I recently reupped my GCFE certification. As I was going through the updated content, I came across a section on cloud storage forensics. This was not in the course when I originally took it; time to update some notes. There was one OneDrive settings file that caught my eye. <UserCid>.dat. Let’s take a peek!
According to the SANS FOR500 course, the <UserCid>.dat contains strings that “show every active file in synced folders, including local files and files available only in the cloud. Files and folders shared with the current user (from a different OneDrive account) can also be present in this list.” The suggested method for obtaining the file/folder names is to use Eric Zimmerman’s “bstrings.exe” tool. This is great, but what if we can do one better.
1. Example: bstrings.exe ran against <UserCid>.dat
If we open the <UserCid>.dat in a hex editor, not only does it contain file/folder names, but there is also a series of UUIDs associated with the file/folder. With these UUIDs, we can begin to reconstruct the folder layout for OneDrive. To make this easier, OneDriveExplorer was created.
2. Example: <UserCid>.dat in hex editor
OneDriveExplorer comes in a command line and GUI version. It currently only works on .dat files sourced from OneDrive for Business accounts. The command line outputs the contents of the <UserCid>.dat file into a json format. By using the –pretty option, the json output will be in a more human readable format. Let’s open the same file we ran bstrings.exe against earlier in the GUI version of OneDriveExplorer. We can see that not only is “Vibrainium(1).doc” under the “Research” folder, but other files and folders are in that location also. Although we could get the folder structure form the disk image, we also have the UUID of the file. This UUID is the file ID in OneDrive.
3. Example: OneDriveExplorer compared to bstrings.exe
4. Example: Object_UUID found in URL
OneDriveExplorer provides better way to examine the <UserCid>.dat file. Not only can we obtain file/folder names, but we get the added benefit of seeing the OneDrive folder layout and the file IDs. There is more information to be found in <UserCid>.dat and I hope this inspires you to research the file further. OneDriveExplorer can be found on GitHub. Be curious!