December 16, 2012

Google Drive Artifacts - Explained

Google Drive Cloud Artifacts Forensics by BitForensics


Google Drive
Google Drive is a free cloud-based file storage and synchronization service provided by Google Inc. (a paid tier offers more storage and functionality).

Users can download and install the Google Drive desktop application on their machines to sync, upload and share files with other users.

Google Docs is incorporated into Google Drive and offers web-based office applications (word processor, spreadsheet, presentation) that let users create and edit documents online while collaborating in real time with other users.


Test Environment
Google Drive version 1.6.3837.2778 application running on Windows 7 Home Premium SP1 x64

Default Installation Path
C:\Program Files\Google\Drive

Default Sync Folder
C:\Users\<username>\Google Drive

Default Database Path
C:\Users\<username>\AppData\Local\Google\Drive


Before data is synced into Google Drive
When Google Drive is installed for the first time, the following artifacts are created in the default database folder (i.e. C:\Users\<username>\AppData\Local\Google\Drive).


Artifacts in default database folder

The following files are in SQLite 3 format and can be opened with most SQLite browsers (or with the sqlite3 command-line shell):

i) snapshot.db
ii) sync_config.db


snapshot.db
This database file contains 6 tables. Under the local_entry table there is one default record, the Google Drive sync folder itself.
The inode_number assigned to the sync folder (2251799813810172 on the test machine) stays the same throughout. The value is consistent with an NTFS 64-bit file reference number, whose low 48 bits are the MFT record number and whose high 16 bits are the sequence number: 2251799813810172 = (8 << 48) + 124924, i.e. MFT record 124924, sequence number 8. If that is what Google Drive stores (an observation from the numbers, not something this write-up confirms), each entry can be cross-referenced against the volume's $MFT.


snapshot.db

Under the mapping table, it also shows the same inode number assigned to the root sync folder.


snapshot.db


sync_config.db
This database file has only one table, containing several records including:
i) the Google Drive version used,
ii) the local sync root path and
iii) the user's email address.


sync_config.db


After data is synced into Google Drive
Going back to the default database path C:\Users\<username>\AppData\Local\Google\Drive, an additional 4 files (highlighted in boxes below) were created.

These are temporary files created by SQLite for transaction logging (a rollback journal, or a -wal and -shm pair where write-ahead logging is enabled) so that a failed transaction can be rolled back. The 2 main files to analyze are still snapshot.db and sync_config.db, but collect the side files together with the databases: a journal or WAL file can hold records that have not yet been written into, or have already been removed from, the main database file.

Default Database Folder


snapshot.db
I uploaded and synced a total of 17 files of various formats to Google Drive for testing purposes.
Under the local_entry table of the snapshot.db file, it shows the following:


snapshot.db
Note that local_entry table shows 18 files (17 files + 1 default sync folder)



inode_number - Unique inode number assigned to each file or folder. Under the local_relations table the same value appears as child_inode_number, mapped to its parent_inode_number.

filename - Actual filename of the file in the local default sync folder.

modified - Last-modified time in Unix time, i.e. the number of seconds since 1 January 1970 UTC.
    Example: 1355211749 = Tue, 11 December 2012 07:42:29 UTC

checksum - MD5 checksum of the file as calculated in the local default sync folder of the computer. Google Drive keeps the checksums of all files that have been uploaded, presumably to detect content changes and re-sync those files when necessary. For an examiner this also means the recorded MD5 can be recomputed against the file on disk to tell whether it was altered after the last sync.

size - File size in bytes.

Note that a folder has no modified date, no checksum and no size; those columns hold a NULL value instead.



Under the local_relations table, we see:

i) child_inode_number
ii) parent_inode_number

We can read this as a file (child) to folder (parent) relationship.

Explanation
The bottom 2 files, with child_inode_number 844424930257377 and 844424930257378, actually reside within a folder whose inode number is 844424930257376 (their parent_inode_number).

The rest of the files reside directly in the default sync folder (C:\Users\<username>\Google Drive).

Note that archive formats (e.g. zip, rar) are treated as a single file, regardless of how many files the archive contains. The only hint that an entry is an archive is the filename extension in the local_entry table; snapshot.db records nothing about the contents of the archive.
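As an added example (not code from this write-up), the Python script below does what the local_entry and local_relations description above implies: it follows child_inode_number to parent_inode_number back to the sync root to rebuild each entry's full local path, formats the modified column as UTC the way the example above does, and splits inode_number as an NTFS file reference. The sample rows, the table schemas and the root path C:\Users\alice\Google Drive are constructed for the demo; only the column names come from the article, and reading inode_number as an NTFS file reference is an assumption.

```python
import sqlite3
from datetime import datetime, timezone

# Added example. Reconstructs local paths from snapshot.db's local_entry and
# local_relations tables. Only the column names mentioned in the article are
# assumed; a real snapshot.db has more columns and tables than this stand-in.

ROOT_INODE = 2251799813810172               # sync-root inode from the article's test machine
SYNC_ROOT = r"C:\Users\alice\Google Drive"  # constructed root path for the demo

# Constructed sample rows: (inode_number, filename, modified, checksum, size)
SAMPLE_LOCAL_ENTRY = [
    (ROOT_INODE,      "Google Drive", None,       None,                               None),
    (844424930257370, "notes.txt",    1355211749, "5eb63bbbe01eeed093cb22bb8f5acdc3", 11),
    (844424930257371, "photos.zip",   1355211800, "d41d8cd98f00b204e9800998ecf8427e", 0),
    (844424930257376, "Reports",      None,       None,                               None),
    (844424930257377, "q3.pdf",       1355211900, "0cc175b9c0f1b6a831c399e269772661", 1024),
    (844424930257378, "q4.pdf",       1355211950, "92eb5ffee6ae2fec3ad71c777531578f", 2048),
]
# Constructed sample rows: (child_inode_number, parent_inode_number)
SAMPLE_LOCAL_RELATIONS = [
    (844424930257370, ROOT_INODE),
    (844424930257371, ROOT_INODE),
    (844424930257376, ROOT_INODE),
    (844424930257377, 844424930257376),
    (844424930257378, 844424930257376),
]


def build_sample_db():
    """In-memory stand-in for snapshot.db; replace with sqlite3.connect('snapshot.db')."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE local_entry(inode_number INTEGER PRIMARY KEY, filename TEXT,
                                 modified INTEGER, checksum TEXT, size INTEGER);
        CREATE TABLE local_relations(child_inode_number INTEGER, parent_inode_number INTEGER);
    """)
    con.executemany("INSERT INTO local_entry VALUES (?,?,?,?,?)", SAMPLE_LOCAL_ENTRY)
    con.executemany("INSERT INTO local_relations VALUES (?,?)", SAMPLE_LOCAL_RELATIONS)
    return con


def unix_to_utc(ts):
    """Format the 'modified' column as in the article: 1355211749 -> Tue, 11 December 2012 07:42:29 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a, %d %B %Y %H:%M:%S UTC")


def ntfs_file_reference(inode):
    """Split a 64-bit value as an NTFS file reference -> (MFT record number, sequence number).
    Assumption: inode_number is the NTFS file reference; the article does not state this."""
    return inode & 0xFFFFFFFFFFFF, inode >> 48


def reconstruct_paths(con, root_inode=ROOT_INODE, sync_root=SYNC_ROOT):
    """Return {inode: full_local_path} for every local_entry row except the root itself."""
    names = dict(con.execute("SELECT inode_number, filename FROM local_entry"))
    parents = dict(con.execute("SELECT child_inode_number, parent_inode_number FROM local_relations"))
    paths = {}
    for inode in names:
        if inode == root_inode:
            continue
        parts, cur, seen = [], inode, set()
        while cur != root_inode and cur in parents and cur not in seen:
            seen.add(cur)  # guard against a corrupted, cyclic relation table
            parts.append(names.get(cur, f"<unknown inode {cur}>"))
            cur = parents[cur]
        if cur != root_inode:
            parts.append("<orphan>")  # chain never reached the sync root
        paths[inode] = "\\".join([sync_root] + parts[::-1])
    return paths


def describe(con):
    """One line per entry: path, type, UTC timestamp, MD5, size and MFT record/sequence."""
    paths = reconstruct_paths(con)
    out = []
    for inode, modified, checksum, size in con.execute(
            "SELECT inode_number, modified, checksum, size FROM local_entry"):
        if inode not in paths:
            continue
        kind = "folder" if checksum is None else "file"   # folders carry NULL checksum
        when = unix_to_utc(modified) if modified is not None else "-"
        rec, seq = ntfs_file_reference(inode)
        out.append(f"{paths[inode]}  [{kind}] modified={when} md5={checksum} size={size} mft={rec}/{seq}")
    return out


if __name__ == "__main__":
    for line in describe(build_sample_db()):
        print(line)
```

The cycle guard and the "<orphan>" marker matter on real evidence: a relation row whose parent was deleted, or a damaged table, must not send the walk into an infinite loop or silently attach the file to the sync root.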
 

snapshot.db

 
sync_config.db
No significant changes made to this database file.


Creating cloud-based documents using Google Docs
When users log in to their Google Drive account on the web, they can choose to create documents in the cloud.

E.g. when a new Word document is created in the cloud using Google Docs, it has a .gdoc extension.

Under the local_entry table in snapshot.db, we can see the file




Under the local_relations table in snapshot.db, we can see that the .gdoc entry maps back to the default sync folder even though the file was not downloaded to the local machine. In other words, this .gdoc file does not exist locally and only exists in the Google Drive cloud, but snapshot.db still keeps a record of this cloud file in its database.

snapshot.db


How to differentiate files created in the cloud from those created locally on the machine

Using snapshot.db, entries in the cloud_entry table that have a "created" timestamp are those created in the cloud. These include cloud-created folders.
See example below

snapshot.db

doc_type - Refers to the type of document created in the cloud:

    6 - Word document
    2 - Powerpoint
    4 - Excel Spreadsheet & Form document
    5 - Drawing document
    0 - Folder
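An added example (not the article's code) that uses the doc_type table above together with the checksum column described under local_entry: it recomputes MD5 for each file in the sync folder to separate files left untouched since the last sync from files edited afterwards, and reports entries such as a .gdoc that snapshot.db records but which has no file on disk, labelling cloud-created entries with their decoded doc_type. The sync folder contents, the file names and the .gdoc checksum are constructed; the function assumes its rows were fetched from local_entry and cloud_entry and, for brevity, that all names sit directly in the sync root.

```python
import hashlib
import os
import tempfile

# Added example. Compares the MD5 checksums recorded in local_entry against
# what is on disk and decodes the doc_type codes listed for cloud_entry.

# doc_type codes as given in the article (Google Drive 1.6.x)
DOC_TYPES = {
    0: "Folder",
    2: "Powerpoint",
    4: "Excel Spreadsheet & Form document",
    5: "Drawing document",
    6: "Word document",
}


def decode_doc_type(code):
    return DOC_TYPES.get(code, f"unknown doc_type {code}")


def md5_file(path):
    """MD5 of a file on disk, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(local_rows, cloud_rows, sync_root):
    """
    local_rows: (filename, checksum) tuples as read from local_entry
                (assumption: every name sits directly in sync_root)
    cloud_rows: (filename, doc_type) tuples as read from cloud_entry
    Returns {filename: (status, decoded cloud doc_type or None)}.
    """
    cloud_types = {name: decode_doc_type(t) for name, t in cloud_rows}
    report = {}
    for name, checksum in local_rows:
        path = os.path.join(sync_root, name)
        if checksum is None:
            status = "folder"                  # folders carry NULL checksum/size/modified
        elif not os.path.isfile(path):
            status = "cloud-only"              # known to snapshot.db, never present on disk
        elif md5_file(path) == checksum:
            status = "unchanged-since-sync"
        else:
            status = "modified-since-sync"     # content differs from what Drive last synced
        report[name] = (status, cloud_types.get(name))
    return report


def demo():
    """Build a throwaway sync folder with constructed contents and classify it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"hello world")
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(b"edited after the last sync")
        local_rows = [
            ("notes.txt",   hashlib.md5(b"hello world").hexdigest()),    # matches disk
            ("report.txt",  hashlib.md5(b"original text").hexdigest()),  # disk differs
            ("Budget.gdoc", "00000000000000000000000000000000"),          # constructed; no file on disk
            ("Reports",     None),                                        # folder row
        ]
        cloud_rows = [("Budget.gdoc", 6), ("Reports", 0)]                 # constructed cloud_entry rows
        return classify(local_rows, cloud_rows, root)


if __name__ == "__main__":
    for name, (status, kind) in demo().items():
        print(f"{name:<12} {status:<22} {kind or ''}")
```

Run it against a real snapshot.db by replacing the constructed rows with `SELECT filename, checksum FROM local_entry` and `SELECT filename, doc_type FROM cloud_entry`, and point sync_root at the path stored in sync_config.db rather than at a guessed folder; a "modified-since-sync" result only says the file changed after Drive last hashed it, not when or by whom.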













7 comments:

I use your article to fix my Google Drive not find original folder. Thank you.

Hi, which sqlite browser do you use? Thanks.

THIS IS a great article/write up. Huzzah.
