Forensic Analysis of Dropbox Data Remnants on Windows 10
Abstract
Cloud storage services are popular among businesses and individuals as they offer convenience in storage and sharing of files at an affordable price. However, cloud storage is subject to abuse by cybercriminals, and given the difficulty of obtaining artefacts of evidential value from cloud storage providers, artefacts from the client computer can provide potential evidence on which a case can be based. This research investigates artefacts left behind by Dropbox, a popular cloud storage application, on Windows 10. Through live and dead forensics, the study determines Dropbox artefacts on Windows 10 for various scenarios including installation, file upload, file deletion, and uninstallation. By identifying these remnants, this work contributes to a better understanding of the artefacts that are likely to remain for digital forensics investigators. Potential information sources identified during the research include the Dropbox client software installation files, synchronisation folder, browser, link files, prefetch files, registry, and network traffic. The artefacts identified in the study can assist in criminal investigations involving Dropbox, as they provide useful information for recreating the scene of the crime, tying a suspect to the crime, and creating a timeline of events.
Publisher
University of Nairobi
Rights
Attribution-NonCommercial-NoDerivs 3.0 United States
Usage Rights
http://creativecommons.org/licenses/by-nc-nd/3.0/us/