Hunting for Nextcloud Cloud Storage Forensic Artifacts on Endpoints | by Oleg Skulkin

Nextcloud is a free and open source suite of client-server software for creating and using file hosting services, so it can be easily installed on a private server or used via a third-party provider. In this article I'm going to look at the forensic artifacts that can be found during forensic examination of a Windows endpoint.

Nextcloud is cross-platform, so you can find versions for desktop operating systems, like Windows, macOS and Linux, as well as mobile applications for Android and iOS. By default, on a Windows 10 (x64) system it will be installed under C:\Program Files\Nextcloud and create a Nextcloud folder under C:\Users\%username% - the contents of this folder will be synced with the Nextcloud server. This folder contains not only the actual files but also an SQLite database with these files' metadata, which is really useful for Nextcloud forensics. It has the "hidden" attribute and is named ._sync_<unique_id>.db:

Figure 1. An SQLite database with files' metadata located under C:\Users\%username%\Nextcloud


The most interesting table inside this database is metadata. Here are the most interesting columns:


  • path – path to a file or a folder
  • inode – MFT entry number of a file or a folder
  • modtime – last modification timestamp in Unix Epoch format
  • filesize – file size in bytes
  • contentChecksum – SHA1 hash of each file


We can easily query this data with DB Browser for SQLite, for example:

Figure 2. An SQL query for extracting data from the metadata table


As this is an SQLite database, an examiner can benefit from analysis of free lists and unallocated space – it may uncover some information about deleted files:

Figure 3. Information about a deleted file found in the database's free space
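
An added example (not from the original article) of the free-list check described above: it follows the freelist trunk chain recorded in the SQLite file header and pulls printable strings out of the free pages. The function names and the sample database, which demo() builds and empties, are constructed for illustration.

```python
import os, re, sqlite3, struct, tempfile

def freelist_pages(db):
    """Return (page_size, page numbers) for every page on the SQLite freelist."""
    if db[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", db[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    trunk = struct.unpack(">I", db[32:36])[0]  # header offset 32: first trunk page
    pages, seen = [], set()
    while trunk and trunk not in seen and trunk * page_size <= len(db):
        seen.add(trunk)
        pages.append(trunk)
        base = (trunk - 1) * page_size
        nxt, n = struct.unpack(">II", db[base:base + 8])  # next trunk, leaf count
        n = min(n, (page_size - 8) // 4)  # guard against a corrupt leaf count
        pages.extend(struct.unpack(f">{n}I", db[base + 8:base + 8 + 4 * n]))
        trunk = nxt
    return page_size, pages

def free_page_strings(db, min_len=8):
    """Return (page number, printable ASCII run) pairs found in freelist pages."""
    page_size, pages = freelist_pages(db)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(p, m.group().decode("ascii"))
            for p in pages
            for m in pattern.finditer(db[(p - 1) * page_size:p * page_size])]

def demo():
    """Build a constructed database, delete its rows, then carve the free pages."""
    path = os.path.join(tempfile.mkdtemp(), "._sync_constructed.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # deleted bytes are not zeroed
    con.execute("CREATE TABLE metadata (path TEXT, inode INTEGER, modtime INTEGER,"
                " filesize INTEGER, contentChecksum TEXT)")
    con.executemany("INSERT INTO metadata VALUES (?, ?, 1580378000, 20480, ?)",
                    [(f"Documents/secret-plan-{i:04}.docx", 1000 + i, "0" * 40)
                     for i in range(500)])
    con.commit()
    con.execute("DELETE FROM metadata")
    con.commit()
    expected = con.execute("PRAGMA freelist_count").fetchone()[0]
    con.close()
    with open(path, "rb") as fh:
        db = fh.read()
    return expected, freelist_pages(db)[1], free_page_strings(db)

if __name__ == "__main__":
    count, pages, hits = demo()
    print(count, "free pages;", len(hits), "strings; first:", hits[:1])
```

This covers freelist pages only; freed space inside pages that are still in use needs a separate pass.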


Of course, this SQLite database isn't the only source of valuable information. Another location digital forensic examiners will find useful is C:\Users\%username%\AppData\Roaming\Nextcloud. This folder contains the following files:


Figure 4. The contents of C:\Users\%username%\AppData\Roaming\Nextcloud


The first file, nextcloud.cfg, contains information about the application's configuration, including synched folders, server address, username, etc.

Nextcloud_sync.log contains lots of valuable information, because it is where the synchronization process is logged. Let's look at its most useful parts:


  • timestamp – the time when the action occurred
  • file – the name of the file
  • instruction – the action that occurred; can be INST_NEW (new file), INST_RENAME (file renamed), INST_SYNC (file synchronized), INST_REMOVE (file deleted)
  • dir – shows if a file was downloaded or uploaded
  • modtime – file's modification time in Unix Epoch format
  • etag – a unique value that Nextcloud uses to track a file's changes. It looks like a hash of the file, but according to Nextcloud it's not. You can find the same value in the SQLite database we looked at previously, in the md5 column of the metadata table
  • size – the size of the file in bytes


Here is an example of Nextcloud_sync.log's entries:

Figure 5. Information about file deletion obtained from Nextcloud_sync.log
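
An added example (not from the original article) that builds a deletion timeline from the log fields listed above and looks each etag up in the md5 column of the metadata table. The "#" header line, the "|" separator, the function names and every sample value are assumptions constructed for illustration, since the article shows the raw log only as a figure.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample; the "#" header and "|" separator are assumed, not taken from the page.
SAMPLE_LOG = """\
# timestamp | duration | file | instruction | dir | modtime | etag | size
2020-01-30T10:15:02Z|12|Documents/report.docx|INST_NEW|Up|1580378000|5e32a1f0aaaa|20480
2020-01-30T10:20:31Z|9|Pictures/scan.png|INST_NEW|Up|1580378400|5e32a380bbbb|51200
2020-01-30T11:40:09Z|5|Documents/report.docx|INST_REMOVE|Down|1580378000|5e32a1f0aaaa|20480
"""

def parse_sync_log(text):
    """Return one dict per entry, keyed by the names in the header line."""
    columns, entries = None, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            names = [n.strip() for n in line.lstrip("#").split("|")]
            columns = names if "instruction" in names else columns
            continue
        values = line.split("|")
        if columns is None or len(values) < len(columns):
            continue  # no header seen yet, or a truncated line
        entry = dict(zip(columns, values))
        if entry["modtime"].isdigit():  # Unix epoch -> readable UTC
            entry["modtime_utc"] = datetime.fromtimestamp(
                int(entry["modtime"]), timezone.utc).isoformat()
        entries.append(entry)
    return entries

def removed_files(entries):
    """Deletion timeline: (timestamp, file, etag) for every INST_REMOVE entry."""
    return [(e["timestamp"], e["file"], e["etag"])
            for e in entries if e["instruction"] == "INST_REMOVE"]

def paths_for_etags(con, entries):
    """Look up each logged etag in the md5 column of the metadata table."""
    hits = {}
    for etag in {e["etag"] for e in entries}:
        row = con.execute("SELECT path FROM metadata WHERE md5 = ?", (etag,)).fetchone()
        if row:
            hits[etag] = row[0]
    return hits

def demo():
    con = sqlite3.connect(":memory:")  # constructed stand-in for ._sync_<unique_id>.db
    con.execute("CREATE TABLE metadata (path TEXT, md5 TEXT)")
    con.execute("INSERT INTO metadata VALUES ('Pictures/scan.png', '5e32a380bbbb')")
    entries = parse_sync_log(SAMPLE_LOG)
    return removed_files(entries), paths_for_etags(con, entries)
```

In the constructed data the removed file's etag no longer matches any row in the database, so the log entry is the remaining record of it.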


The last file, sync-exclude.lst, lists the files that shouldn't be synchronized with the Nextcloud server.

As you can see, Nextcloud for Windows is a very forensically-friendly application. To collect its data from multiple endpoints you can use KAPE, for example. Here are a target and a module to collect and parse this data:


Description: Nextcloud sync database, logs and configs
Author: Oleg Skulkin
Version: 1.0
Id: 0b11b30c-2781-4979-8d3d-95bb05fc96ec
RecreateDirectories: true
Targets:
    -
        Name: Nextcloud Sync Database
        Category: Apps
        Path: C:\Users\*\Nextcloud\*.db*
        IsDirectory: False
        Recursive: False
    -
        Name: Nextcloud Logs and Configs
        Category: Apps
        Path: C:\Users\*\AppData\Roaming\Nextcloud
        IsDirectory: True
        Recursive: True

Description: Parses Nextcloud's sync database
Category: FileKnowledge
Author: Oleg Skulkin
Version: 1.0
Id: fd355b7c-798e-4761-9d65-f6cca1610cfa
ExportFormat: csv
FileMask: "*.db"
Processors:
    -
        Executable: sqlite3.exe
        CommandLine: -header -separator "," %sourceFile% "SELECT path as \"File Path\", inode as \"MFT Entry Number\", datetime(modtime,'unixepoch') as \"Modified (UTC)\", filesize as \"Size (bytes)\", contentChecksum as \"SHA1\" FROM metadata"
        ExportFormat: csv
        ExportFile: Nextcloud_%fileName%.csv

# Uses sqlite3.exe to extract data from the Nextcloud sync database and export it to CSV
# Note: it is preferable to point msource at the folder containing the Nextcloud sync databases



Originally published:

February 3, 2020
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013