Tool Shed Demo: OneDriveExplorer – Brian Maloney

With personal computers and corporate networks becoming more integrated with cloud solutions, cloud forensics has become an important part of the investigative process. When investigating OneDrive, there are multiple artifacts that need to be checked to ensure all files/folders are collected. The process becomes complicated quickly on multi-user systems.

This can lead to data loss if these artifacts are not checked or known about, making automation harder.

Developed through personal research and available on GitHub, OneDriveExplorer solves these issues.

OneDriveExplorer rebuilds the folder structure and parses more data, while preventing storage space and scope of authority issues that come along with collecting files via reparse points. This presentation aims to walk through important One Drive artifacts, how to use OneDriveExplorer, and what value can be added from using OneDriveExplorer compared to conventionally used tools.

Brian Maloney is a Digital Forensics Analyst at Thrivent Financial. Brian is the author of SEPparser and ProcDOT plugin pcap_tools. Brian can also be accredited with contributions to DeXRAY, improving its ability to extract McAfee and Symantec quarantine files. Brian holds a bachelor’s degree in Information Systems and Cybersecurity.