DriveFS Sleuth: Open-source tool for investigating Google Drive File Stream’s disk forensic artifacts

DriveFS Sleuth automates the investigation of Google Drive File Stream disk artifacts. The tool can parse the disk artifacts and build a filesystem tree-like structure enumerating the synchronized files along with their respective properties.

DriveFS Sleuth

“While engaged in a threat-hunting activity for a client to detect the misuse of file-syncing applications within their network, I identified the unauthorized use of Google Drive File Stream. Despite the noteworthy collaborative capabilities offered by such tools, they pose a potential risk to data security, particularly regarding exfiltration. I didn’t find any published research on associated artifacts at that time. Consequently, I undertook independent research to analyze the pertinent disk artifacts and developed DriveFS Sleuth based on the findings,” Amged Wageh, the tool’s creator, told Help Net Security.

DriveFS Sleuth features

Wageh told us that DriveFS Sleuth parses the forensic artifacts and correlates them to provide insights during investigations. The tool can identify logged-in accounts, even if they have logged out by the time of the investigation. It can determine the last synchronization date and construct a hierarchical tree structure of the synchronized items.

DriveFS Sleuth can trace the origins of synced items and the devices connected to them, and it examines the mirroring roots and mirrored items. It also retrieves information about deleted items whenever possible, and it answers other relevant investigative questions.

DriveFS Sleuth also provides search functionality to narrow the output to the most relevant items. The tool compiles this information into an HTML report, making the results easier to read and interpret. DriveFS Sleuth also produces CSV reports for more in-depth querying, giving investigators a flexible toolkit.

Future plans

“While the existing version suffices for conducting comprehensive forensic investigations, I intend to research additional artifacts. This pursuit aims to augment the detection of deleted items and explore the potential utilization of cached contents for retrieving synced file data as per availability. Furthermore, there is a plan to enhance the visual aspects of the HTML template for improved presentation and user experience,” Wageh concluded.

DriveFS Sleuth is available for free on GitHub.
