Using KAPE to Collect Cloud Storage Artifacts

Hey everyone,
First things first — I owe you an apology for going quiet.
Life got a little hectic on the personal side and I had to step away for a bit, but I'm back now and planning to write and post a lot more frequently going forward.
Good to be back.
Before we get into today's topic, I want to mention something quickly — www.cyberengage.org/ started as just sharing knowledge, and honestly it's grown into something bigger than I expected. Because of that, I'm actually looking for writers who can contribute articles.
If you're interested in writing for the blog, send me an email (apatel19800@gmail.com) — I'm happy to pay per article.
---------------------------------------------------------------------------------------------------------
Now, let's get into it.
If you've already read the complete cloud forensics guide — covering what artifacts to collect and how to investigate Box, Google Drive, and OneDrive — you know the foundation. If you haven't, go check that out first because today's article builds on it.
Today we're going a step further and talking specifically about collection — how you actually go about acquiring this data, what tools to use, what trips people up, and why cloud drive forensics is genuinely different from regular Windows acquisition.
---------------------------------------------------------------------------------------------------------
First, Understand What You're Actually Dealing With
Back in the early days, cloud drive apps were simple. They synced a local folder to the cloud.
You wanted the files? Go to the folder, grab them, done.
That's not how it works anymore.
The new generation of cloud apps lets you see every file in your cloud drive — even ones that aren't actually downloaded to your machine. You browse them, interact with them, but they're not sitting on the local disk.
They're ghosts. And that creates a real headache when it comes to collection.
Here's how each of the big three handles it, because they all do it differently:
OneDrive is the most straightforward. When a file is cached locally it's physically in the OneDrive folder and a forensic image will capture it. Files that are cloud-only won't be there, but OneDrive at least shows you a Status column — blue cloud icon for cloud-only, green checkmark for locally available.
Box Drive is trickier. It uses something called a callback filesystem — essentially a reparse point that redirects all filesystem activity in the Box folder to a virtualized volume. If you image the C drive, the Box folder looks completely empty. If the user is logged out or the app isn't running, the Box folder won't even exist.
Google Drive for Desktop takes it even further. It creates a virtual mount point but only when the app is running and the user is authenticated. And here's a fun wrinkle — the mounted filesystem is FAT32, which breaks some acquisition tools including KAPE in certain configurations.
---------------------------------------------------------------------------------------------------------
So How Do You Actually Collect This Data?
If you have access to a live system with the user logged in, tools like FTK Imager (use "Contents of a Folder") or KAPE can logically acquire whatever's in that virtualized filesystem. Requesting those files may also trigger the app to automatically download cloud-only files and cache them locally — which sounds helpful but comes with two serious caveats.
First, automatically pulling files from the cloud could push you outside your legal scope of authority. Get legal guidance before you let that happen.
Second, those newly downloaded files get written to the disk, potentially overwriting unallocated space that might hold deleted evidence. You gain files and lose evidence at the same time.
Going straight to the cloud and acquiring directly from the cloud instance is often cleaner — but that needs credentials and the right tooling. And it's not always the better option. If the user was running encryption that keeps data encrypted in the cloud, the local copy — even if incomplete — might be the only readable version you'll ever get.
Plan your acquisition strategy before you start. This is new territory and winging it will cost you.
---------------------------------------------------------------------------------------------------------
KAPE for Cloud Storage Collection
KAPE, written by Eric Zimmerman, handles cloud storage collection well when used correctly. Box, Dropbox, Google Drive, and OneDrive all have dedicated target files in the default KAPE installation.
They're split into Metadata targets and UserFiles targets so you can grab just the database metadata without accidentally pulling gigabytes of user documents.
The compound targets — CloudStorage_Metadata.tkape and CloudStorage_All.tkape — reference all the individual app targets at once.
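A two-phase collection built around those compound targets, as an added example (not code from the original post or from the KAPE project). It assumes kape.exe lives at C:\Tools\KAPE\kape.exe and that E:\Collection is an evidence drive; the KAPE switches used are --tsource, --tdest, --target, --vss and --zip.

```powershell
# Added example: phase 1 collects only the sync databases via CloudStorage_Metadata,
# so nothing under the user's OneDrive/Box/Google Drive folders is read and no
# cloud-only file gets hydrated. Phase 2 (CloudStorage_All) is opt-in because it
# walks those folders and can trigger downloads that overwrite unallocated space.
[CmdletBinding()]
param(
    [string]$KapePath  = 'C:\Tools\KAPE\kape.exe',   # assumption: KAPE install path
    [string]$Source    = 'C:',
    [string]$Dest      = 'E:\Collection',            # assumption: evidence drive
    [string]$CaseLabel = 'CASE-PLACEHOLDER',
    [switch]$IncludeUserFiles                        # only once scope is confirmed
)

function Invoke-KapeTarget {
    param([string]$Target, [string]$ZipName)
    # --vss also walks volume shadow copies, so older copies of the sync
    # databases (renamed or deleted entries) land next to the live ones.
    & $KapePath --tsource $Source --tdest (Join-Path $Dest $Target) `
                --target $Target --vss --zip $ZipName
    if ($LASTEXITCODE -ne 0) { throw "KAPE exited with $LASTEXITCODE for target $Target" }
}

if (-not (Test-Path $KapePath)) { throw "kape.exe not found at $KapePath" }
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Phase 1: metadata only (Box, Dropbox, Google Drive and OneDrive databases).
Invoke-KapeTarget -Target 'CloudStorage_Metadata' -ZipName "$CaseLabel-cloud-metadata"

# Phase 2: user documents, including whatever is cached in the virtualised folders.
if ($IncludeUserFiles) {
    Invoke-KapeTarget -Target 'CloudStorage_All' -ZipName "$CaseLabel-cloud-all"
}

# Record SHA-256 of every archive so the collection can be verified later.
Get-ChildItem -Path $Dest -Recurse -Filter '*.zip' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $Dest "$CaseLabel-hashes.csv") -NoTypeInformation
```

Run from an elevated prompt; `kape.exe --tlist .` from the KAPE directory confirms the target names present in your installation.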
---------------------------------------------------------------------------------------------------------
API-Based Collection: Going Direct to the Cloud
Every major cloud provider exposes an API and there are forensic tools built around them.
Google Takeout lets the user (or investigator with credentials) download everything — Drive, Gmail, contacts, calendar, Chrome history. Data comes out zipped with the original folder hierarchy intact. Google Workspace adds Admin Data Export, which lets admins export everything for every user in the organization — though it's all or nothing, no filtering.
F-Response is a commercial tool that supports all the major platforms. Add credentials and it writes the cloud content to a VHD or local share.
Magnet AXIOM has extensive cloud support built in — OneDrive, Google, Dropbox, Box, iCloud and more. With Google Workspace admin credentials it can collect across an entire organization. When the API allows it, AXIOM also pulls usage logs.
One thing that gets overlooked constantly — file version history.
Many providers keep multiple versions and expose them via API. Google Drive is a good example. If you only need to dig into a few files, manually browsing the web interface while recording your screen is honestly sometimes the quickest option.
---------------------------------------------------------------------------------------------------------
The Windows Artifacts You Still Shouldn't Skip
Here's what's easy to forget when you're deep in cloud collection mode — the machine itself is still full of evidence.
Browser history is often the first clue a cloud app was even in use. Cloud storage URLs are surprisingly rich. They can show file sharing activity, access to deleted items, version history browsing, specific files opened, searches conducted, and even the user's email embedded in URL parameters.
LNK files can show you files that used to be in a cloud folder even if they're long gone. A LNK referencing a OneDrive path is evidence that file existed there.
The Recycle Bin is worth checking specifically for cloud storage paths. Deleted items often end up here before being permanently removed.
Registry searches for terms like "OneDrive", "Google Drive", "My Drive", "Dropbox", and "Box" across user hives can surface files and folders that were once accessed — including the drive letter Google Drive mounted its virtual filesystem on.
Alternate Data Streams — Dropbox tags files with ADS markers. Copy that file anywhere within NTFS and the Dropbox fingerprint follows it.
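The registry search and the ADS check described above, as an added example (not from the original post). It assumes the user's NTUSER.DAT was exported to E:\Collection\NTUSER.DAT, that the prompt is elevated so reg.exe can load the hive, and that C:\Users\PLACEHOLDER\Dropbox stands in for the folder whose files you want to inspect; the search terms are the ones listed above.

```powershell
# Added example: mount an exported user hive, search key names, value names and
# data for the cloud-storage terms, then list non-default NTFS streams on files.
param(
    [string]$HivePath    = 'E:\Collection\NTUSER.DAT',          # assumption
    [string]$MountName   = 'EvidenceUser',                      # temporary mount
    [string]$ReportPath  = 'E:\Collection\cloud-registry-hits.csv',
    [string]$CheckFolder = 'C:\Users\PLACEHOLDER\Dropbox'       # placeholder
)

# \bBox\b keeps "Mailbox" and "Checkbox" out of the hits. A value such as
# "G:\My Drive\report.docx" also gives away the drive letter Google Drive mounted on.
$pattern = 'OneDrive|Google Drive|My Drive|Dropbox|\bBox\b'

function Find-CloudRegistryHits {
    param([string]$Root, [string]$Pattern)
    Get-ChildItem -Path "Registry::$Root" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            if ($key.Name -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = ''; Data = '(key name)' }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
}

function Get-NonDefaultStreams {
    # Dropbox keeps its tags in named $DATA streams, so anything other than the
    # default ::$DATA stream is reported with the file it rides on and its size.
    param([string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

& reg.exe load "HKU\$MountName" $HivePath | Out-Null
try {
    Find-CloudRegistryHits -Root "HKEY_USERS\$MountName" -Pattern $pattern |
        Export-Csv -Path $ReportPath -NoTypeInformation
} finally {
    [gc]::Collect()                       # release provider handles before unloading
    & reg.exe unload "HKU\$MountName" | Out-Null
}
Get-NonDefaultStreams -Folder $CheckFolder | Format-Table -AutoSize
```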
---------------------------------------------------------------------------------------------------------
Bottom Line
Cloud drive forensics is complex because the apps themselves are designed to blur the line between local and cloud. The strategy that works for OneDrive won't work for Box.
Legal scope gets murky the moment files start auto-downloading.
Plan before you acquire, cross-reference the local artifacts with your cloud collection, and don't walk past the browser history and LNK files — they'll often tell you things the cloud API won't.
--------------------------------------------Dean-----------------------------------------------------------
As mentioned at the top — if you're a writer who wants to contribute to the blog, I'm paying per article. Send me an email and let's talk.
And if you want to see the full cloud forensics guide covering what artifacts exist across Box, Google Drive, and OneDrive — that's linked below.