DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream’s disk forensic artifacts
DriveFS Sleuth automates the investigation of Google Drive File Stream disk artifacts. The tool can parse the disk artifacts and build a filesystem tree-like structure enumerating the synchronized files along with their respective properties.
“While engaged in a threat-hunting activity for a client to detect the misuse of file-syncing applications within their network, I identified the unauthorized use of Google Drive File Stream. Despite the noteworthy collaborative capabilities offered by such tools, they pose a potential risk to data security, particularly regarding exfiltration. I didn’t find any published research on associated artifacts at that time. Consequently, I undertook independent research to analyze the pertinent disk artifacts and developed DriveFS Sleuth based on the findings,” Amged Wageh, the tool’s creator, told Help Net Security.
DriveFS Sleuth features
Wageh told us that DriveFS Sleuth is known for its proficiency in analyzing forensic artifacts and seamlessly correlating them to offer crucial insights during investigations. The tool can identify logged-in accounts, even if they have logged out by the time of the investigation. It can determine the last synchronization date and construct a hierarchical tree structure for the synchronized items.
DriveFS Sleuth is adept at tracing the origins or the connected devices related to these synced items, and it investigates the mirroring roots and mirrored items. Additionally, it is skilled in retrieving information about deleted items whenever possible, and it addresses other relevant inquiries.
DriveFS Sleuth also provides comprehensive search functionalities to refine outputs to the most relevant ones. The tool skillfully compiles this information into an HTML report, thus enhancing the clarity and digestibility of the results. DriveFS Sleuth also offers CSV reports for more in-depth querying, providing users with a flexible and robust toolkit for their investigative needs.
“While the existing version suffices for conducting comprehensive forensic investigations, I intend to research additional artifacts. This pursuit aims to augment the detection of deleted items and explore the potential utilization of cached contents for retrieving synced file data as per availability. Furthermore, there is a plan to enhance the visual aspects of the HTML template for improved presentation and user experience,” Wageh concluded.
DriveFS Sleuth is available for free on GitHub.
More open-source tools to consider:
- Latio Application Security Tester: Use AI to scan your code
- CVEMap: Open-source tool to query, browse and search CVEs
- Faction: Open-source pentesting report generation and collaboration framework
- Adalanche: Open-source Active Directory ACL visualizer, explorer
- AuthLogParser: Open-source tool for analyzing Linux authentication logs
- Subdominator: Open-source tool for detecting subdomain takeovers
- EMBA: Open-source security analyzer for embedded devices