Nextcloud is a free and open source suite of client-server software for creating and using file hosting services, so it can be installed on a private server or used through a third-party provider. In this article I'm going to look at the forensic artifacts the Nextcloud desktop client leaves behind, which can be recovered during forensic examination of a Windows endpoint.
Nextcloud is cross-platform: there are desktop clients for Windows, macOS and Linux, as well as mobile applications for Android and iOS. By default, on a Windows 10 (x64) system the client is installed under C:\Program Files\Nextcloud and creates a Nextcloud folder under C:\Users\%username%; the contents of this folder are synced with the Nextcloud server. The folder holds not only the synced files themselves but also an SQLite database with these files' metadata (the client's sync journal), which is really useful for Nextcloud forensics. It has the hidden attribute set and is named ._sync_<unique_id>.db:
The most interesting table inside this database is metadata. These are its most useful columns:
- path – path to the file or folder, relative to the root of the synced folder
- inode – file system identifier of the file or folder; on NTFS this is the MFT entry number (if the values are far larger than plausible entry numbers, the client has stored the full 64-bit NTFS file reference, whose low 48 bits are the MFT record number and whose top 16 bits are the sequence number)
- modtime – last modification timestamp in Unix epoch format (seconds, UTC)
- filesize – file size in bytes
- contentChecksum – SHA1 hash of each file; the algorithm actually used is recorded in the contentChecksumTypeId column (a reference to the checksumtype table), so check it before comparing the value with hashes computed elsewhere
- md5 – despite the name, the server-side etag of the file (the same value that appears in the sync log, see below)
We can easily query this data with DB Browser for SQLite, for example:
As this is an SQLite database, an examiner can also benefit from analysing its freelist pages and unallocated space: deleted records are unlinked rather than wiped, so remnants of files that were removed from the synced folder may still be recoverable. Two practical notes: the client normally runs the journal in WAL mode, so collect any ._sync_<unique_id>.db-wal and -shm files next to the database, otherwise the most recent changes will be missing; and the database is live while the client runs, so copy it from an image or a locked-file-aware collector rather than opening it in place:
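The query and the free-space check, as an added example that is not part of the original article or of the Nextcloud client's code. It builds a throwaway journal from a reduced copy of the metadata schema (the column names listed above plus the md5, contentChecksumTypeId and checksumtype lookup that the real database also carries; the remaining columns are assumed away), deletes one record the way the client does when a file vanishes from the synced folder, then runs the kind of query you would type into DB Browser for SQLite and, separately, carves path-like strings out of the raw file bytes so that the deleted record resurfaces:

```python
import os
import re
import sqlite3
import tempfile

# Reduced copy of the sync journal's schema. Assumption for this example: column names
# come from the article plus md5 (etag), contentChecksumTypeId and the checksumtype
# lookup table the client also keeps; the real table has further columns, omitted here.
SCHEMA = """
CREATE TABLE checksumtype (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE metadata (
    phash INTEGER PRIMARY KEY,
    path TEXT,
    inode INTEGER,
    modtime INTEGER,
    md5 TEXT,
    filesize INTEGER,
    contentChecksum TEXT,
    contentChecksumTypeId INTEGER
);
"""

# Constructed sample records, not data from a real endpoint.
SAMPLE_ROWS = [
    (1, "Documents/report.docx", 98765, 1576540800, "5e3f1c2a9b8d7e6f", 24576,
     "da39a3ee5e6b4b0d3255bfef95601890afd80709", 1),
    (2, "Photos/IMG_0001.jpg", 98766, 1576627200, "1a2b3c4d5e6f7a8b", 1048576,
     "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", 1),
    (3, "Secret/plans.xlsx", 98767, 1576713600, "9f8e7d6c5b4a3f2e", 8192,
     "a9993e364706816aba3e25717850c26c9cd0d89d", 1),
]
DELETED_PATH = "Secret/plans.xlsx"

# Same idea as the DB Browser query: render modtime as UTC and resolve the checksum type.
LIVE_QUERY = """
SELECT m.path, m.inode, datetime(m.modtime, 'unixepoch') AS modified_utc,
       m.filesize, c.name AS checksum_type, m.contentChecksum, m.md5 AS etag
FROM metadata m LEFT JOIN checksumtype c ON c.id = m.contentChecksumTypeId
ORDER BY m.path
"""

# Path-like strings: a run of name characters, a dot and a short extension.
PATH_RE = re.compile(rb"[A-Za-z0-9_./ -]{3,}\.[a-z0-9]{2,5}")


def build_sample_db(db_path):
    """Populate a journal with SAMPLE_ROWS, then delete one record as the client does
    when a file disappears from the synced folder."""
    conn = sqlite3.connect(db_path)
    # OFF is SQLite's usual default: deleted cells are unlinked, not zeroed.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO checksumtype VALUES (1, 'SHA1')")
    conn.executemany("INSERT INTO metadata VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.execute("DELETE FROM metadata WHERE path = ?", (DELETED_PATH,))
    conn.commit()
    conn.close()


def list_metadata(db_path):
    """Live rows, the way DB Browser for SQLite or sqlite3.exe would show them."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute(LIVE_QUERY).fetchall()
    finally:
        conn.close()


def carve_paths(db_path):
    """Scan the raw file bytes, free space included, for path-like strings.
    Records deleted from the table but not yet overwritten still show up here."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    return sorted({m.group().decode("ascii") for m in PATH_RE.finditer(data)})


def run_demo(db_path=None):
    """Build the sample journal and return (live_rows, carved_paths)."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "._sync_example.db")
    build_sample_db(db_path)
    return list_metadata(db_path), carve_paths(db_path)


if __name__ == "__main__":
    live, carved = run_demo()
    live_paths = {row[0] for row in live}
    for row in live:
        print("live   ", row)
    for p in carved:
        print("carved ", p, "" if p in live_paths else "(no live row: deleted)")
```

The carve is deliberately crude and only demonstrates that the bytes survive the DELETE; a string found this way comes with no row context, so corroborate it against the sync log, and for a real case use a dedicated SQLite record-recovery tool that walks freelist pages and in-page free blocks properly.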
Of course, this SQLite database isn’t the only source of valuable information. Another location digital forensic examiners will find useful is C:\Users\%username%\AppData\Roaming\Nextcloud. This folder contains the following files:
The first file, nextcloud.cfg, holds the client's configuration, including the synced folders, the server address, the username, etc.
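A parser for nextcloud.cfg, added here as an example that is not the article's or the client's own code. The client writes the file through Qt's QSettings, which flattens every account's settings into backslash-separated keys under [Accounts]; the sample below is constructed, and the key names in it (url, user, dav_user, authType, Folders\N\localPath, targetPath, journalPath, paused, version) are assumptions for this example, so compare them against a real file before relying on them. What the example shows is how to fold that key space back into account and folder records, and in particular how to pair each ._sync_<unique_id>.db with the account and server it belongs to:

```python
import configparser
from collections import defaultdict

# Constructed nextcloud.cfg excerpt. Assumption: QSettings INI layout with these key names;
# they are illustrative, not copied from the article.
SAMPLE_CFG = r"""[General]
optionalDesktopNotifications=true

[Accounts]
0\url=https://cloud.example.org
0\user=jdoe
0\dav_user=jdoe
0\authType=webflow
0\Folders\1\localPath=C:/Users/jdoe/Nextcloud/
0\Folders\1\targetPath=/
0\Folders\1\journalPath=._sync_5d4e3c2b1a09.db
0\Folders\1\paused=false
version=2
"""


def parse_accounts(cfg_text):
    """Turn the flat QSettings key space into
    {account_no: {setting: value, "folders": {folder_no: {setting: value}}}}."""
    # Only '=' is a delimiter: URLs in the values contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (localPath, not localpath)
    cp.read_string(cfg_text)
    accounts = defaultdict(lambda: {"folders": defaultdict(dict)})
    for key, value in cp["Accounts"].items():
        parts = key.split("\\")
        if not parts[0].isdigit():
            continue  # e.g. the bare 'version' key
        acct = accounts[int(parts[0])]
        if len(parts) == 4 and parts[1] == "Folders":
            acct["folders"][int(parts[2])][parts[3]] = value
        elif len(parts) == 2:
            acct[parts[1]] = value
    return {n: {**a, "folders": dict(a["folders"])} for n, a in accounts.items()}


def sync_pairs(accounts):
    """One (server URL, user, local folder, remote path, journal file) tuple per synced
    folder: the mapping needed to tie a ._sync_<id>.db back to an account."""
    pairs = []
    for acct in accounts.values():
        for folder in acct["folders"].values():
            pairs.append((acct.get("url"), acct.get("user"), folder.get("localPath"),
                          folder.get("targetPath"), folder.get("journalPath")))
    return pairs


if __name__ == "__main__":
    for pair in sync_pairs(parse_accounts(SAMPLE_CFG)):
        print(pair)
```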
Nextcloud_sync.log is the log of the synchronization process and contains a lot of valuable information. Let's look at its most useful fields:
- timestamp – the time when the action occurred
- file – the name of the file
- instruction – the action that occurred, e.g. INST_NEW (new file), INST_RENAME (file renamed), INST_SYNC (file synchronized), INST_REMOVE (file deleted); the client also logs other instructions, such as INST_CONFLICT and INST_IGNORE, which are worth a look too
- dir – direction of the transfer, i.e. whether the file was downloaded from or uploaded to the server
- modtime – the file's modification time in Unix epoch format
- etag – a value the server changes whenever the file changes, which Nextcloud uses to detect modifications; it looks like a hash of the file, but according to Nextcloud it is not. The same value is stored in the md5 column of the metadata table in the SQLite database we looked at previously
- size – the size of the file in bytes
Here is an example of Nextcloud_sync.log’s entries:
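A parser for Nextcloud_sync.log, added as an example that is not part of the original article or of the client's code. The log excerpt below is constructed; the layout it assumes is one '|'-separated record per synced item, '#' comment lines (the first being a column header, the later ones marking each sync run), "old -> new" in the file column of a rename and "Up"/"Down" as the dir values. The parser takes the column order from the header line rather than hard-coding it, so it follows the file if the real column order differs. Beyond extracting the fields listed above, it builds a per-file timeline that follows renames and lists the files whose last recorded instruction was INST_REMOVE, which are the ones to go looking for in the sync database's free space:

```python
from datetime import datetime, timezone

# Constructed Nextcloud_sync.log excerpt (layout is an assumption, see the lead-in).
SAMPLE_LOG = """\
# timestamp | duration | file | instruction | dir | modtime | etag | size | fileId | status | errorString | http result code | other size | other modtime | X-Request-ID
#=#=#=# Syncrun started 2019-12-17T10:00:00Z
2019-12-17T10:00:01Z|12|Documents/report.docx|INST_NEW|Down|1576540800|5e3f1c2a9b8d7e6f|24576|00001234oc1abc|0||0|||
2019-12-17T10:00:02Z|30|Photos/IMG_0001.jpg|INST_NEW|Up|1576627200|1a2b3c4d5e6f7a8b|1048576|00001235oc1abc|0||0|||
#=#=#=# Syncrun started 2019-12-18T09:00:00Z
2019-12-18T09:00:01Z|3|Documents/report.docx -> Documents/report_final.docx|INST_RENAME|Up|1576540800|5e3f1c2a9b8d7e6f|24576|00001234oc1abc|0||0|||
2019-12-18T09:00:02Z|1|Secret/plans.xlsx|INST_REMOVE|Up|1576713600|9f8e7d6c5b4a3f2e|8192|00001236oc1abc|0||0|||
"""

# The fields the article singles out.
WANTED = ("timestamp", "file", "instruction", "dir", "modtime", "etag", "size")


def parse_sync_log(text):
    """Return one dict per synced item with the WANTED fields, modtime rendered as UTC
    and the rename target split out of the file column."""
    columns, events = None, []
    for line in text.splitlines():
        if line.startswith("#"):
            if columns is None and "|" in line:
                columns = [c.strip() for c in line.lstrip("# ").split("|")]
            continue  # sync-run markers and other comments
        if not line.strip() or columns is None:
            continue
        raw = dict(zip(columns, (f.strip() for f in line.split("|"))))
        ev = {k: raw.get(k, "") for k in WANTED}
        if " -> " in ev["file"]:
            ev["file"], ev["rename_target"] = ev["file"].split(" -> ", 1)
        else:
            ev["rename_target"] = None
        ev["modtime_utc"] = (
            datetime.fromtimestamp(int(ev["modtime"]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            if ev["modtime"].isdigit() else None
        )
        ev["size"] = int(ev["size"]) if ev["size"].isdigit() else None
        events.append(ev)
    return events


def file_history(events):
    """Per-file timeline of (timestamp, instruction, dir, other_name). A rename is filed
    under both names: the new name under the old one, the old name under the new one,
    so a later name can be followed back to its origin."""
    history = {}
    for ev in events:
        history.setdefault(ev["file"], []).append(
            (ev["timestamp"], ev["instruction"], ev["dir"], ev["rename_target"] or ""))
        if ev["rename_target"]:
            history.setdefault(ev["rename_target"], []).append(
                (ev["timestamp"], ev["instruction"], ev["dir"], ev["file"]))
    return history


def removed_files(events):
    """Files whose last recorded instruction is INST_REMOVE."""
    last = {}
    for ev in events:
        last[ev["file"]] = ev["instruction"]
    return sorted(f for f, inst in last.items() if inst == "INST_REMOVE")


if __name__ == "__main__":
    evs = parse_sync_log(SAMPLE_LOG)
    for name, entries in file_history(evs).items():
        print(name)
        for entry in entries:
            print("   ", entry)
    print("removed:", removed_files(evs))
```

The timeline is only as complete as the log: the client rotates or truncates Nextcloud_sync.log, so an absent INST_NEW does not mean the file never arrived through Nextcloud, and the entries should be read together with the metadata table and the NTFS timestamps of the files themselves.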
The last file, sync-exclude.lst, lists the file name patterns that are excluded from synchronization with the Nextcloud server; if a file you expected to find on the server is missing, check whether it matches one of these patterns.
As you can see, the Nextcloud client for Windows is a very forensically friendly application. To collect its artifacts from multiple endpoints you can use KAPE, for example. Here are a target and a module to collect and parse this data (the *.db* mask in the target deliberately also picks up the -wal and -shm files that belong to the sync database):
The target:

```yaml
Description: Nextcloud sync database, logs and configs
Author: Oleg Skulkin
Version: 1.0
Id: 0b11b30c-2781-4979-8d3d-95bb05fc96ec
RecreateDirectories: true
Targets:
    -
        Name: Nextcloud Sync Database
        Category: Apps
        Path: C:\Users\*\Nextcloud\*.db*
        IsDirectory: False
        Recursive: False
    -
        Name: Nextcloud Logs and Configs
        Category: Apps
        Path: C:\Users\*\AppData\Roaming\Nextcloud
        IsDirectory: True
        Recursive: True
```

The module:

```yaml
Description: Parses Nextcloud's sync database
Category: FileKnowledge
Author: Oleg Skulkin
Version: 1.0
Id: fd355b7c-798e-4761-9d65-f6cca1610cfa
BinaryUrl: https://www.sqlite.org/2019/sqlite-tools-win32-x86-3300100.zip
ExportFormat: csv
FileMask: "*.db"
Processors:
    -
        Executable: sqlite3.exe
        CommandLine: -header -separator "," %sourceFile% "SELECT path as \"File Path\", inode as \"MFT Entry Number\", datetime(modtime,'unixepoch') as \"Modified (UTC)\", filesize as \"Size (bytes)\", contentChecksum as \"SHA1\" FROM metadata"
        ExportFormat: csv
        ExportFile: Nextcloud_%fileName%.csv

######
# Uses sqlite3.exe to extract data from Nextcloud sync database and export it to csv
# Note: preferred to point msource to the folder with Nextcloud sync databases
######
```