several directories as viewed through the web portal.  The leftmost column is an icon based on the file extension.  The Kind column is also based on the file extension and can be spoofed by renaming.  The Modified column is taken from the file’s modified timestamp and can be spoofed, as the purple highlight shows.  The last column is unlabeled and shows a paperclip if the user generated a public link for the file.

  

Files can be viewed through the web portal.  If a user double-clicks a text or image file it opens in the browser.  There is no limit on the size of a file that can be viewed, and Dropbox does not check whether the user already has the file in their sync folder.  Other file types, such as .zip and .py, are downloaded.  The URL has the following format:
https://dl-web.dropbox.com/get/file.name?w=seeminglyrandomlettersandnumbers
The URL is consistent for the same file, so I don’t think the “w=” value is actually random; it is probably derived from some property of the file.

Sharing

Note: to use the shared folder function the user must first prove they control the email account by clicking a link sent to that address.

Below that is the Sharing menu, which shows all of the shared folders the account has access to.  The upper right dropdown switches the view from current folders to past folders.  Past folders are greyed out and the user can choose to rejoin them; this even shows folders that have been permanently deleted.  The option on the left creates a new shared folder from a new or existing folder.

 

This is the view of past folders connected to the account.  From this screen the user can rejoin a folder or remove it from the list.  The yellow highlight shows the first name of the only account still using that shared folder.

  


This is the options screen for a shared folder.  It can be reached through the file viewing screen or the shared folder screen.  It shows each account sharing the folder by username; hovering over a name shows the email address attached to that account.  The two highlighted options are reserved for the owner of the shared folder, and each folder has exactly one owner.  The owner can kick accounts out of the folder, choosing whether that account’s copy of the shared folder is deleted (and its files permanently deleted) or simply stops syncing with the rest of the folder’s members.  The owner can allow the other accounts to invite new accounts into the folder, and can change this at any time.  The owner can also make another account the new owner and become a normal member.  The default owner is the account that created the shared folder.  The owner leaving the shared folder does not stop that account from being the owner: the extra privileges are not passed to anybody else, and if that account rejoins later it immediately has ownership privileges again.



Shared folders are folders that can be accessed by more than one account.  Any account sharing the folder can add, delete, or edit files, and the change is applied to the copies held by every other account sharing that folder.  Normal accounts can only email the other accounts’ addresses, which on my machine opened Microsoft Outlook, though this is probably based on my computer’s default mail client.

The only change that is not applied to other accounts is a change to the folder name.  The default name of the folder for new members is the name the folder had when it was first shared, even if nobody kept that name.

Each shared folder contains a file called .dropbox.  This file holds a number unique to that folder.  The number appears to be based on the time or on how many shared folders were previously created, so it could be used to estimate the creation time of a folder if a folder with a similar number had a known creation time.  Deleting or changing this file doesn’t seem to do anything; it is repaired the next time the Dropbox program starts.

The highlighted file is the .dropbox file.  The number of this folder is 145761331.


   
The only way to leave a folder, other than being kicked, is to delete the folder through the desktop or web client.  Both methods cause the event log to say the account left the folder, but being kicked won’t delete the local folder, which is a useful tell.  The folder can be rejoined by getting a second invitation or by using the undelete function of the file viewer or the shared folders tab.

Links
This menu allows the user to view a list of all files and folders for which links have been created.  This menu also allows the user to remove links that already exist, making them stop functioning.



Links are URLs generated by Dropbox that let anyone with a web browser open the link and download the file.  Dropbox displays images and text files of a recognized format inline.  There is no way to know whether a file is being viewed or downloaded without access to the viewing/downloading computer.  The URLs have a semi-predictable format: https://www.dropbox.com/s/<random letters and numbers>/file.name, where /s/ is used for files and /sh/ for folders.  The URLs below are for the same file, unlinked and relinked; the token changes each time.
https://www.dropbox.com/s/v8u4ibdv9cs8gz9/eve.txt
https://www.dropbox.com/s/9rykrs4hilpb0wa/eve.txt
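Pulling these links out of a proxy log or browser-history export, as an added example (not code from the original page): it recognises the /s/ file links, the /sh/ folder links and the dl-web.dropbox.com/get/ portal downloads described in this section, separating the token from the file name so repeated visits to the same link can be grouped.  The first sample line reuses the eve.txt link from the text; the other lines, timestamps and addresses are constructed for the demonstration, and the function names are my own.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Link shapes this page documents (Dropbox, mid-2012):
#   https://www.dropbox.com/s/<token>/<file.name>        public link to one file
#   https://www.dropbox.com/sh/<token>/<folder.name>     public link to a folder
#   https://dl-web.dropbox.com/get/<file.name>?w=<value> logged-in web-portal view/download
SHARE_RE = re.compile(r"^/(?P<kind>sh|s)/(?P<token>[A-Za-z0-9]+)(?:/(?P<name>[^/?#]+))?/?$")
GET_RE = re.compile(r"^/get/(?P<name>[^?#]+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_dropbox_url(url: str) -> Optional[Dict[str, str]]:
    """Return link type, token and decoded name for a Dropbox URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.netloc.lower()
    if host == "www.dropbox.com":
        m = SHARE_RE.match(parts.path)
        if m:
            kind = "shared-folder" if m.group("kind") == "sh" else "shared-file"
            return {"type": kind, "token": m.group("token"),
                    "name": unquote(m.group("name") or ""), "host": host}
    elif host == "dl-web.dropbox.com":
        m = GET_RE.match(parts.path)
        if m:
            return {"type": "portal-download", "token": "",
                    "name": unquote(m.group("name")), "host": host}
    return None

def extract_dropbox_links(text: str) -> List[Dict[str, str]]:
    """Pull Dropbox share and download links out of free text such as a proxy
    log or a browser-history export, de-duplicated, in order of first sight."""
    found: List[Dict[str, str]] = []
    seen = set()
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;)")          # trailing punctuation from prose or log lines
        info = classify_dropbox_url(raw)
        if info and raw not in seen:
            seen.add(raw)
            info["url"] = raw
            found.append(info)
    return found

# Constructed proxy-log style sample (timestamp, client, method, URL, status).
SAMPLE_LOG = """\
1345300001 10.0.0.5 GET https://www.dropbox.com/s/v8u4ibdv9cs8gz9/eve.txt 200
1345300017 10.0.0.5 GET https://www.dropbox.com/sh/abc123XYZ/Shared%20Photos 200
1345300042 10.0.0.7 GET https://dl-web.dropbox.com/get/report.pdf?w=3f9c2a1b 200
1345300050 10.0.0.7 GET https://www.dropbox.com/login 200
1345300061 10.0.0.5 GET https://www.dropbox.com/s/v8u4ibdv9cs8gz9/eve.txt 304
"""

if __name__ == "__main__":
    for link in extract_dropbox_links(SAMPLE_LOG):
        print(link["type"], link["token"] or "-", link["name"], link["url"])
```

The login page and the repeated eve.txt fetch are dropped, leaving one record per distinct link; the token is what to search for across other hosts’ logs, since the file name part of the URL is only cosmetic.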

Links viewed from a computer that does not have Dropbox installed and was not logged in to Dropbox.



This image was taken after viewing a link that was removed



This image was taken after trying to view the above URL with one character changed.  I don’t know whether Dropbox remembers old links, or uses a predictable URL generator such that my alteration produced an impossible URL.





Event Log
The Dropbox event log tracks all activity connected to the account: which account performed an action, what the action was, its target, and when it happened.  Dropbox groups actions that took place in the same sync into one entry.  The timestamp is the time the action ended, so if the files are particularly large or numerous, or the sync is interrupted, the timestamp can differ from the time of the user’s action by a significant amount.

This is an example event log.



Get Started
This menu item leads to a page for new users.  It lists 7 things the user can do and promises 250 MB of extra space if five of them are completed, which this account did.



Upper Right Buttons
Upload
The leftmost button lets a user upload a file directly to Dropbox.  This does not require the client to be installed and works for files up to 100 MB.  In Google Chrome the user can drag and drop files into the page to start the upload.
New Folder
The next creates a new folder.
Share Folder
The next shares a previously existing folder.
Show Deleted Files and Folder
The rightmost button displays deleted files and folders.  They are greyed out and do not show a modified time.  The files still have their version history and can be undeleted at any time.  Below is an image of a set of deleted files and one undeleted file, Calvin.jpg.




Permanent Deletion
A user may select a file and use a feature called “Permanently Delete”.  This stops the file from being viewable and also removes every event log entry that mentions the file.  This cannot be undone and is hard to detect.  Once an event log page is full and there is a full page between it and the newest page, no more entries are added to it.  If some or all of the entries on such a page are removed by a permanent delete, that page stays partly or fully empty.  These short pages are evidence that files were permanently deleted.
The following picture is of an event log page that had 28 entries before a mass permanent deletion.


Settings

To reach the settings menu for dropbox, first click on the account name in the upper right.

 

Then the settings dropdown
 
This is the default Settings screen.

 

The Settings page has five tabs.  The first tab simply shows total storage usage and a link to upgrade the account.




The second tab lists all of the account information that can be changed.  




The third tab shows a list of computers that have linked to this account.  The left column shows the name of the computer; this can be changed, and the two highlighted names were originally “WIN-KLOVQAEMF81”.  The next column shows the last time that computer synced with the server.  The next column offers to rename the computer.  The last column unlinks the computer, which stops it syncing and removes it from this list.

 


The fourth tab, Bonus space shows two methods to get more space and how much space the account has already unlocked.

 

The fifth tab, My apps, shows a list of all third-party apps that have been linked to this account.  They cannot be downloaded from this page.  None are linked on a default account.




Previous Versions (Version History)

This feature allows a user to restore a file to a previous version.  Folders do not have a version history.  Version history considers a file to be anything with the same folder path, name, and extension.  If a file is renamed, version history treats the old file as deleted and a new file as created.  If a file replaces another file with the same name, version history says the file was edited.  A copied file is treated as a deletion and a new creation, while a moved file retains its version history some of the time.  Each entry shows the name of the user who made the edit, followed by the method, which is “web” if a browser was used or the computer name if a computer was used.  The next column is the time of the change, which has the same inaccuracies as the event log.  The last column displays the size of the file.


The following image shows the history of “Calvin.jpg”.
 



Conclusion
Dropbox forensics can reveal a lot of information, but much of it depends on getting access to the evidence held in the cloud.  There is information to be found on the computer, but in most situations the cloud will have all of the local evidence and much more.  The only anti-forensics feature built into Dropbox is permanent delete and its removal of entries from the event log.  I never got past the protection on the database files, so I don’t know what they contain, and I don’t know what information Dropbox holds that is not shown to the user.

Further Research Topics
  • Multiple computers can share one Dropbox account.  Can the existence of other computers be determined?  How much information can be gained about them?
  • What artifacts are left by network sharing?
  • What information can be gathered on the other accounts sharing a folder?
  • Is there a reliable way to recover deleted or temporary files?
  • How can the account that was attached to an unlinked computer be determined?
  • How can the information in the Dropbox install directory be parsed?
  • What is the complete list of IP addresses that are used by Dropbox?
  • What are the differences in investigating Dropbox on different operating systems?
  • What are the effects of the changes Dropbox made after publication?
  • What information does Dropbox have that can only be gotten with a warrant?

Works Cited
"Dropbox Reader." Dropbox Reader. Cybermarshal, n.d. Web. 13 June 2012. <http://www.cybermarshal.com/index.php/cyber-marshal-utilities/dropbox-reader>.
McClain, Frank. "Dropbox Forensics." Forensic Focus (2011): n. pag. Web. 13 June 2012.
"CryptNetUrlCache Folder." Computer Security and Help. N.p., n.d. Web. 12 Feb. 2013.




3 comments:

  1. You should also see if you can determine the original metadata of a file that is uploaded to dropbox.
    Is there a way to show that a user did in fact create a document at a certain time and it was uploaded to dropbox at a later date or something similar.
  2. By the way, the reason you can't use SQLite anymore is because the .dbx is an encrypted database. You could use the encryption enhancement version but that is expensive. Try looking at the new dropbox decrypter though that they just released on 3-1-13.
    http://www.magnetforensics.com/decrypting-the-dropbox-filecache-dbx-file-new-free-tool/
  3. Does anyone know where I can learn more about drop box service in Portland, OR? I have been told that drop box is really useful, but I really don't know what it is.