SANS DFIR Summit 2022
Speaker: Brian Maloney
With personal computers and corporate networks becoming more integrated with cloud solutions, cloud forensics has become an important part of the investigative process. When investigating OneDrive, there are multiple artifacts that need to be checked to ensure all files/folders are collected. The process becomes complicated quickly on multi-user systems. This can lead to data loss if these artifacts are not checked or known about, making automation harder. Developed through personal research and available on GitHub, OneDriveExplorer solves these issues. OneDriveExplorer rebuilds the folder structure and parses more data, while preventing storage space and scope of authority issues that come along with collecting files via reparse points. This presentation aims to walk through important OneDrive artifacts, how to use OneDriveExplorer, and what value can be added from using OneDriveExplorer compared to conventionally used tools.
View upcoming Summits: [ Link ]
Download the presentation slides (SANS account required) at [ Link ]