From ForensicsWiki
Revision as of 06:58, 25 September 2015 by Joachim Metz (Talk | contribs)



Dropbox is a service with dedicated applications allowing people to share their files between multiple computers (including smartphones) and each other. It is thus similar in purpose to Wuala, SpiderOak and Box.com.


Dropbox has been shown to have major design flaws, making it very insecure. A key problem is that the files are encrypted by Dropbox's servers, which allows Dropbox (and legal authorities) to get access to the files. In June 2011 Dropbox accidentally broke its authentication control system, allowing access to any account without a password and thus potentially exposing every user's files to the world.

Client Application

The Dropbox client running on Windows was analyzed and shown to leave a significant amount of data debris behind when it is deleted. An overview of the report is here. Even after deletion of the application, this debris would allow a forensic analyst to detect that Dropbox has been in use, potentially identify other computers linked to the same account, and potentially recover files that were shared using the service.

Server-side file encryption has some benefits for both user and provider: when someone uploads a file, the client makes a fingerprint (hash) of it, and if the file is already stored by Dropbox, the servers flag that it doesn't need to be uploaded, so the client "upload" process completes much faster. However, this also means that it is possible to detect whether a file has already been stored by Dropbox, and therefore a legal authority can take action against Dropbox to identify other "owners".


Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Dropbox\
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Dropbox\

Windows Vista and later


Mac OS X




config.db and config.dbx

The "config.db" SQLite database contains the configuration for the account. It contains:

  • the email address associated with the account;
  • the "host_id";
  • local path information.

"config.dbx" is an encrypted variant of "config.db".
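
As an added example (not part of the original wiki page and not Dropbox's own code), the following Python code tells a plaintext "config.db" from an encrypted "config.dbx" by the SQLite file header and reads the account settings from a read-only connection. The table name `config`, its `key`/`value` columns, the key names `email` and `dropbox_path`, and all sample values are assumptions constructed for the demonstration.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every plaintext SQLite file
WANTED = ("email", "host_id", "dropbox_path")  # assumed key names


def is_plain_sqlite(path):
    """True for a plaintext database (config.db), False for config.dbx."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def read_config(path):
    """Return wanted rows of the assumed key/value table "config", else None."""
    if not is_plain_sqlite(path):
        return None  # encrypted or damaged: report it, do not guess
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # never write to evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT key, value FROM config").fetchall()
    except sqlite3.DatabaseError:
        return None
    finally:
        con.close()
    return {k: v for k, v in rows if k in WANTED}


def build_sample(directory):
    """Create a constructed config.db and a stand-in config.dbx."""
    db = Path(directory) / "config.db"
    rows = [("email", "analyst@example.com"), ("schema_version", "1"),
            ("host_id", "0123456789abcdef0123456789abcdef"),
            ("dropbox_path", r"C:\Documents and Settings\user\My Dropbox")]
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO config VALUES (?, ?)", rows)
    con.commit()
    con.close()
    dbx = Path(directory) / "config.dbx"
    dbx.write_bytes(b"\x9c" * 64)  # constructed bytes standing in for ciphertext
    return db, dbx


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_sample(d):
            print(p.name, read_config(p))
```

Run it against a working copy of the artifact rather than the original evidence file; a `None` result for a file named "config.dbx" is the expected outcome, not an error.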

filecache.db and filecache.dbx

host.db and host.dbx

Server Side

According to online help, "All files stored online by Dropbox are encrypted and kept securely on Amazon's Simple Storage Service (S3) in multiple data centers located across the United States."

External Links