Author Name
Frank McClain
Artifact Name
Client Application Artifacts
Artifact/Program Version
ADrive 1.5
Description
ADrive provides backup, synchronization, and sharing on Windows, Mac, Linux, and Android. It supports FTP, remote file transfer (from other sites directly into the account), collaboration, concurrent logins, and online editing (via Zoho).
Paid versions add SSL (not available with the free plan), FTP upload/download, transfers of files up to 16 GB, and remote (internet-to-internet) transfer.
The free version is browser-only (no local client) and comes with 50 GB of storage.
ADrive Desktop (the local client) is written in Adobe AIR.
The following is a sample of artifacts from the installation and use of ADrive 1.5 on a Windows system. It is not exhaustive; it is intended as an example of the types of evidence/data that can be found.
Registry Keys
\Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32 (the per-application RAS tracing key Windows creates under HKLM\SOFTWARE; the Wow6432Node path reflects the 32-bit client running on 64-bit Windows)
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1 (COMODO Firewall's rule for the client; present only when that firewall is installed on the examined system)
File Locations
Application Data Files: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1 (Adobe AIR application storage directory; the 40-character hex suffix is the AIR publisher ID derived from the signing certificate)
Application Executable Files: Program Files (x86)\ADrive Desktop\ADrive Desktop.exe
Sync/Backup Files: any user-defined location and file type
Files of Interest
Adrive.db (the client's local database in the application data directory; AIR local databases are SQLite, so open it with an SQLite viewer such as SQLiteDBBrowser below), install.log (Adobe AIR installer log)
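The triage a practitioner would run over the application data directory, as an added example that is not part of the original entry or of ADrive's own code: identify SQLite files by their 16-byte header (the same check TrID/File make), dump every table without assuming a schema, and flag cells that look like epoch timestamps (ActionScript Date values are milliseconds since 1970, plain Unix values are seconds). The sample directory, its Adrive.db table and the install.log line are constructed here for the demonstration; ADrive's real schema is not known from this page.

```python
import datetime
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database


def is_sqlite(path):
    """True when the file starts with the SQLite 3 magic header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def decode_epoch(value):
    """Heuristic epoch decoder for one table cell.
    Values above 1e11 are treated as milliseconds (AIR/ActionScript Date.time),
    values in the seconds range 1e9..1e11 (roughly 2001 onward) as Unix seconds.
    Returns an ISO-8601 UTC string, or None when the cell is not a plausible timestamp."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    if value > 1e11:
        value = value / 1000.0
    if not 1e9 <= value < 1e11:
        return None
    ts = datetime.datetime.fromtimestamp(value, tz=datetime.timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def dump_sqlite(path):
    """Open the database read-only and return {table: {"schema": sql, "rows": [dict, ...]}}.
    Schema-agnostic, so it works whatever tables the client version created."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    result = {}
    try:
        tables = conn.execute(
            "SELECT name, sql FROM sqlite_master "
            "WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()
        conn.row_factory = sqlite3.Row  # later cursors yield name-addressable rows
        for name, sql in tables:
            quoted = '"' + name.replace('"', '""') + '"'
            rows = conn.execute("SELECT * FROM " + quoted).fetchall()
            result[name] = {"schema": sql, "rows": [dict(r) for r in rows]}
    finally:
        conn.close()
    return result


def triage(directory):
    """Walk an application-storage directory, classify each file, dump SQLite files."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            entry = {"size": os.path.getsize(full), "sqlite": is_sqlite(full)}
            if entry["sqlite"]:
                entry["tables"] = dump_sqlite(full)
            report[rel] = entry
    return report


def timestamps_in(report):
    """List (file, table, column, raw, iso) for every cell that decodes as an epoch."""
    found = []
    for rel, entry in report.items():
        for table, info in entry.get("tables", {}).items():
            for row in info["rows"]:
                for col, val in row.items():
                    iso = decode_epoch(val)
                    if iso:
                        found.append((rel, table, col, val, iso))
    return found


def build_sample_dir():
    """Constructed stand-in for the AIR storage directory: a SQLite file named Adrive.db
    with a hypothetical sync_items table, plus a one-line install.log. Neither reflects
    the real client's contents; they exist only so the triage runs offline."""
    directory = tempfile.mkdtemp(prefix="adrive-triage-")
    conn = sqlite3.connect(os.path.join(directory, "Adrive.db"))
    conn.execute("CREATE TABLE sync_items (id INTEGER PRIMARY KEY, local_path TEXT, "
                 "size INTEGER, modified INTEGER)")
    conn.executemany(
        "INSERT INTO sync_items (local_path, size, modified) VALUES (?, ?, ?)",
        [("C:\\Users\\frank\\Documents\\notes.txt", 1024, 1341360000000),   # constructed
         ("C:\\Users\\frank\\Pictures\\img001.jpg", 204800, 1341363600000)])  # constructed
    conn.commit()
    conn.close()
    with open(os.path.join(directory, "install.log"), "w") as fh:
        fh.write("[constructed] ADrive Desktop install log placeholder\n")
    return directory


if __name__ == "__main__":
    rep = triage(build_sample_dir())
    for rel, entry in sorted(rep.items()):
        print(rel, entry["size"], "SQLite" if entry["sqlite"] else "other")
    for item in timestamps_in(rep):
        print(item)
```

Point `triage()` at the real com.adrive.ADriveDesktop.* directory (copied from the image, never the live profile) to get the same report; the timestamp heuristic is deliberately loose, so confirm any decoded value against a second source such as file-system MAC times before relying on it.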
Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html
Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm