DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream's disk forensic artifacts
DriveFS Sleuth automates the investigation of Google Drive File Stream disk artifacts.
The tool can parse the disk artifacts and build a filesystem tree-like structure enumerating the synchronized files along with their respective properties.
"While engaged in a threat-hunting activity for a client to detect the misuse of file-syncing applications within their network, I identified the unauthorized use of Google Drive File Stream. Despite the noteworthy collaborative capabilities offered by such tools, they pose a potential risk to data security, particularly regarding exfiltration. I didn't find any published research on associated artifacts at that time. Consequently, I undertook independent research to analyze the pertinent disk artifacts and developed DriveFS Sleuth based on the findings," Amged Wageh, the tool's creator, told Help Net Security.
Wageh told us that DriveFS Sleuth is known for its proficiency in analyzing forensic artifacts and seamlessly correlating them to offer crucial insights during investigations.
DriveFS Sleuth is adept at tracing the origins or the connected devices related to these synced items, and it investigates the mirroring roots and mirrored items.
"While the existing version suffices for conducting comprehensive forensic investigations, I intend to research additional artifacts. This pursuit aims to augment the detection of deleted items and explore the potential utilization of cached contents for retrieving synced file data as per availability. Furthermore, there is a plan to enhance the visual aspects of the HTML template for improved presentation and user experience," Wageh concluded.
News URL
https://www.helpnetsecurity.com/2024/01/04/drivefs-sleuth-investigating-google-drive-file-stream/