Hunting for Nextcloud Cloud Storage Forensic Artifacts on Endpoints | by Oleg Skulkin


Nextcloud is a free and open-source suite of client-server software for creating and using file hosting services; it can be installed on a private server or used through a third-party provider. In this article I'm going to look at the forensic artifacts that can be found during the examination of a Windows endpoint.

Nextcloud is cross-platform: there are desktop clients for Windows, macOS and Linux, as well as mobile applications for Android and iOS. By default, on a Windows 10 (x64) system the client is installed under C:\Program Files\Nextcloud and creates a Nextcloud folder under C:\Users\%username%; the contents of this folder are synced with the Nextcloud server. The folder contains not only the synced files themselves but also an SQLite database holding their metadata, which is really useful for Nextcloud forensics. It has the "hidden" attribute set and is named ._sync_<unique_id>.db. If -wal and -shm files sit next to it, collect them as well: the most recent changes may exist only in the write-ahead log until SQLite checkpoints them into the main file.

Figure 1. An SQLite database with files' metadata located under C:\Users\%username%\Nextcloud

 

The most interesting table inside this database is metadata. Its most useful columns are:

 

  • path – path of the file or folder, relative to the synced folder
  • inode – MFT entry number of the file or folder
  • modtime – last modification timestamp in Unix epoch format
  • filesize – file size in bytes
  • contentChecksum – SHA-1 hash of the file's content

 

We can easily query this data with DB Browser for SQLite, for example:

Figure 2. An SQL query for extracting data from the metadata table

 

As this is an SQLite database, an examiner can also benefit from analysing its freelist pages and unallocated space, which may uncover records of files that have since been deleted (unless the database has been vacuumed, which rebuilds it without the stale data):

Figure 3. Information about a deleted file found in the database's free space
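The two steps above (querying the live metadata rows, then looking in the database's free space for records of deleted files) as an added worked example in Python; this is not code from the article or from the Nextcloud project. The sample journal is constructed inline with a cut-down metadata table that carries only the columns named above (plus md5, which the sync log section below ties to the etag); the real journal has more columns, so select by name. The paths, inode numbers, timestamps and hashes are invented for the demo, and the carving step is a plain string scan rather than a full SQLite record parser.

```python
"""Query a Nextcloud sync journal (._sync_<id>.db) and carve its free space.

Added example, not code from the article or from the Nextcloud project. The
database is constructed inline with a cut-down `metadata` table that mirrors
only the columns the article names; the real journal has more columns, so
always select by name rather than by position.
"""
import datetime
import os
import re
import sqlite3
import tempfile

# Constructed sample rows: (path, inode, modtime, md5 [holds the etag],
# filesize, contentChecksum). All values are invented for the demo.
SAMPLE_ROWS = [
    ("Documents/report.docx", 41233, 1580721300,
     "5e3a1f0c9b2d4e7a8f1c2b3d4e5f6a7b", 18432,
     "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ("Projects/secret_plan.docx", 41240, 1580725000,
     "0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e", 20480,
     "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"),
    ("Photos/IMG_0001.jpg", 41251, 1580730000,
     "9f8e7d6c5b4a39281706f5e4d3c2b1a0", 2097152,
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
]
DELETED_PATH = "Projects/secret_plan.docx"


def build_sample_journal(db_path):
    """Create the sample journal, then delete one row so its record lingers."""
    conn = sqlite3.connect(db_path)
    # secure_delete=OFF is SQLite's usual default; with it ON the freed cell
    # is zeroed on delete and there would be nothing left to carve.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute(
        "CREATE TABLE metadata (path TEXT, inode INTEGER, modtime INTEGER, "
        "md5 TEXT, filesize INTEGER, contentChecksum TEXT)")
    conn.executemany("INSERT INTO metadata VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM metadata WHERE path = ?", (DELETED_PATH,))
    conn.commit()
    conn.close()


def _unix_to_utc(ts):
    """Render a Unix epoch value as a UTC timestamp string."""
    return datetime.datetime.fromtimestamp(
        ts, tz=datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def live_metadata(db_path):
    """Return the live rows with the same fields the article's KAPE module exports."""
    conn = sqlite3.connect(db_path)
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT path, inode, modtime, md5 AS etag, filesize, contentChecksum "
        "FROM metadata ORDER BY modtime").fetchall()
    conn.close()
    return [{
        "path": r["path"],
        "mft_entry": r["inode"],
        "modified_utc": _unix_to_utc(r["modtime"]),
        "etag": r["etag"],
        "size": r["filesize"],
        "sha1": r["contentChecksum"],
    } for r in rows]


# Printable runs that could be a relative path; a '/' is required below so
# that hex checksums and the schema text are not reported.
_PATH_RE = re.compile(rb"[A-Za-z0-9_\-./ ]{6,}")


def carve_deleted_paths(db_path):
    """Scan the raw file for path-like strings that no live row references.

    A deleted record stays in the page's freeblocks (or on freelist pages)
    until it is overwritten, which is what free-space analysis relies on.
    """
    live = {r["path"] for r in live_metadata(db_path)}
    with open(db_path, "rb") as f:
        raw = f.read()
    found = set()
    for m in _PATH_RE.finditer(raw):
        s = m.group().decode("ascii").strip()
        if "/" in s and s not in live:
            found.add(s)
    return sorted(found)


def demo():
    """Build the sample journal in a temp dir and run both analyses on it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "._sync_example.db")
        build_sample_journal(db)
        return {"live": live_metadata(db), "carved": carve_deleted_paths(db)}


if __name__ == "__main__":
    result = demo()
    for row in result["live"]:
        print(row)
    print("carved from free space:", result["carved"])
```

Point live_metadata and carve_deleted_paths at a collected ._sync_<id>.db to run them on real data; work on a copy, and if the client kept the journal in WAL mode, keep the -wal file beside that copy so SQLite can replay it.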

 

Of course, this SQLite database isn't the only source of valuable information. Another location digital forensic examiners will find useful is C:\Users\%username%\AppData\Roaming\Nextcloud. This folder contains the following files:

 

Figure 4. The contents of C:\Users\%username%\AppData\Roaming\Nextcloud

 

The first file, nextcloud.cfg, holds the application's configuration, including the synced folders, the server address, the username, etc.

Nextcloud_sync.log contains a lot of valuable information, as it is where the client logs the synchronization process. Let's look at its most useful fields:

 

  • timestamp – the time at which the action occurred
  • file – the name of the file
  • instruction – the action taken; values include INST_NEW (new file), INST_RENAME (file renamed), INST_SYNC (file synchronized) and INST_REMOVE (file deleted)
  • dir – whether the file was downloaded from or uploaded to the server
  • modtime – the file's modification time in Unix epoch format
  • etag – a unique value Nextcloud uses to track changes to a file; it looks like a hash of the file but, according to Nextcloud, is not one. The same value appears in the SQLite database we looked at previously, in the md5 column of the metadata table (despite its name, that column holds the etag, not an MD5 hash)
  • size – the size of the file in bytes

 

Here is an example of entries from Nextcloud_sync.log:

Figure 5. Information about file deletion obtained from Nextcloud_sync.log
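A small parser for the fields listed above, as an added example that is not part of the original article or of the Nextcloud client. The sample log is constructed, and its exact layout (pipe-separated values under a "#" column header line, with "#=#=#=# Syncrun started/finished" markers around each run) is an assumption about the client's format, so the parser reads the column names from that header line instead of hard-coding positions; check it against a real Nextcloud_sync.log. The "local"/"server" attribution of a removal follows the article's reading of dir as upload versus download and is likewise an assumption.

```python
"""Parse Nextcloud_sync.log into a per-file timeline and list deletions.

Added example, not code from the article or from the Nextcloud project. The
sample log below is constructed; its pipe-separated layout and the '#'
column header line are assumptions about the client's format, so the parser
takes the column names from the header rather than hard-coding positions.
"""
import datetime

# Constructed sample: two sync runs, the second of which removes a file.
SAMPLE_LOG = """\
#=#=#=# Syncrun started 2020-02-03T09:14:58Z
# timestamp | duration | file | instruction | dir | modtime | etag | size | fileId | status
2020-02-03T09:15:01.412Z|312|Documents/report.docx|INST_NEW|Up|1580721300|5e3a1f0c9b2d4e7a8f1c2b3d4e5f6a7b|18432|00000123ocx7p2ccf|2
2020-02-03T10:16:44.003Z|201|Projects/secret_plan.docx|INST_NEW|Up|1580725000|0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e|20480|00000124ocx7p2ccf|2
2020-02-03T11:40:09.770Z|958|Photos/IMG_0001.jpg|INST_SYNC|Down|1580730000|9f8e7d6c5b4a39281706f5e4d3c2b1a0|2097152|00000125ocx7p2ccf|2
#=#=#=# Syncrun finished 2020-02-03T11:40:10Z
#=#=#=# Syncrun started 2020-02-03T14:02:10Z
# timestamp | duration | file | instruction | dir | modtime | etag | size | fileId | status
2020-02-03T14:02:11.506Z|18|Projects/secret_plan.docx|INST_REMOVE|Up|1580725000|0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e|20480|00000124ocx7p2ccf|2
#=#=#=# Syncrun finished 2020-02-03T14:02:12Z
"""


def _unix_to_utc(value):
    """Render a Unix epoch string as UTC; None if the field is empty/odd."""
    if not str(value).isdigit():
        return None
    return datetime.datetime.fromtimestamp(
        int(value), tz=datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_sync_log(text):
    """Return one dict per entry, keyed by the column names in the log's header.

    Each entry also carries 'syncrun', the start time of the run it belongs to.
    """
    entries = []
    header = None
    run_started = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#=#=#=#"):
            # Run delimiter: remember when this sync run began.
            if "started" in line:
                run_started = line.split("started", 1)[1].strip()
            continue
        if line.startswith("#"):
            # Column header: take field names from the file itself.
            header = [h.strip() for h in line.lstrip("#").split("|")]
            continue
        if header is None:
            continue  # data before any header: layout unknown, skip
        values = [v.strip() for v in line.split("|")]
        entry = dict(zip(header, values))
        entry["syncrun"] = run_started
        entries.append(entry)
    return entries


def file_timeline(entries):
    """Group events per file, in log order, with modtime rendered as UTC."""
    timeline = {}
    for e in entries:
        timeline.setdefault(e["file"], []).append({
            "when": e["timestamp"],
            "action": e["instruction"],
            "direction": e["dir"],
            "modtime_utc": _unix_to_utc(e["modtime"]),
            "etag": e["etag"],  # matches the md5 column of the sync database
            "size": int(e["size"]) if e["size"].isdigit() else None,
        })
    return timeline


def deletions(entries):
    """(file, origin, when) for every INST_REMOVE.

    Assumption: dir 'Up' means the change was pushed from this endpoint to
    the server, 'Down' that it was pulled from the server.
    """
    return [(e["file"], "local" if e["dir"] == "Up" else "server", e["timestamp"])
            for e in entries if e["instruction"] == "INST_REMOVE"]


if __name__ == "__main__":
    parsed = parse_sync_log(SAMPLE_LOG)
    for path, events in file_timeline(parsed).items():
        print(path)
        for ev in events:
            print("   ", ev)
    print("deletions:", deletions(parsed))
```

Read a collected Nextcloud_sync.log with open(..., encoding="utf-8") and pass its text to parse_sync_log; the etag field in each entry is what you join against the md5 column of the sync database to tie a log line to a metadata row.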

 

The last file, sync-exclude.lst, contains information about which files shouldn't be synchronized with Nextcloud server.

As you can see, Nextcloud for Windows is a very forensically friendly application. To collect its data from multiple endpoints you can use KAPE, for example. Here are a KAPE target and a KAPE module to collect and parse this data:

 

KAPE target:

Description: Nextcloud sync database, logs and configs
Author: Oleg Skulkin
Version: 1.0
Id: 0b11b30c-2781-4979-8d3d-95bb05fc96ec
RecreateDirectories: true
Targets:
    -
        Name: Nextcloud Sync Database
        Category: Apps
        Path: C:\Users\*\Nextcloud\*.db*
        IsDirectory: False
        Recursive: False
    -
        Name: Nextcloud Logs and Configs
        Category: Apps
        Path: C:\Users\*\AppData\Roaming\Nextcloud
        IsDirectory: True
        Recursive: True

KAPE module:

Description: Parses Nextcloud's sync database
Category: FileKnowledge
Author: Oleg Skulkin
Version: 1.0
Id: fd355b7c-798e-4761-9d65-f6cca1610cfa
BinaryUrl: https://www.sqlite.org/2019/sqlite-tools-win32-x86-3300100.zip
ExportFormat: csv
FileMask: "*.db"
Processors:
    -
        Executable: sqlite3.exe
        CommandLine: -header -separator "," %sourceFile% "SELECT path as \"File Path\", inode as \"MFT Entry Number\", datetime(modtime,'unixepoch') as \"Modified (UTC)\", filesize as \"Size (bytes)\", contentChecksum as \"SHA1\" FROM metadata"
        ExportFormat: csv
        ExportFile: Nextcloud_%fileName%.csv

######
# Uses sqlite3.exe to extract data from Nextcloud sync database and export it to csv
# Note: preferred to point msource to the folder with Nextcloud sync databases
######

One caveat on the module: sqlite3's -separator "," does not quote fields, so a path that itself contains a comma will shift the columns of that row in the CSV. Passing -csv instead of -separator "," switches sqlite3 to its CSV output mode, which quotes such fields.

 

Originally published: https://www.group-ib.com/blog/nextcloud#item8989742

February 3, 2020

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013