
OneDrive log parser

Open sydp opened this issue 3 years ago • 4 comments

Add support for OneDrive logs. There is some recent research on the log format in the blog post https://www.swiftforensics.com/2022/02/reading-onedrive-logs.html?m=1

sydp avatar Feb 15 '22 21:02 sydp

@sydp shall I assign this to you? Looks like this would need the creation of test data and could benefit from a format specification.

joachimmetz avatar Feb 16 '22 04:02 joachimmetz

Yes, I'll take a look at generating some test data in the next few weeks and implement a dtfabric definition.

sydp avatar Feb 16 '22 06:02 sydp

Just a heads up. Newer versions of OneDrive no longer use ObfuscationStringMap.txt. It now uses a key to obfuscate the log. It is not known, at this time, how the key is used to obfuscate the data.

Beercow avatar Jul 06 '22 10:07 Beercow

Checked the logs folder on a Windows 11 instance running OneDrive version 22.141.0703.0002 and there is now a "general.keystore" file.

Contents example:

[{"CreatedTime" : <unix seconds timestamp?>,"Key" : <base64 encoded 256-bit random blob>,"Version" : 1}]

ObfuscateStringMap.txt still exists; however, as reported, it seems some strings in the logs are encrypted, most likely using the key in general.keystore.

sydp avatar Aug 06 '22 13:08 sydp
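As an added example (not plaso code and not from any commenter), the following parses a general.keystore file of the shape reported above and validates it: a JSON array of objects carrying CreatedTime, Key and Version, where Key base64-decodes to 256 bits. It assumes CreatedTime is Unix seconds (the comment above marks that with a question mark), and it makes no attempt to use the key, since the thread states it is not yet known how the key obfuscates the log data. The sample file content, timestamp and key bytes are constructed for the example.

```python
"""Parse and validate a OneDrive general.keystore file (added example)."""
import base64
import binascii
import json
from datetime import datetime, timezone

# Constructed sample in the shape reported in the thread. The timestamp and
# the key bytes are made up; a real file holds a random 256-bit key.
_SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
SAMPLE_KEYSTORE = json.dumps(
    [{"CreatedTime": 1657100000, "Key": _SAMPLE_KEY, "Version": 1}]
)

EXPECTED_KEY_BYTES = 32  # 256 bits, as observed in the thread


def parse_keystore(text):
    """Return a list of validated entries from general.keystore content.

    Each entry is a dict with 'created' (ISO 8601 UTC, assuming CreatedTime
    is Unix seconds), 'key' (raw bytes) and 'version'. Any deviation from
    the reported shape raises ValueError, so a forensic tool fails loudly
    on an unexpected file instead of silently mis-parsing it.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"keystore is not valid JSON: {exc}") from exc
    if not isinstance(data, list):
        raise ValueError("keystore top level must be a JSON array")

    entries = []
    for index, item in enumerate(data):
        if not isinstance(item, dict):
            raise ValueError(f"entry {index} is not a JSON object")
        missing = {"CreatedTime", "Key", "Version"} - item.keys()
        if missing:
            raise ValueError(f"entry {index} lacks fields: {sorted(missing)}")

        created_raw = item["CreatedTime"]
        if not isinstance(created_raw, int) or created_raw < 0:
            raise ValueError(f"entry {index}: CreatedTime is not a non-negative integer")
        created = datetime.fromtimestamp(created_raw, tz=timezone.utc).isoformat()

        try:
            # validate=True rejects stray characters instead of skipping them.
            key = base64.b64decode(item["Key"], validate=True)
        except (binascii.Error, TypeError) as exc:
            raise ValueError(f"entry {index}: Key is not valid base64") from exc
        if len(key) != EXPECTED_KEY_BYTES:
            raise ValueError(
                f"entry {index}: key is {len(key)} bytes, expected {EXPECTED_KEY_BYTES}"
            )

        entries.append({"created": created, "key": key, "version": item["Version"]})
    return entries


def is_valid_keystore(text):
    """Convenience predicate: True if parse_keystore accepts the content."""
    try:
        parse_keystore(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for entry in parse_keystore(SAMPLE_KEYSTORE):
        print(f"created={entry['created']} version={entry['version']} "
              f"key={entry['key'].hex()}")
```

Reading the file with strict checks like this is the first step a parser (or a dtfabric-style test fixture) would need; how the key bytes relate to the encrypted strings in the logs is left open, as the thread says.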

Some updated research in a follow-up blog post:

https://www.swiftforensics.com/2022/11/reading-onedrive-logs-part-2.html

sydp avatar Nov 23 '22 22:11 sydp