Nextcloud is a free and open-source suite of client-server software for creating and using file hosting services, so it can be easily installed on a private server or used via a third-party provider. In this article I’m going to look at the forensic artifacts that can be found during the examination of a Windows endpoint.

Nextcloud is cross-platform: there are versions for desktop operating systems like Windows, macOS and Linux, as well as mobile applications for Android and iOS. By default, on a Windows 10 (x64) system it is installed under C:\Program Files\Nextcloud and creates a Nextcloud folder under C:\Users\%username%; the contents of this folder are synced with the Nextcloud server. This folder contains not only the actual files, but also an SQLite database with these files’ metadata, which is really useful for Nextcloud forensics. The database has the hidden attribute and is named ._sync_<unique_id>.db:

Figure 1. An SQLite database with files’ metadata located under C:\Users\%username%\Nextcloud

The most useful table inside this database is metadata. Its most relevant columns are:

  • path – path to a file or a folder
  • inode – MFT entry number of a file or a folder
  • modtime – last modification timestamp in Unix Epoch format
  • filesize – file size in bytes
  • contentChecksum – SHA1 hash of each file

We can easily query this data with DB Browser for SQLite, for example:

Figure 2. An SQL query for extracting data from the metadata table

As this is an SQLite database, an examiner can benefit from analysis of free lists and unallocated space – it may uncover some information about deleted files:

Figure 3. Information about a deleted file found in the database’s free space
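To show the three things described above in one place (the metadata query with modtime converted to UTC, checking a synced file against its stored SHA1, and recovering a deleted row from the database’s free space), here is an added example that is not part of the original article. It builds a constructed stand-in for ._sync_<unique_id>.db with the columns the article lists; the sample paths, sizes and timestamps are invented, and the carving is a plain string scan of the raw file rather than a full SQLite page parser.

```python
import hashlib, os, pathlib, re, sqlite3, tempfile

QUERY = (  # the article's query; datetime(..., 'unixepoch') renders Unix epoch as UTC
    "SELECT path, inode, datetime(modtime,'unixepoch') AS modified_utc, "
    "filesize, contentChecksum FROM metadata")

def build_sample_db(db_path, sync_root):
    """Constructed stand-in for ._sync_<id>.db: two synced files, one then deleted."""
    os.makedirs(os.path.join(sync_root, "Documents"), exist_ok=True)
    rows = []
    for name, body in (("report.docx", b"quarterly report"), ("notes.txt", b"notes")):
        with open(os.path.join(sync_root, "Documents", name), "wb") as f:
            f.write(body)
        rows.append(("Documents/" + name, 1000 + len(rows), 1700000000,
                     len(body), hashlib.sha1(body).hexdigest()))
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA secure_delete=OFF")  # deleted cells stay in free space
    con.execute("CREATE TABLE metadata(path TEXT, inode INTEGER, modtime INTEGER,"
                " filesize INTEGER, contentChecksum TEXT)")
    con.executemany("INSERT INTO metadata VALUES (?,?,?,?,?)", rows)
    con.execute("DELETE FROM metadata WHERE path='Documents/notes.txt'")
    con.commit()
    con.close()

def list_metadata(db_path):
    con = sqlite3.connect(db_path)
    rows = con.execute(QUERY).fetchall()
    con.close()
    return rows

def checksum_matches(sync_root, path, stored_sha1):
    # Does the file on disk still match the SHA1 the client recorded for it?
    with open(os.path.join(sync_root, path), "rb") as f:
        return hashlib.sha1(f.read()).hexdigest() == stored_sha1.lower()

def carve_deleted_paths(db_path, prefix=b"Documents/"):
    """Scan the raw file for path strings that no live row references."""
    live = {row[0] for row in list_metadata(db_path)}
    raw = pathlib.Path(db_path).read_bytes()
    pattern = re.escape(prefix) + rb"[\x20-\x7e]+"  # printable run after the prefix
    hits = {m.group().decode() for m in re.finditer(pattern, raw)}
    return sorted(hits - live)

def demo():
    root = tempfile.mkdtemp()
    db = os.path.join(root, "._sync_demo.db")
    build_sample_db(db, root)
    rows = list_metadata(db)
    return {"live": rows, "verified": checksum_matches(root, rows[0][0], rows[0][4]),
            "deleted": carve_deleted_paths(db)}
```

On a real database the same scan can be pointed at any path prefix seen in the live rows; strings that are found but absent from the query result are candidates for deleted entries, to be confirmed with a proper SQLite free-space parser.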

Of course, this SQLite database isn’t the only source of valuable information. Another location digital forensic examiners will find useful is C:\Users\%username%\AppData\Roaming\Nextcloud. This folder contains the following files:

Figure 4. The contents of C:\Users\%username%\AppData\Roaming\Nextcloud

The first file, nextcloud.cfg, contains the application’s configuration, including synced folders, the server address, the username, etc.
Nextcloud_sync.log contains a lot of valuable information, as this file is used to log the synchronization process. Let’s look at its most useful fields:

  • timestamp – the time when the action occurred
  • file – the name of the file
  • instruction – the action that occurred; can be INST_NEW (new file), INST_RENAME (file renamed), INST_SYNC (file synchronized) or INST_REMOVE (file deleted)
  • dir – shows if a file was downloaded or uploaded
  • modtime – file’s modification time in Unix Epoch format
  • etag – a unique value used by Nextcloud to track changes to a file; it looks like a hash of the file, but according to Nextcloud it isn’t. The same value can be found in the md5 column of the metadata table in the SQLite database we looked at previously
  • size – the size of the file in bytes

Here is an example of Nextcloud_sync.log’s entries:

Figure 5. Information about file deletion obtained from Nextcloud_sync.log

The last file, sync-exclude.lst, lists the files that shouldn’t be synchronized with the Nextcloud server.

As you can see, Nextcloud for Windows is a very forensically friendly application. To collect its data from multiple endpoints you can use KAPE, for example. Here are a target and a module to collect and parse this data:

Description: Nextcloud sync database, logs and configs
Author: Oleg Skulkin
Version: 1.0
Id: 0b11b30c-2781-4979-8d3d-95bb05fc96ec
RecreateDirectories: true
Targets:
    -
        Name: Nextcloud Sync Database
        Category: Apps
        Path: C:\Users\*\Nextcloud\*.db*
        IsDirectory: False
        Recursive: False
    -
        Name: Nextcloud Logs and Configs
        Category: Apps
        Path: C:\Users\*\AppData\Roaming\Nextcloud
        IsDirectory: True
        Recursive: True

Description: Parses Nextcloud's sync database
Category: FileKnowledge
Author: Oleg Skulkin
Version: 1.0
Id: fd355b7c-798e-4761-9d65-f6cca1610cfa
ExportFormat: csv
FileMask: "*.db"
Processors:
    -
        Executable: sqlite3.exe
        CommandLine: -header -separator "," %sourceFile% "SELECT path as \"File Path\", inode as \"MFT Entry Number\", datetime(modtime,'unixepoch') as \"Modified (UTC)\", filesize as \"Size (bytes)\", contentChecksum as \"SHA1\" FROM metadata"
        ExportFormat: csv
        ExportFile: Nextcloud_%fileName%.csv

# Uses sqlite3.exe to extract data from the Nextcloud sync database and export it to CSV
# Note: it is preferable to point --msource at the folder containing the Nextcloud sync databases
