17.01.2020

Hunting for Nextcloud Cloud Storage Forensic Artifacts on Endpoints

Oleg Skulkin
Senior Digital Forensics Analyst at Group-IB
Nextcloud is a free and open-source suite of client-server software for creating and using file hosting services, so it can be installed on a private server or used through a third-party provider. In this article I'm going to look at the forensic artifacts that can be found during a forensic examination of a Windows endpoint.
Nextcloud is cross-platform, so you can find versions for desktop operating systems like Windows, macOS and Linux, as well as mobile applications for Android and iOS. By default, on a Windows 10 (x64) system it is installed under C:\Program Files\Nextcloud and creates a Nextcloud folder under C:\Users\%username%; the contents of this folder are synced with the Nextcloud server. But this folder contains not only the actual files but also an SQLite database with these files' metadata, which is really useful for Nextcloud forensics. It has the hidden attribute set and is named ._sync_<unique_id>.db:
Figure 1. An SQLite database with files' metadata located under C:\Users\%username%\Nextcloud
The most interesting table inside this database is metadata. These are its most useful columns:

  • path – path to a file or a folder, relative to the synced folder
  • inode – MFT entry number of the file or folder
  • modtime – last modification time as a Unix epoch timestamp
  • filesize – file size in bytes
  • contentChecksum – SHA1 hash of the file's content
  • md5 – despite its name, the server-side etag of the file (the same value that is logged in Nextcloud_sync.log, see below)
We can easily query this data with DB Browser for SQLite, for example:
Figure 2. An SQL query for extracting data from the metadata table
Because this is an SQLite database, an examiner can also benefit from analysing its freelist pages and the unallocated space inside pages. SQLite does not overwrite deleted records by default, so this may uncover information about deleted files:
Figure 3. Information about a deleted file found in the database's free space
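To make the two steps above concrete, here is an added example of my own (not code from the article, from Group-IB or from the Nextcloud project). It builds a small database in the shape of the metadata table described above, queries it read-only with the same Unix-epoch conversion an examiner would use in SQL, and then carves path strings out of the raw file to recover a record that was deleted from the table. The schema is a reduced, hypothetical version of the client's table (only the columns discussed here plus md5), the rows are constructed sample data, and the carving is a string-search heuristic keyed on the top-level folders seen in the live rows, not a full SQLite record parser.

```python
"""Query the Nextcloud client's ._sync_<id>.db and carve deleted paths from its free space."""
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical, reduced version of the client's "metadata" table: only the columns the
# article discusses, plus md5 (which holds the server etag). The real table has more.
SCHEMA = """
CREATE TABLE metadata (
    path TEXT PRIMARY KEY,
    inode INTEGER,
    modtime INTEGER,
    filesize INTEGER,
    md5 TEXT,
    contentChecksum TEXT
);
"""

# Constructed sample rows, not data from a real endpoint.
SAMPLE_ROWS = [
    ("Documents/report.docx", 43521, 1578650400, 48213,
     "5e1f0c2a9b8d7e6f", "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"),
    ("Documents/payroll_2019.xlsx", 43522, 1578654000, 23411,
     "a3c9d0e1f2b34567", "de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3"),
    ("Photos/IMG_0001.jpg", 43530, 1578657600, 1048576,
     "0011223344556677", "84a516841ba77a5b4648de2cd0dfcb30ea46dbb4"),
]
DELETED_PATH = "Documents/payroll_2019.xlsx"


def build_sample_db(db_path):
    """Create the sample database, then delete one row from it. With secure_delete
    off (SQLite's default unless the build turns it on) the deleted record's bytes
    stay in the page as a freeblock, which is what the carving step relies on."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO metadata VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM metadata WHERE path = ?", (DELETED_PATH,))
    conn.commit()
    conn.close()


def epoch_to_utc(ts):
    """modtime is Unix epoch seconds; render it in UTC like datetime(modtime,'unixepoch')."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_metadata(db_path):
    """Return the live rows of the metadata table. The file is opened read-only so the
    analysis never modifies the evidence copy (still: work on a copy, never the original)."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT path, inode, modtime, filesize, md5, contentChecksum "
            "FROM metadata ORDER BY path").fetchall()
    finally:
        conn.close()
    return [{"path": p, "mft_entry": inode, "modified_utc": epoch_to_utc(mt),
             "size": size, "etag": etag, "sha1": sha1}
            for p, inode, mt, size, etag, sha1 in rows]


def carve_deleted_paths(db_path, live_paths):
    """Scan the raw database bytes for path-like strings under the top-level folders
    seen in the live table and return the ones the live table no longer contains.
    This is a string-carving heuristic, not an SQLite record parser: it misses deleted
    files in folders with no surviving sibling, and every hit must be verified."""
    roots = sorted({p.split("/", 1)[0] for p in live_paths if "/" in p})
    if not roots:
        return set()
    alternation = b"|".join(re.escape(r.encode("utf-8")) for r in roots)
    pattern = re.compile(rb"(?:" + alternation + rb")/[\w ./-]+\.[A-Za-z0-9]{1,5}")
    raw = Path(db_path).read_bytes()
    found = {m.group(0).decode("utf-8", "replace") for m in pattern.finditer(raw)}
    return found - set(live_paths)


def demo():
    """Build the sample database in a temporary directory and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "._sync_0123456789ab.db")
        build_sample_db(db)
        rows = parse_metadata(db)
        carved = carve_deleted_paths(db, [r["path"] for r in rows])
    return rows, carved


if __name__ == "__main__":
    rows, carved = demo()
    for r in rows:
        print("%s  %8d  MFT#%-6d  %s  sha1=%s" % (
            r["modified_utc"], r["size"], r["mft_entry"], r["path"], r["sha1"]))
    print("Carved from free space, absent from live table:", sorted(carved))
```

Running it lists the two live rows with their modification times in UTC and then reports Documents/payroll_2019.xlsx, which no longer exists in the table but whose bytes are still in the page. On a real database the carved set will contain noise (old versions of renamed files, strings from index pages), so treat it as a lead list to confirm against the sync log and the file system, not as a result.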
Of course, this SQLite database isn't the only source of valuable information. Another location digital forensic examiners will find useful is C:\Users\%username%\AppData\Roaming\Nextcloud. This folder contains the following files:
Figure 4. The contents of C:\Users\%username%\AppData\Roaming\Nextcloud
The first file, nextcloud.cfg, contains the application's configuration, including the synced folders, the server address, the username, etc.
Nextcloud_sync.log contains a lot of valuable information, as the client uses this file to log the synchronization process. Let's look at its most useful fields:

    • timestamp – the time when the action occurred
    • file – the name of the file
    • instruction – the action that occurred; values include INST_NEW (new file), INST_RENAME (file renamed), INST_SYNC (file synchronized) and INST_REMOVE (file deleted)
    • dir – shows whether the file was uploaded to or downloaded from the server
    • modtime – the file's modification time as a Unix epoch timestamp
    • etag – a unique value Nextcloud uses to track changes to a file; it looks like a hash of the file but, according to Nextcloud, it isn't one. The same value appears in the md5 column of the metadata table in the SQLite database we looked at earlier
    • size – the size of the file in bytes
Here is an example of Nextcloud_sync.log entries:
Figure 5. Information about file deletion obtained from Nextcloud_sync.log
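As an added example of my own (not code from the article or from Nextcloud), the parser below turns Nextcloud_sync.log lines into a timeline of sync actions and pulls out the INST_REMOVE entries. The log excerpt embedded in it is constructed, not a real capture: the exact set of pipe-separated columns in the client's "#" header row, the "Syncrun" marker lines and the Up/Down values of the dir field are assumptions, which is why the parser takes its column names from the header line rather than from fixed positions.

```python
"""Build a timeline from Nextcloud_sync.log (constructed sample below)."""
from datetime import datetime, timezone

# Constructed sample log. The column list in the "#" header row, the Syncrun marker
# lines and the Up/Down values of the dir field are assumptions about the client's
# format; only the fields named in the article are interpreted by this script.
SAMPLE_LOG = """\
#=#=#=# Syncrun started 2020-01-16T09:15:02Z
# timestamp | duration | file | instruction | dir | modtime | etag | size | fileId | status | errorString | http result code | other size | other modtime | X-Request-ID
2020-01-16T09:15:03Z|0|Documents/report.docx|INST_NEW|Up|1578650400|5e1f0c2a9b8d7e6f|48213|00000123ocx7v4s9v|0|||0|0|
2020-01-16T09:15:04Z|0|Photos/IMG_0001.jpg|INST_SYNC|Down|1578657600|0011223344556677|1048576|00000124ocx7v4s9v|0|||0|0|
2020-01-16T09:15:05Z|0|Documents/payroll_2019.xlsx|INST_REMOVE|Down|1578654000|a3c9d0e1f2b34567|23411|00000125ocx7v4s9v|0|||0|0|
2020-01-16T09:15:05Z|0|Documents/report_final.docx|INST_RENAME|Up|1578650400|5e1f0c2a9b8d7e6f|48213|00000123ocx7v4s9v|0|||0|0|
#=#=#=# Syncrun finished 2020-01-16T09:15:06Z
"""

# Meanings of the instruction values the article lists.
INSTRUCTIONS = {
    "INST_NEW": "new file",
    "INST_RENAME": "file renamed",
    "INST_SYNC": "file synchronized",
    "INST_REMOVE": "file deleted",
}


def epoch_to_utc(value):
    """Unix epoch seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC; None for blank or garbage input."""
    try:
        return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError, OverflowError, OSError):
        return None


def parse_sync_log(text):
    """Parse log text into a list of dicts, one per logged sync action.

    Column names are taken from the most recent '# a | b | c' header row, so a
    different column layout only changes the dict keys, not the parser. Other
    lines starting with '#' (the sync-run start/finish markers) are skipped.
    """
    columns = None
    events = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if "|" in body:
                columns = [c.strip() for c in body.split("|")]
            continue
        if columns is None:
            raise ValueError("data line before any header row: %r" % line)
        fields = [f.strip() for f in line.split("|")]
        event = dict(zip(columns, fields))
        event["modtime_utc"] = epoch_to_utc(event.get("modtime"))
        instr = event.get("instruction", "")
        event["action"] = INSTRUCTIONS.get(instr, instr)
        events.append(event)
    return events


def removed_files(events):
    """Entries that record a deletion (INST_REMOVE)."""
    return [e for e in events if e.get("instruction") == "INST_REMOVE"]


def timeline(events):
    """Human-readable lines, oldest first (ISO 8601 UTC timestamps sort lexically)."""
    lines = []
    for e in sorted(events, key=lambda e: e.get("timestamp", "")):
        lines.append("%s  %-12s %-5s %s  (modtime %s UTC, %s bytes, etag %s)" % (
            e.get("timestamp", "?"), e.get("instruction", "?"), e.get("dir", ""),
            e.get("file", "?"), e["modtime_utc"], e.get("size", "?"), e.get("etag", "?")))
    return lines


if __name__ == "__main__":
    evs = parse_sync_log(SAMPLE_LOG)
    print("\n".join(timeline(evs)))
    print("\nDeleted:", [e["file"] for e in removed_files(evs)])
```

The etag column is the value to pivot on when cross-referencing the log with the sync database: the same string sits in the md5 column of the metadata table, and in the sample above the INST_RENAME entry carries the etag of the earlier INST_NEW entry, which is how a rename can be tied back to the original file name.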
The last file, sync-exclude.lst, lists the files that should not be synchronized with the Nextcloud server.
As you can see, Nextcloud for Windows is a very forensically friendly application. To collect its data from multiple endpoints you can use KAPE, for example. Below are a target and a module that collect and parse this data. Note that the target's Path mask *.db* also matches any -wal, -shm or -journal files lying next to the database; keep it that way, because without those files the collected copy can be missing the most recent, not yet checkpointed changes.
Target (.tkape file):

Description: Nextcloud sync database, logs and configs
Author: Oleg Skulkin
Version: 1.0
Id: 0b11b30c-2781-4979-8d3d-95bb05fc96ec
RecreateDirectories: true
Targets:
    -
        Name: Nextcloud Sync Database
        Category: Apps
        Path: C:\Users\*\Nextcloud\*.db*
        IsDirectory: False
        Recursive: False
    -
        Name: Nextcloud Logs and Configs
        Category: Apps
        Path: C:\Users\*\AppData\Roaming\Nextcloud
        IsDirectory: True
        Recursive: True

Module (.mkape file):

Description: Parses Nextcloud's sync database
Category: FileKnowledge
Author: Oleg Skulkin
Version: 1.0
Id: fd355b7c-798e-4761-9d65-f6cca1610cfa
BinaryUrl: https://www.sqlite.org/2019/sqlite-tools-win32-x86-3300100.zip
ExportFormat: csv
FileMask: "*.db"
Processors:
    -
        Executable: sqlite3.exe
        CommandLine: -header -separator "," %sourceFile% "SELECT path as \"File Path\", inode as \"MFT Entry Number\", datetime(modtime,'unixepoch') as \"Modified (UTC)\", filesize as \"Size (bytes)\", contentChecksum as \"SHA1\" FROM metadata"
        ExportFormat: csv
        ExportFile: Nextcloud_%fileName%.csv
######
# Uses sqlite3.exe to extract data from Nextcloud sync database and export it to csv
# Note: preferred to point msource to the folder with Nextcloud sync databases
######